Board-level cyber discussions: communicating clearly is new guidance from the UK's official National Cyber Security Centre (NCSC).
The document offers tips to help a CISO (chief information security officer) engage strategically with a board to improve oversight and management of cyber security risk, says the NCSC. It argues that cyber security is a strategic issue, which means that you, the CISO, must engage with boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated. Most board members do not have in-depth cyber knowledge.
The idea is to 'calibrate your output for your audience'; while you, the CISO, are the 'subject matter expert', the conversation will start, the NCSC suggests, in terms of the business risk appetite. Cyber is a risk; talk about it as such, the NCSC states, and be honest and matter of fact. "In practice this means decomposing the threat landscape into clearly stated risks, in natural language, then grading the likelihood and impact of those risks. Where possible, quantify and make the risks tangible, using precise language. You should reserve 'doomsday scenario' language and hyperbole for risks that really really warrant it," the NCSC states.
High-profile incidents present an opportunity to inform, update and advise. When cyber hits the news, which it frequently does, use the story to put a short briefing together, the guidance document says. In sum, the NCSC advises that you 'own the problem' and 'provide a holistic view' which, besides cyber security, takes in IT infrastructure, infosec (information security) and online fraud.
It's not your role, the guidance stresses, to train them to do your job, 'but instead to put them in a position where they can make informed decisions about corporate strategy and cyber risks. Boards do this all the time with different types of risk, such as financial risk, and one of the Board's functions is to approve statutory financial accounts. They can do this without understanding the intricacies,' the NCSC says. As finance expects audit and health and safety can expect to be inspected, so cyber should be open to external scrutiny, the NCSC suggests.
The NCSC adds that the most frequent complaint from boards is that cyber experts use technical language and jargon when describing unfamiliar topics. "Given this, it's no surprise that many board members struggle to unpick and engage with cyber security. Whilst the appropriate level and language to communicate will depend on the organisation, natural language that's free from jargon and acronyms is the order of the day. Simple descriptions will always work better." Stressing clear language, the NCSC argues that 'less is more'.
Comment
Anthony Quinn, CEO of Acumen Cyber, says: "It's good to see the NCSC tackling this important issue because it is something many organisations struggle with. Too often, security teams bombard boards with technical details that are unnecessary and cause confusion, which hinders comprehensive decision making. The data from NCSC also shows there is confusion over who is responsible for decision making in cyber, which is very concerning. These lines must be clearly defined; otherwise, when a successful attack occurs, organisations could waste time mulling over roles and responsibilities, or incorrect decisions could be made which could jeopardise the future of a business.
"Cyber threats may target organisations via technical tools, but their impacts can be business destroying. This means boards must be kept updated on security risks in a language they understand, so they can make informed decisions quickly to safeguard their organisation. When communicating with boards, it's best for security teams to abandon tech jargon and instead focus on risks. For instance, if we don't prioritise ransomware defences, it could hamper our ability to operate. Boards understand risks and monetary implications, so it's best to focus on these.
"Boards must understand key risks so they can prioritise budgets and support the allocation of cyber defences. This doesn't mean they need to be involved in all cyber conversations, but they should have a top-level overview of threats, regulatory compliance, corporate defences and internal cyber policies. In successful digital businesses, cyber resilience starts at the board, so organisations should adopt these recommendations from NCSC as a priority."