Communicating Cyber Risk to the Board

A confluence of accelerating trends, including digital transformation and growing cybercrime, have elevated cybersecurity from back-room function to board-level agenda item in recent years. The CIO at the Australian subsidiary of a multinational audit, tax, and advisory firm has had a front row seat for this transformation, watching his board’s interest in cyber risk and cyber security strategy ramp up significantly during his decade in the role.

Yet, cybersecurity strategy vies for attention with a multitude of corporate governance matters on the board’s plate. “They meet for three hours, and they probably have 20 hours of content to cover: mergers and acquisitions, divestitures, financials and accounting, legal risks, strategy, talent issues, a pandemic,” said the CIO. “The capacity left for cyber is quite small.”

As noted in a Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, a report on cybersecurity board communications, the demand for resources required to manage the cyber risk of increasingly distributed technology environments and an expanding threat landscape continues to grow. In-depth interviews with 78 business and security leaders in 13 countries about perceptions of cyber risk at the C-suite and board level found that in order to ensure ongoing board support, cyber and technology leaders must clearly communicate cyber risk and the critical role cybersecurity strategy plays in protecting the business. 

Thus, this CIO — like most of his peers— must make the most of limited time with the board. “You have to really focus in on the information that your stakeholders need, not what the technology person wants to tell them,” he said in an interview.

Over the years, the CIO has discovered what works well in board communications — regular and transparent reporting, storytelling and graphics — and what doesn’t. “Don’t overpromise,” he advises other technology and cyber leaders, “And never try to put anything over on them.” His approach has not made him the most popular member of the C-suite, as he may poke cyber risk holes in otherwise well-regarded business strategies or transactions. And there remains fuzziness around board ownership of cyber risk, which he’d like to clarify. But the approach has earned the CIO the trust of the board and has helped increase funding for an effective cybersecurity strategy.

The Value of Radical Transparency

The firm’s board is made up of a mix of external members (with backgrounds in business leadership) and firm partners (with backgrounds in accounting). Few have extensive cybersecurity understanding. That, in directors’ minds, is the CIO’s job. “They expect the relevant internal teams to be on top of any concerns and provide high-level reporting regularly,” the CIO said.

Cyber risk is a component of the firm’s comprehensive technology risk program, which is distinct from its enterprise governance risk and compliance program. The CIO provides the board a monthly cyber risk report. In the past, he delivered a 20-slide deck, which, over time, has become a one-pager. The goal is to distill, he said, not overwhelm.

“Over the years, there’s been more demand from the board for greater transparency when we present,” the CIO said. “In the past, barely anyone asked a question. Now it’s just bang, bang, bang.” That’s a good thing; the real knowledge sharing happens during Q&A.

The CIO has learned the importance of providing context to help the board assess cyber risk. One member, for example, asked if the firm had been attacked. The answer, of course, is that every organization is being attacked all the time. Without some background, however, that information would fan flames of fear. Instead, the CIO came up with a chart — a graphical representation of attempted attacks, defenses in place and successful attacks — that he delivers each month. Rather than telling the board there were 30,000 phishing attacks (causing members to spit out their coffee), the chart illustrates the effectiveness of the cyber security tools, training, and processes the board has funded. “They appreciate our distilling the information into a manageable amount of data,” the CIO said.

Quantifying Cyber Risk

Still, putting a hard number on the value of cyber investments is difficult. “One challenge is explaining the power of nothing — the effort it takes to not be breached,” the CIOs explained. “It is very hard to quantify cyber risk without a significant breach, and it all turns on a dime once there is one.”

The CIO made his points using three high-profile breaches that happened over a three-month period to other Australian companies in 2022. The country’s top health insurer suffered a ransomware attack, exposing individuals’ private medical information. A major telecom provider had to rebuild its 10 million customer database to determine which customers’ data had been exposed. An online retailer owned by a major grocer reported that compromised user credentials were used to harvest data on millions of customers.

The trio of breaches made the board nervous. “Everyone was on edge,” he said. But the news also led to more discussions about cyber risk and the value of technical controls and cybersecurity awareness training. For example, the telecom breach was the result of an unsecured API exposed on the Internet. The firm’s CIO had long invested in an ethical hack of the company’s servers any time it put something Internet-facing onto its network, and that wasn’t cheap. Following the telecom attack, he could clearly illustrate the value of that investment. “It gave us an opportunity to demonstrate what we have in place that the board may not have understood before,” he noted. 

Cyber Diligence: The Upside of Being the Bad Guy

While cybersecurity is an increasingly important topic in the C-suite and among board members, the CIO’s role in mitigating cyber risk is hardly a popularity contest. “There’s a perception that I’m on the conservative side, which creates trust among board members,” the CIO said. “But it also makes me unpopular. It’s a really strange tightrope to walk.”

He pointed out, for example, that a new application that other companies had adopted actually wasn’t secure enough. “We didn’t go ahead with the implementation, but it was a really unpopular decision because everyone thought the product looked great,” the CIO said. When those big breaches made headlines, however, the CIO explained to the board how going ahead with that vendor may have opened the firm up to a significant vulnerability. “They were able to connect the dots and understand why,” he said.

Another time, his team determined that a breach was happening — and investigated how attackers got in — stopping the attack before significant damage was done. But the investigation ruffled some feathers. “Some parts of corporate culture are unhelpful when trying to mitigate an attack,” he said. “But cybercrime has no time for image.”

The CIO, of course, is the one who has to ask the hard questions of a vendor (he instituted a “cloud checklist” to ensure suppliers have adopted industry standards for cybersecurity) or bring up a cyber risk issue that could impact an acquisition or merger. It’s earned him a reputation as a naysayer, but someone has to do it. In some organizations, Mimecast’s forthcoming report points out, “fundamental business decisions — such as mergers and acquisitions, third-party vendor contracts, and supply chain partnerships — are now being shaped around levels of cyber risk.” While the CIO is not involved in early discussions about major strategy or transactions, he always performs due diligence on M&A targets once he’s gotten wind of plans afoot. “There are some really smart things you can do to add value to the negotiation process — but it’s also a really good idea just to know what you’re getting into,” he pointed out.

Board Trust Boosts Cybersecurity Budget

At the end of the day, the board doesn’t care if people like the CIO’s assessments. They care if he’s right. And over time, he’s proven the value of his decisions. “It’s all about governance for the board,” the CIO said. “They can’t overrule a decision on cybersecurity because it’s not popular.”

On the contrary, the board has developed significant trust in the CIO. He’s grown his team fourfold and secured 15% annual budget increases — three times the global average cited by Gartner — which has helped to fund greater cybersecurity automation. “The board recognizes that this is important. I think we’ll see that investment grow,” he said. He credits that in part to the credibility that comes from being forthright and trustworthy and in part to breaches in the news and new regulations establishing increased fines. 

Still, there always is more to be done. The CIO would prefer the board approached security less as a reaction to legislation and more from an understanding of how the firm’s corporate cybersecurity posture impacts its competitive stance. But for now, the CIO said, “to have board support is a good outcome.”

The Bottom Line

Transparency, context, and storytelling help demystify cybersecurity strategy for board members with limited cybersecurity experience. Regular reporting and frank discussions, including time for questions and answers, helps to build trust with the board and ensure adequate funding for cybersecurity strategy. Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.