Reporting cyber security to the board? How to get it right

As hackers become more sophisticated and data breaches become more widespread, board members become more involved with cyber security. Just one cyber-attack can have devastating consequences, so their heightened interest is appropriate.

Each year, the Ponemon Institute conducts a study analysing the cost of data breaches. Several hundred organisations in 12 countries participate. Here are some startling figures:

• In 2015, the average cost of a breach was $3.79 million. The following year, that figure swelled to $4 million.
• One lost or stolen record of a sensitive nature incurs a cost of $158.
• The institute estimates that there’s a 26 per cent chance of a breach involving 10,000 or more records taking place within the next 24 months.

The study doesn’t even take into account damaged reputations.

Australia’s new data breach notification laws have made cyber risk management everybody’s responsibility. It’s no wonder that, according to Osterman Research, 89 per cent of board members are heavily involved in decisions about prevention and response.

For these reasons, cyber security board reporting has never been more important. Getting it right the first time is crucial to board members' understanding of their risks and the prevention of costly attacks.

Board Members’ Wish List

Board members require visibility of the company’s current security posture, including potential risks, strategy and road-map to achieve the desired state of security.

They want help interpreting complicated data. The quantitative data about risks should be presented in the context of qualitative information.

They’re interested in learning about the latest cyber threats and recent incidents in their organisation’s sector. They want to compare their security programs with those of their competitors to see how they stack up. They want honest, accurate reporting on vulnerabilities and critical operations that a breach could impact. They love seeing that progress is being made, but they don’t want to be kept in the dark when it isn’t.

They want to be assured that compliance with the law is a priority.

They’re interested in how the cyber security program is structured: Who’s in charge? What’s the chain of communication? How are employees trained and tested?

Not surprisingly, the board also want to know how much it will cost to close the security gaps.

Security executives in about half of the companies surveyed don’t even report on expenditures to address risk, and that’s precisely what board members are most interested in. They crave detailed information on spending, direct costs and budget estimates. How else will they know where and how much to invest?

Cyber security board reporting should educate without overwhelming. It shouldn’t throw an audience into panic mode, but neither should it sugarcoat the facts. It should be clear, current, accurate, and actionable information that enables informed decisions.

Even well-intentioned security officers sometimes leave board members scratching their heads. The Osterman survey revealed that 85 per cent of board members wish that cyber security staff would tone down the technical language. They’re genuinely interested and want to understand, but they’re not cyber experts.

Board members prefer to talk about stock prices and bottom lines than the downtime associated with data breaches, which is one of your favourite topics. That’s the point in your presentation when their eyes start to glaze over. It’s not that they find you boring or don’t like you, but there’s a disconnect somewhere.

Fortunately, there’s a solution that everyone can live with.

Why Your Company Needs an Independent Assessment of its Cyber Strategy

A system in which board members receive their cyber education solely from experts within the same organisation is fundamentally flawed.

Even the most skilled officers have blind spots. Unfortunately, most go undiscovered until an actual cyber-attack. If you’re missing something, board members are missing it too. The checks and balances aren’t in place. Your reporting or board members’ understanding of it may be biased.

This is easily remediated by having your security plan periodically assessed by an independent party.

The most recognised tool in third-party assessment is the cyber security framework provided by the National Institute of Standards and Technology (NIST). The NIST framework is constructed around five basic functions:

• Identify
• Protect
• Detect
• Respond
• Recover

Each function is divided into several categories that address topics such as asset management, cyber awareness training and mitigating losses in the event of a breach. A thorough, real-time report creates urgency and encourages board members to get organised for responding quickly to cyber incidents.

Here are some ways that the framework will improve your reporting:

• It identifies weaknesses in cyber processes, which may lead to security compromises.
• It uses a common language to communicate about internal and external cyber-risks without technical jargons.
• It prioritises vulnerabilities that call for immediate prevention measures.
• It promotes the alignment of business strategies, company policies and cyber risk management.
• It helps in addressing compliance with government regulations.
• It assists organisations in building cyber security programs which is fundamentally demanded by insurance companies for “Cyber Insurance”.

In short, it provides an unbiased, accurate, up-to-date picture of your overall security posture.

Having this wealth of information at your fingertips takes some of the onus of reporting off your shoulders. According to the results, you can confidently plot a cyber security program that forms a baseline for the future.

The assessment will also help you prioritise your investments, based on the business impact caused by cyber disruptions. This will help when you report on what most needs protecting and how much protecting it will cost. Board members will get a better feel for how to prioritise spending.

In addition to helping you protect your company’s assets, a third-party assessment will demonstrate to shareholders and customers that you value their security and privacy. If for that reason alone, independent assessments make good business sense.