Risk indices show that over the past 5 years, managing cyber threats has moved from a number 20 priority to a top three risk. This means one of the most vital issues today is to ensure boards understand and endorse the right measures to combat cyber threats.
The good news is that C-level executives and the board are far more informed about cyber security than ever before. Boards are demanding more information about threats from management and seeking a real understanding of how to deal with them. The days are long gone when IT professionals struggled to be heard at the board level.
Nonetheless, all large, complex organisations face continuously changing business dynamics, a drive towards greater innovation and the pressure to do more with less. Using the right form of communication therefore remains critical if IT and information security leaders are to engage with the board and management in a meaningful way. It is all about having the increasingly sophisticated conversations necessary to be able to move forward.
Then again, with so much fear, uncertainty and doubt (the FUD factor) around, keeping the board engaged in positive discussion is also important, particularly when the talk turns technical.
A good way to communicate is to summarise the issues and solutions in a way that is real and personal to the board members. It is about learning to use less technical language and to make the discussion more relevant to the language of the board.
At the same time, IT and information security leaders need to keep the commercial imperative front and centre. It is essential they agree with the board about the business risk appetite and how information security will be managed.
While engaging the board is critical, it is equally important to ensure the cyber story is heard and understood throughout the organisation. Full organisational awareness is a key requirement for fighting cyber threats. There is no single method for this, however. Rather, it is a matter of understanding how to tailor the message to a particular audience. Ensuring content is appropriate and choosing the right timing are chief considerations.
Some organisations have dedicated awareness teams that work with external and internal communications and media teams to educate internal stakeholders and consumers. These can include multiple customer awareness and internal engagement programs using many different channels.
Making sure IT delivers without putting the organisation’s reputation at risk is also a major priority for complex organisations and requires a dynamic approach. A business has to ensure it has the appropriate layers of security every time it interacts with a customer. At the same time it must also remain relevant.
Knowing your customers and maintaining their trust is also a key consideration for information security. Knowing why customers trust your brand and investing in the maintenance of that trust is a large part of this.