Elevating cyber risk conversations to the boardroom

Supply chain attacks highlight the criticality of third-party risk management, and cyber risk conversations in the boardroom is now more important than ever. 

Amidst an ever-evolving cyber threat landscape and increasingly sophisticated cyber-attacks, having cyber risk assessment conversations in the boardroom is now more important than ever.

Continuing supply chain attacks, for instance, highlight the criticality of third-party risk management and the need for thorough assessment of an organisation’s cyber supply chain and third-party vendor network, as well as swift and coordinated communication to affected users.

Establishing cyber risk appetite at the boardroom level

Effective risk management starts with determining an organisation’s appetite for risk. Risk assessment has always been central to business viability, and board members are well aware of how they can assess and navigate business and reputational risk. Cyber risk, however, often requires CISOs to step in and educate board members who may not be all that familiar with the topic.

Firstly, CISOs and board members need to come to a consensus on the assets they are trying to protect, why they are protecting them, and from whom. Only with an agreed and documented risk appetite statement can everyone assess the existing risk management strategy, identify gaps and manage risk in any meaningful way.

A scaled approach to managing risk

Once the stakeholders have determined the organisation’s risk appetite, these are the five key areas that CISOs need to look at and communicate to the board:

• Situational Awareness – Start high level and determine what are the current and emerging threats. Drill into the relevance of these threats for your industry, your organisation, and your lines of business. What is driving these risk factors, and how is your organisation reacting to them?
• Security Incidents – Review security incidents for the board’s awareness in the reporting period – how did we respond? Is the root cause addressed and completely resolved? Or does risk persist but is mitigated in some way?
• Risk Appetite – As mentioned above, review the organisation’s current risk assessment – is this within appetite or do we have to work at bringing it within appetite?
• Security Capability – Measure and communicate the maturity assessment of your existing security capability. This is best done as a comparison, either against industry frameworks like NIST, or against industry peers, if you have this information.
• Strategy – Communicate strategy and execution against that strategy
  • Strategy should look further ahead than 12 months, and take into consideration longer term implications for the organisation
  • Execution upon strategy should clearly link to what has been presented in a prior session, so that the board have a clear picture of how the risk mitigation strategies are progressing

Explaining cyber risk assessment strategies to the boardroom

CISOs then need to communicate the business value of risk management in a way that is well understood by members of the board. This can be done by illustrating the potential repercussions of any breach – what is the impact to the company’s business and its reputation? What is the impact on revenue and share price, as well as on other stakeholders such as employees, customers, and regulatory bodies?

Tabletop exercises, where company executives and management take part in roleplays of various scenarios, are a good way to bring across these potential impacts in a realistic way. CISOs and board members alike will be able to assess the company’s crisis preparedness, its issues and crisis management response, as well as prepare for a variety of real-world scenarios.

How CISOs and boardrooms can bridge the risk gap effectively

With the growing number of cyber risks, companies need to be mindful of where to invest limited resources to mitigate potential security threats. CISOs and board members can assess the effectiveness of their existing risk management and security measures through a number of consistent and repeatable metrics, such as:

• The number of security incidents per reporting period, time taken to identify these incidents, and time taken to remediate them
• Patching cadence of primary operating systems or applications
• Awareness measures such as phishing simulation and reporting
• Third Party Risk Management measures including supply chain vulnerabilities and critical supplier risk assessments, and
• Recovery metrics covering business continuity and disaster recovery planning and testing

These metrics should be provided to board members in a consistent and comparable way as pre-reading, so meetings can focus on productive discussion and decision-making. In this way, CISOs and board members will be better able to identify areas they need to prioritise and invest in.  

Consider best-of-breed approach to risk management strategies

Another factor that CISOs need to contend with is the fact that there is always limited time, resources and manpower but a never-ending list of existing and emerging threats.

Given these constraints, CISOs not only have to prioritise the threats they need to address, but also ascertain whether their in-house capabilities are sufficient or robust enough to deal with those threats.

It might be wise to consider deploying best-of-breed solutions that are already available on the market, which are already secure, scaled for growth, cloud-native and future-ready. This will help CISOs free up precious talent and resources to work on more strategic matters within the organisation.