When Cyber Security Board Reports Fall Short

Telling the board about cyber security problems and plans can help a company be ready for and deal with cyber attacks.

Reporting cyber security to the board involves a delicate balance. Cyber security technical details need to be turned into strategic plans that match the organization's risk tolerance and business goals. Cyber security board reports take time and effort to get right - but what can go wrong?

Is your cyber security reporting hard for board members to understand?

The simple truth is that most cyber security board reporting fails due to a consistent set of issues.

Using too much technical language confuses the board and makes it harder for them to make good decisions. It's essential to communicate in terms the board can easily grasp: it's your job to take something complex and make it simple. Risk dashboards are good, if they are specific and clear. On the other hand, if your report looks like the one illustrated here (with thanks to AI), it may be your last time in the boardroom for a while.

Not connecting cyber risks to business impact leaves the board unable to judge why cyber security matters. It's crucial to show how specific cyber threats could affect the company's finances, reputation and operations.

Focusing only on compliance means important security issues and new threats can be overlooked. Compliance is important, but it's not the only thing to consider, and passing an audit is not the same as being secure.

Not taking cyber risks seriously can lead to complacency, while exaggerating them can cause panic and waste resources. Striking the right balance is key.

Appearing defensive is also a common issue. Board members are there for their judgement and insight, and will usually see straight through anything that sounds like less than the truth. They can also spot a lack of information; if you do not have enough data it is best to highlight the limitations and how you will be addressing them.

Giving unclear recommendations confuses the board. Recommendations should be specific, actionable, prioritized, and aligned with the organization's capacity to implement them, so that the board knows exactly what it is being asked to decide.

Only discussing cyber security in the wake of an incident or during annual reviews is insufficient. Cyber security is a dynamic field, and regular updates are essential to keep the board engaged and informed.

The final frequent error is lengthy reporting. If you have done your job well, you may have multiple projects, metrics, reports and so on to summarise. Summarise them, and take no more than a couple of pages. If it's more than that, ask what can go in an appendix. Having done that, it's easy to drop the appendices from the report and make them available on request or in a reading room.

This is hard, because often you and your team have worked hard to produce all that material. But remember that a short letter takes longer to write than a long one. Being succinct without losing the specifics takes time, patience and challenge.

Cyber security board reports don’t have to be complicated. Credit: Dall-e

How can Chief Information Security Officers and cyber security leaders avoid these board reporting pitfalls?

Firstly, you almost certainly have allies. These may include a Chief Risk Officer or Chief Information Officer. They will do their own board reporting, and will be used to the needs of individual board members, including non-executive directors whom you may not see frequently. Ask other leaders what they do, review their reports, and consider whether they are well received.

Ask them to review your report, or mentor you in delivering it. Often others can see things we can't because they have a different perspective. That includes spotting things that make sense to us, but not to anyone else.

Consider whether your reporting is consistent with other leaders who are reporting on similar areas such as risk and IT. Are you sending the same message, or a different one? If different, consider socialising it beforehand with other leaders and explaining why you are taking this to the board.

That does not always mean modifying your message: There was a time when I was advised by many not to mention that we had significant issues to tackle. Surprisingly to many, this was precisely the message the board wanted to hear. Because I had shared and discussed this plan in advance, once the board approved it, the need for a major cyber security program was accepted by senior management, even though the cost impacted other executives’ plans.

Do also familiarize yourself with your board. It's highly likely that board members will be open to telling you directly what they expect, and it's often possible to arrange an informal meeting. Be ready with questions. Learn a little about your board members and the other boards they are part of. Ask them about their experiences and what they found beneficial and effective.

Lastly, prepare and rehearse. In some instances, it took me over a year to perfect a basic template for board reporting, and then a few more years to fine-tune it according to the needs of board members and shifts in the board of directors' priorities and objectives.

Creating board reports is not a simple task, especially in technical domains like cyber security where it's challenging to obtain quantitative data that aligns with financial impact or business goals. Effective boards will understand this and be ready to collaborate with you on it.

Nonetheless, bear in mind that the majority of the effort lies in the planning and interaction. A presentation to an IT team that lasts an hour might require 10 hours to draft and prepare, while a board presentation of 10 minutes might necessitate 100 hours of preparation.

If you're pressed for time, view the report as a chance to put these questions about expectations to the board members and start a conversation. Board members will almost invariably appreciate the transparency and engagement.
