With board members increasingly being held liable for security breaches under APRA, their interest in cybersecurity is, understandably, growing.
As the CIO, you represent the conduit through which most board members receive insights into their organisations’ cyber resilience. Yet, despite the potential weight of this responsibility, there is a right way and a wrong way to report on cybersecurity and related topics to your board.
Understanding what board members need to hear from you to make risk-aware decisions can help you to more effectively protect your company.
Apart from their growing responsibility for cyberattacks and data breaches, many board members aren’t educated on cybersecurity—let alone on the implications of their actions (or inactions). Educating the board and the rest of the C-level suite on cybersecurity best practices is one of the key responsibilities of the CIO—and the Essential Eight (E8) framework represents a good place to start.
E8 is a series of eight cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to harden systems and make them less vulnerable to attack. Not only is the framework generally easy to understand, but it’s also easy to measure organisational compliance against using E8 assessments.
That said, while educating board members on the E8 framework increases their cybersecurity fluency, it’s important to note that—much like the ‘Pirate Code’ in the Pirates of the Caribbean movies—it’s really more of a set of guidelines than it is a true code. With the exception of government non-corporate entities, E8 compliance isn’t mandated for organisations, but still provides a useful measure of maturity and a good baseline for cybersecurity conversations.
Now, before we cover what should be in your board report, let’s rule out a few items that should not be included.
For example, you can leave off excessive operational detail. While data points like the number of service desk calls your department resolved should be reported at an IT level, this information holds limited value for board members.
Similarly, you should try to avoid what Head of Governance and Compliance at Canon Business Services ANZ (CBS), Peter Kenny calls the firehose of vulnerabilities—that is, presenting board members with a list of every single risk factor you’ve identified.
“You're sitting there as a board, and you see this table of vulnerabilities. What does that mean to you as a board member? It means nothing; it's just white noise,” he explains. “How can you, as a board member, make some sort of informed decision on either the approach or accepting the risk and letting that vulnerability run? It is counterproductive in the extreme, and it actually poses a real risk to the enterprise going forward.”
Context is important as well. Kenny recalls an instance where he reviewed a CIO’s board report that included a table listing 15 vulnerabilities—eight of which had been remediated that month. “That’s good, but of the seven you haven’t remediated, how critical are they? That’s the type of insight that a CIO needs to assist the board in establishing,” he says.
Transform Your Cyber Defense: Prioritised Actions for Staying Ahead of Threats.Download
So what should you include instead? While there’s no simple formula for what should go into a board report on cybersecurity, there are a few guidelines you’ll want to keep in mind.
Are you reporting to the board directly, or are you reporting to a cybersecurity committee on the board? While having a cybersecurity committee—especially one linked to an audit committee—is ideal, knowing to whom you’re reporting should inform your understanding of their cybersecurity knowledge (and, consequently, what your report should include).
If a cybersecurity committee exists, they’ll likely take inputs from audits and the business, review these findings, and then present their insights in a high-level, risk-managed statement back to the board. Board members would then be empowered to assimilate the committee’s recommendations, make decisions, and then provide guidance regarding the actions that are in the best interest of their shareholders.
However, although cybersecurity committees are gaining momentum, they aren’t yet the norm. Where they don’t yet exist, your reporting will likely go directly to the board and should take their level of expertise into account.
Those sitting on a board—whether they’re part of a cybersecurity committee or not—really need to see high-level, key information such as trendings, costings, and risk statements in order to make informed decisions.
As an example, Kenny shares, “You might present something like, ‘Over time, the trends are X. What this means is that either a) resourcing needs to be adjusted, or b) processes, tools, and even automation may need to be introduced to take care of these emerging trends. Failure to do so will result in X’.” Doing so provides board members with both the detail and context they need to act strategically in the organisation’s best interest.
If you’re struggling to translate technical information into the ‘business speak’ boards require, look to others on your team for assistance.
Generally speaking, CIOs shouldn’t be operating in isolation. Instead, there needs to be an ongoing dialogue amongst all members of the C-level leadership team to align on business priorities, as well as an understanding of how tools and technology support them in a secure manner.
Ultimately, communication between the CIO and board (or its cybersecurity committee) needs to be a two-way street.
“It really needs to be a partnership type of arrangement,” Kenny concludes. “If the board is not getting enough information or not getting the right type of information, then they have the absolute right to feedback down to the CIO. The CIO, by the same token also has the absolute right to question the board and to say, ‘Is this what you're looking for? Is this appropriate, is it pitched at the right level, and do you have enough information to make risk-aware decisions?’”
Partners like CBS can also help facilitate cybersecurity communications through tools like Essential 8 assessments and the creation of custom dashboards that can surface the high-level information boards are looking for.
For more information—or for customised guidance based on your board’s unique needs—reach out to the expert team at CBS for a personalised consultation.