Overcoming Challenges When Communicating Information Security Risk to the Board of Directors

While the Chief Information Security Officer (CISO) and Chief Information Officer (CIO) at your company are primarily responsible for ensuring the organization’s systems and safeguards are designed to protect sensitive business, employee and customer data, that responsibility isn’t theirs alone. Attacks and breach attempts are on the rise. In order to fulfill their oversight responsibilities, your company’s senior leaders and its board of directors need to understand the information security risks the business faces.

Board members come from all walks of life. They may have a vague understanding of information security risks, or may have in-depth knowledge and experience in the area. Regardless of their background, though, it is important that the board and C-suite executives grasp the potential risks your company faces, and understand what will be necessary to address those risks and shore up potential vulnerabilities.

However, communicating technical information effectively to a non-technical audience poses challenges and potential obstacles for CISOs and CIOs. Understanding where board members are coming from can be helpful as you tailor your communications.

Resist Owning All of the Risk or Communicating that Security has Been Achieved

When talking to the board, it’s natural to want to position your company’s information security efforts positively. However, resist the urge to imply that the CIO or CISO owns all of the risk. In reality, the board and your company’s executives have ultimate responsibility for information security efforts. The CIO’s and CISO’s roles are to communicate that risk, ensuring risk decisions are owned at the executive level.

Information security is a continuous balance of financial investment and risk management. The appetite for risk, and the appetite to spend money to resolve that risk, are related. Never communicate “we’re secure.” Instead, communicate that “the risks we have chosen to address have been mitigated,” then report on them through regular assessment and testing.

Communicate Based on Business Outcomes

One of the biggest challenges CISOs face is trying to extrapolate, translate and condense data into actionable insights the board can evaluate and make informed decisions about.

Working with a technology services provider like Intrinium Information Technology Solutions can help you identify, quantify and prioritize risks, showing in financial terms how the organization could be impacted by a breach. You can then use this information to drive results-focused presentations and reports to the company’s board of directors, helping facilitate strategic business decisions.

Understand that Board Members are Concerned about Regulatory and Financial Risk

Increasingly, board members of all types of companies are concerned about both potential regulatory fines and possible shareholder or customer lawsuits. Enterprise risk oversight has been added to most boards’ radar screens after statements by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) making it clear that enforcement actions are a very real possibility for businesses that don’t take appropriate action to protect information.

Expect your board members to ask for scorecards and other measurements demonstrating how effective your information security policies and safeguards have been. Boards are becoming increasingly conscious of the fact that information security risk is real, and will want more than just pat quarterly updates about your company’s information security initiatives and incident reports. Be prepared to answer their questions.

Adopt a Risk-Based, Financially-Driven Approach to Communicating with the Board

Of course, you want the board of directors to approve funding requests or strategic recommendations designed to improve your organization’s information security program. However, approaching those types of matters by drawing on board members’ fear or uncertainty isn’t the best way to go.

When sharing reports with, or making presentations to, your board of directors, use non-technical language, and share results-oriented information that will ultimately help them make decisions.

At Intrinium Information Technology Solutions, we provide a wide range of IT services and support for businesses large and small, across several industries including financial services, health care, social services and retail.

For more best practices about communicating your information security initiatives and to learn more about how we can help your company, contact us online or call us at 866-461-5099 today.
