The unscheduled power outage experienced by three Ukrainian power companies on 23 December 2015 was a game changer. It was a high profile cyberattack on the national infrastructure, which caused significant disruption to the electricity supply to a large number of customers.
Although the frequency of an attack of this scale is low, it shows how an aggressive cybersecurity attack can seriously impact business operations – and customers. Board-level reporting for cybersecurity and technology risk is becoming commonplace due to the severity these attacks can have on a business, but most organizations aren’t very good at it.
Gartner believes that by 2020, all large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, up from 40 percent today.
Most boards will ask security and risk management leaders to present to them on the state of security because it’s part of the board’s fiduciary duty, not because they’ve suddenly become cybersecurity enthusiasts.
They may not understand cybersecurity and risk, but they do care about the impact to the business, its customers and bottom-line revenue.
Align security with business impact
Most boards won’t have many technology-savvy members, so trying to teach them to understand security and the relevant technology is unlikely to be productive or useful to them.
What board directors care about is:
- Strategy, not operations
- Risk oversight, not management
- Business outcomes, not technology details
- A clear responsibility
Put cybersecurity in terms they can understand and that align with business decisions and outcomes. Tell them what they need to know and what they have a legal obligation to know, and reassure them that there is a pathway to ensure that material risks are being managed.
You need to help them meet those obligations, but equally you don’t want to overplay the danger because you could undermine your own position. That will lead to the board losing confidence in you, or you’ll make enemies, which isn’t an effective way to go about fixing problems.
What not to tell them
The board won’t be interested in every piece of malware that comes into an organization. If someone gets a virus on their machine and infects six workstations with no significant business impact, directors don’t care. But if it becomes more serious, with the potential to disrupt the business, whatever the core business process happens to be, they’ll need to be informed.
Use fear, uncertainty and doubt sparingly. The board doesn’t want to hear the doom and gloom. Directors are interested in ensuring that solutions are, or will be, in place. They’re also interested in how the organization is meeting its business aspirations, and what the security practitioners are doing to help achieve them. It’s a fine balance and it takes skill to convey the message.
What to tell them
Acknowledge that there will be incidents from time to time – it happens in most organizations – but reassure them that they will be managed. You may not be able to avoid every potential incident, but what you can control is how you prevent them, and then how you respond when they do occur.
Security and risk professionals should:
- Position the discussion within a business context that is relevant to board-level decisions, while avoiding issues that are relevant only to IT personnel and IT decision making.
- Adopt a fact-based approach and avoid blaming individuals. Focus on the current situation and the plan of action to resolve it.
- Treat an incident as a potential opportunity to remedy systemic or legacy problems, while continuing to balance the need to protect the organization against the need to operate the business.
- Finish discussions with an “ask” of the board to engage members in the process.
The author is a Research Director at Gartner.