Communicating cyber risk to the board

What is the best way to communicate these risks with the board?

“The true business impact of an risk needs to be understood “

Marc Avery, CISO and founder of the Cyberchain Alliance, talks to Sooraj Shah about  how to ensure business leaders understand the strategic business significance of cyber security.

Marc Avery was a speaker at the very popular R3 cyber security conference, which ran from 15 to 24 September 2020. If you missed it, then it’s not too late: you can still watch on demand.

Video transcript:

What is the best way to communicate these risks with the board?

So risk in any format, be that in business or security, or health and safety, for that matter, everything should always be discussed with the board and presented to them in a format and language that they understand. It has to be relevant to the services that you provide your customers. And when they look into your supply chain, it has to be relevant to some of the services that they provide to you, but also to their other customers, as well.

The true business impact of any risk needs to be understood. And without that, it’s very difficult to make decisions. And if decisions are made, they can often be fragmented and spurious. So understanding the true business impact either from a financial perspective, reputational perspective– all of those things need to be considered before you can actually communicate risks effectively to allow good decisions to be made.

You have to talk positively to the board about risks and explain not the negatives about the damage it could cause, but also the benefits of avoiding the potential impacts, making sure that your name’s not dragged through the press as the next big headline, and those kinds of things. So talking positively is something else that’s important.

I think that, finally, making sure that risks and risk management generally is agile– there’s nothing worse than discussing the same risk on every monthly risk forum and nothing changes. It becomes boring. It becomes static and stagnant. And therefore, making sure that your risk management process adapts to the change in environment and context of the organisation and the suppliers really helps to ensure that it stays alive.

And again, back to those relationships, impact rarely changes. But actually, the likelihood of risks does change somewhat. So taking into account changes in the environment, changes in economics, politics, anything to do with vulnerabilities, service outages, anything like that can change the likelihood of risk. So bringing that formula supplies up to the board, again, in the language they understand, helps to keep that risk management process healthy.

Copyright Lyonsdown Limited 2021

Top Articles

Amazon fined a staggering £636 million in Europe for GDPR violations

Luxembourg’s National Commission for Data Protection (CNPD) has imposed an unprecedented fine of €746 million (£636 million) on Amazon for GDPR violations.

SysAdmin Day 2021: Paying thanks to the unsung IT heroes

Today is SysAdmin Day when we should pay tribute to the system administrators working around the clock to keep business running smoothly

Former First Sea Lord says Royal Navy ships are vulnerable to hackers

A former First Sea Lord has warned that Royal Navy ships and Britain's merchant fleet could become sitting ducks for hackers if adversaries find ways to knock out satellite communications.

Related Articles

[s2Member-Login login_redirect=”” /]