Cybersecurity risk remains the top global business risk that executive leaders and risk management stakeholders are most concerned about. It’s the fourth consecutive year that surveys have revealed this, and it’s no surprise, given mounting breach costs, escalating cybercriminal activity (along with geopolitical unrest), and increasing regulatory oversight.
In particular, regulators are stepping up their efforts to ensure that organizations are incorporating cyber risk management into their strategic planning at the highest levels. Increasingly, this means greater scrutiny of cyber practices among boards. In the U.S., for instance, the Securities and Exchange Commission (SEC) recently proposed a rule requiring boards to report on how many of their members have cybersecurity expertise. Although the proposal was not ultimately enacted, it reflects a broader trend of growing oversight that continues to develop across regions and jurisdictions.
As the threat landscape and regulatory climate continue to evolve, boards are stepping up their efforts to understand how effectively organizations are mitigating present-day cyber risks. But they’re also asking pointed questions about costs, ROI, and benchmarking against industry peers, as persistent inflation threatens margins in many industries.
CISOs are increasingly finding themselves in the hot seat. It’s their responsibility to communicate with boards and executive leaders, but they don’t always speak the same language as their audiences. Many CISOs have deep technical backgrounds, but board members and executives are most concerned with the bigger picture: how can they be confident that the business’s investments in cyber risk reduction are paying off?
Once you’ve developed an effective board reporting strategy, you can have confidence in your ability to get your board on board with your security program plans.
Be prepared
It sounds obvious, but still rings true: the better you prepare for your board presentation, the more successful it’s likely to be. Set aside time in advance of the meeting to get ready to answer the board’s questions, bringing as much data to the table as possible to demonstrate that you’re well informed.
Know which questions CISOs are asked most often by boards. In a recent survey of security leaders that we conducted in conjunction with our Client Advisory Council, we learned that the following questions are the most frequently asked by board members:
- Are we secure? How do we know?
- How do we know if we have been hacked or breached?
- Are we spending the right amount on our cybersecurity program?
- How do we compare to peers within the same industry?
- How effective is our security program?
According to our research, the most frequently asked question is also the most difficult for CISOs to answer, with individual security leaders spending an average of 10 to 20 hours preparing their responses. This question is hard-hitting because it touches on so many key aspects of cyber risk management. First of all, it’s impossible to provide a simple “yes or no” answer to a question that actually needs to be addressed in terms of acceptable levels of risk. No organization can be 100% secure, 100% of the time, since some risks (such as insider threats or human error) can never be entirely mitigated. Secondly, the question implies that there’s an ongoing need for board-level visibility into vulnerabilities, threats, and the risk landscape. This isn’t wrong, but it raises the question of how CISOs can find and deliver the right information so that it’s intelligible and accessible.
Apply an industry standard security framework
“Are we secure?” can and should serve as a conversational bridge to an industry standard security maturity model or framework such as the International Organization for Standardization (ISO) 27000 series or the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). These frameworks outline processes, policies, and procedures for implementing and managing information security controls, providing a best practices-based blueprint for mitigating real-world risk. Because they’re concrete and standardized, they can serve as a benchmark against which the organization can easily measure its progress.
Once board members understand the framework that the organization is using, they’ll also have a means of answering questions about how the security program compares to those of industry peers, as well as how to assess its effectiveness. The framework provides evidence of where the company is on its cybersecurity journey. This can be incorporated into a discussion about current levels of risk, and whether these are at, above, or below the levels that board members deem acceptable.
Lean on benchmarks
A chief concern of board members is how the organization stacks up against its peers in other areas, too. Spending is chief among these, unsurprisingly, but it can be challenging to figure out how much other organizations are budgeting for security, since that information is often sensitive and confidential.
Research firms like Gartner and Forrester can provide vertical-specific information on security spending, which can then be tweaked to take into account factors like organization size and maturity level. Younger and more innovative firms tend to spend more on security than their more traditional peers, too. CISOs can also learn from their peers. By participating in forums and cyber communities, they can gain insights into industry trends and how other programs are advancing their maturity.
It’s all about relationships
Ultimately, the better CISOs get to know individual board members by understanding their backgrounds, priorities, and communication preferences, the more likely they are to engage them and gain their support. The rapport that comes with face-to-face meetings can be invaluable here. So can standardizing on a presentation format that’s easy to understand, visually appealing, and liked by members of the board.
Winning board communication strategies are all about the data, but they also require mastery of the art of storytelling. Presenting clear evidence of control effectiveness is important, as is tying these facts to desired business outcomes. But it’s also critical to provide context by explaining how the program is advancing, why the organization’s investments are worthwhile, and how these efforts compare to those of industry peers.
Need help winning board-level backing for your cybersecurity program? Or assistance facilitating effective communications? Kudelski Security’s Advisory Services offer tailored, strategic support for CISOs looking to deliver high-impact presentations, earn sponsorship, and own the role of business leader.
Contact us today to learn more.