Improving communication is the key to solving many business issues – as much as 90% by some estimates – but it is also one of the keys to improving the issue of cyber resiliency. In case you are not familiar with the term, it’s defined as ‘an organization’s ability to transcend (anticipate, withstand, recover from and adapt to) any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating.’ And basically what we are talking about in this article is the communication within a company between its cyber experts, senior leadership and board of directors.
To get a quick understanding of just how important cyber resiliency is, we have to look no further than a statistic from a recent survey: 93% of cyber experts believe global geopolitical instability is moderately or very likely to result in a catastrophic cyber event in the next two years, while only 86% of the business leaders agree with that assessment.
Broken down further, we can see how the difference changes by size of the organization. For example, 25% of leaders in businesses with 251 to 1,000 employees think it is moderately likely that a catastrophic cyber event will happen within two years, while 67% of cyber leaders in businesses of the same size think it is moderately likely one will occur.
Data Source: Global Cybersecurity Outlook 2023
Meetings
How often business leaders, cyber experts and the board of directors meet to discuss cyber issues is important in increasing a businesses’ cyber resiliency. One of the key ways meeting about cyber issues helps with cyber resiliency is if chief information security officers (CISOs) report directly to their CEOs. In some organizations, CISOs report to the chief information officer (CIOs) resulting in the message getting skewed or changed by going through a third party (mainly due to a CIO conflict of interest). Another way to increase the effectiveness of communication in regard to cyber resiliency is to give CISOs the opportunity to meet directly with the board of directors. After their presentation to the board, CISOs are better equipped to answer the cyber-technical questions that a board may ask.
Board of Directors
The same survey noted above also revealed that there is a disconnect in many companies between its board of directors in how cyber risks are communicated to the board and how boards interpret and translate those risks in the context of what is best for the organization.
One interviewee responded saying” Being able to clearly describe the key operational risks and, as part of this, the key cyber-related risks, and then having the link between these risks and the operational or technical controls is important. This allows business leaders to gauge whether they know what their risks are and whether the organization is doing the right thing to protect itself.”
Better Metrics for Better Informed Decisions
One of the best ways many cyber leaders have found to get the message of cyber threat and cyber resiliency across to their board of directors is to frame their message as a “return on investment” as that is a language that most boards understand. Conversations at a board meeting may address the cost to harden a company’s network or the cost to recover from of a cyber-attack, but most boards would get the cyber resiliency message better if it was framed as a return on investment. In other words, what is the ROI if we do X, Y and Z verses not doing them?
The question that cyber leaders have to answer to a board is “How do I know this is a good investment across the myriad of things that I could potentially spend this money on?” To get that message across, the answer is improving the metrics presented to a board to better help them make better-informed financial decisions. Effective metrics are ones where the board can translate the information directly into informed financial decisions that will help improve the bottom-line and keep investors happy.
With the cyber threat increasing each year, and with many experts in the field predicting a catastrophic cyber event within the next two years, now is the time to improve your cyber resiliency communication processes so that when an attack does occur, your business can withstand it with a minimal damage and cost to recover.
