Why Are Boards Interested in Cybersecurity?
Gartner predicts that by 2025, 60% of organizations will be using cybersecurity risk as a key factor in assessing business activities.
Given this rising demand, corporate board members are starting to ask more specific questions about security operations.
If you are not accustomed to these types of conversations, it may be hard to determine an appropriate response. While the exact circumstances that your organization is responding to are unique, board concerns tend to follow a pattern.
The cybersecurity questions your board asks you will probably include some version of the following 5 questions:
- How Did This Happen?
- Can We Defend Ourselves With 100% Certainty?
- Are We Doing Better Than Our Competitors?
- How Are We Mitigating Risks?
- Why Are We Spending So Much On Cybersecurity?
1. How Did This Happen?
You are most likely to hear this question after your organization has already faced some type of security incident. Whether you are dealing with the aftermath of a full scale data breach or explaining why you need to resolve the vulnerabilities that compromised a particular endpoint, the board wants to know how you got here.
This type of conversation could be unpleasant, since cyber threats can cause significant harm to your organization. According to IBM’s recent report, the average cost of a data breach in 2021 was more than $4m. Given these significant losses, handle your response with care and stick to the facts.
Remind the board that security incidents are bound to happen and any organization always faces some level of cyber risk. Explain what you know and outline what information you might still be missing. Relate all information in terms of business impacts rather than technology.
Provide a mitigation plan and tie any long-term recommendations to business objectives and resulting cost savings from improved security posture.
2. Can We Defend Ourselves With 100% Certainty?
Unfortunately, it’s likely that not all board members will understand cybersecurity.
You may hear some version of this question as the board asks you how you can secure the company with complete certainty. Explain that it is impossible to fully guard your organization against cyber threats. Instead, provide alternative goals that are grounded in realistic objectives.
Help the board understand that the goal of your security operations is not to eliminate any potential vulnerability but instead to mitigate risk. Outline how your security program addresses business risks and manages highest priority vulnerabilities. Demonstrate that you are allocating resources for the highest impact on your security posture.
While you can never eliminate cyber risk, you can address your vulnerabilities based on your risk profile.
3. Are We Doing Better Than Our Competitors?
When a high profile security breach at another company makes the news, your board may ask you how your organization stacks up against them.
In response, help them assess the current risk profile of your organization. Use that headline as a jumping off point for a broader discussion about improving your cyber maturity.
Identify any similar weaknesses in your own company and prepare a plan to address them.
4. How Are We Mitigating Risks?
While your board understands the business risks affecting your organization, they may not have a clear picture of how cybersecurity relates to them.
Assure them that you are aware of business objectives and your organization’s risk tolerance. Explain how you use those factors to guide your security program. Ideally, you should connect your cybersecurity performance with financial metrics familiar to the board.
5. Why Are We Spending So Much On Cybersecurity?
Without a clear understanding of what impact cybersecurity has on the organization at large, the board may not understand how your budget is being used.
Frame your answer in terms of ROI rather than the underlying technology. Explain how you are allocating resources to achieve business objectives. Use data to back up your claims.
Overall, while the security questions the board may ask you can be difficult to answer, remember why they are asking them in the first place.
Cybersecurity is not an isolated part of your organization. Help the board see how your work improves the company’s financial performance and protects your brand’s reputation.
If you’d like to learn how to better align your security operations with your enterprise risk profile, reach out to us at Pareto Cyber for a free assessment of your current cyber maturity.