Boards and Management Must Work Together to Strengthen Cybersecurity

Identify cybersecurity communication gaps and ways to close them.

With both boards and management concerned about the effect lax cybersecurity can have on a company, it is essential that both groups work together to close communication gaps on the subject and continue toward the goal of effectively protecting the organization's information assets.

Common Communication Gaps

Is your board fully informed? Communication is a two-way street, and this is the starting point for many communication gaps between management and the board. We often find that boards are simply uninformed or, worse, have a false sense of security because management reports focus on achievements over risk reporting. Boards and executive leadership fulfill the responsibility, on behalf of the organization, to make informed decisions involving investments, strategic direction and more. The risk tolerance or appetite must be established by those very same stakeholders in an effort to balance the resources and priorities at their discretion. If leadership committees lack an appreciation of where residual risk exists across the operational control footprint, they cannot fulfill their duty to navigate the organization through efforts to improve the cyber risk posture.


Organizational gaps. Management is naturally inclined to present positively slanted perspectives relating to their functional responsibilities and therefore too often avoids the “difficult” conversation. As a result, leadership's perspective is often distorted or filled with “blind spots” concerning the true areas of risk. For organizations that are engaging in regular and consistent risk assessments, it is imperative that the results of those efforts be aggregated and shared with leadership. Establishing a common lexicon and structure for presenting residual risks is equally important so that the discourse between management and leadership can occur over stretches of time in alignment with a transformational maturation strategy or objectives. The board must define a common baseline understanding and revisit progress to address prioritized areas of risk. Improved trust between management and leadership can enhance the organization's efforts to appropriately focus time and resources on aligned goals and objectives. Doing so not only will raise risk transparency and allow leadership to fulfill its duties, but also will improve leadership's cyber IQ to ensure a greater appreciation for the significant challenge management faces in protecting the organization's critical information assets.

True cybersecurity vs. compliance requirements. Another common issue our team experiences is that leadership often misconstrues cybersecurity requirements as a sort of compliance checklist. In such cases, the quality of controls is distorted into a binary evaluation process that can create a false sense of security that an organization is meeting its objectives. Cybersecurity should be viewed in both depth and breadth, and the quality and extent of how control requirements are met is a spectrum to be considered in concert with risk impact and likelihood. This is an important concept to consider when evaluating the security risk posture of the organization, but it is sometimes dismissed in favor of a pass/fail perspective when it suits the needs of leadership. While there are certain cybersecurity measures that are legally required and regulated based on industries and footprint, these are a starting point, not the finish line. Don't let your organization underestimate cybersecurity residual risk for the sake of achieving a passing grade on a related compliance requirements assessment.

Communication Tips for Management

Be the expert. Remember: Board members and executives have full-time jobs, and their cybersecurity knowledge may be limited because their only exposure is a white paper or news articles.

Embrace teachable moments. Education is critical to understanding cyber risks. If board members want to know about a simple topic like phishing, use this as an opportunity to discuss related topics and strategies to mitigate risks. If you see unsafe behavior, use the opportunity as a teachable moment.

Don't be a gatekeeper. Bridge technical and nontechnical conversations by clearly and concisely stating risks, considerations and recommendations.

Be their news source. Raise awareness of the current threat landscape, communicate the constantly changing nature of cybersecurity and be candid about the risks facing your organization and steps to prevent incidents.

Quantify risk. Discuss the cost of doing nothing, including reputational and financial damage. Be clear that accepting the status quo is a risk and use data analytics whenever possible to help illustrate the cost associated with being unprepared.

Talk budget. Have open conversations about investments in cybersecurity and leverage benchmark comparisons where available to further illustrate the parity or disparity between your organization and your peers.
