With the global cyber events of recent weeks and months, I wonder how many Boards have met with their security leaders for the first time or after a long hiatus between updates. Are security leaders nervously waiting outside board rooms all over the globe for an impromptu meeting which brings that fated question “have we done what we can to address the potential impact of [insert latest breach here]”? (I’m secretly hoping they no longer ask ‘are we secure’ given this is impossible to achieve).
So, if the board are itching to hear from you as the Head of Cyber Security, what is the best way to approach them at a time when what they are probably hearing are alarm bells?
Start with the ultimate outcome they are after and address this upfront – which requires you to know your audience. Boards are made up of people who are only human, and their concerns stem from uncertainty and a lack of information. Increasing their knowledge of the current state of security affairs for your organisation needs to be at the centre of everything you say or present. While it’s important to mention the bigger picture, keep your message short, valid and business-relevant to provide a clear view of the current risk and the pathway you have planned to minimise and mitigate the risk arising from the recent events. Be prepared for questions to come as soon as you enter the room. Think of all the questions you hope they won’t ask and consider how you would answer these. The outcome you are after is to provide certainty that cyber risk is being addressed within the organisation.
Through your content delivery, educate the board on the key concepts and language relevant to the situation while keeping technical terms to a minimum. This is your chance to ensure any later written updates can be conveyed in context and be well received. This will be easier if the Board is already across your cyber security strategy (including the approach you take when incidents arise). Many organisations include cyber risk in their corporate risk registers (it’s often #1), but not all are socialising the strategy on how this risk is being addressed up to Board level. Regular, engaging strategic updates are key – so when incidents happen unexpectedly, the Board is already up to speed on who you are and the progress made towards improving security maturity for the organisation.
And, if despite investigation, analysis and advice, you’re still unsure whether your organisation is out of the woods, be upfront about it. It’s OK to provide an update, be honest about the current state of affairs and commit to coming back to them as data comes to hand and/or when you need their support. Given the rising number of cyber events having larger-scale impact on businesses globally, how will you prepare for your next presentation to the Board?