Communicating cyber risk to the board


“The true business impact of any risk needs to be understood.”

Marc Avery, CISO and founder of the Cyberchain Alliance, talks to Sooraj Shah about how to ensure business leaders understand the strategic business significance of cyber security.

Marc Avery was a speaker at the very popular R3 cyber security conference, which ran from 15 to 24 September 2020. If you missed it, then it’s not too late: you can still watch on demand.

Video transcript:

What is the best way to communicate these risks with the board?

So risk in any format, be that business, security or health and safety, for that matter, should always be discussed with the board and presented to them in a format and language that they understand. It has to be relevant to the services that you provide to your customers. And when they look into your supply chain, it has to be relevant to some of the services that they provide to you, but also to their other customers as well.

The true business impact of any risk needs to be understood. Without that, it's very difficult to make decisions, and if decisions are made, they can often be fragmented and spurious. So understanding the true business impact, whether from a financial perspective or a reputational perspective, all of those things need to be considered before you can actually communicate risks effectively to allow good decisions to be made.

You have to talk positively to the board about risks and explain not only the negatives about the damage a risk could cause, but also the benefits of avoiding the potential impacts: making sure that your name's not dragged through the press as the next big headline, and those kinds of things. So talking positively is something else that's important.

I think that, finally, making sure that risks and risk management generally are agile is important. There's nothing worse than discussing the same risk at every monthly risk forum and nothing changes. It becomes boring. It becomes static and stagnant. So making sure that your risk management process adapts to the changing environment and context of the organisation and its suppliers really helps to ensure that it stays alive.

And again, back to those relationships: impact rarely changes, but the likelihood of risks does change somewhat. So taking into account changes in the environment, changes in economics, politics, anything to do with vulnerabilities, service outages, anything like that can change the likelihood of a risk. So bringing that formula supplies up to the board, again in the language they understand, helps to keep that risk management process healthy.

Copyright Lyonsdown Limited 2021
