Board members say security information is among top concerns
Fewer than 15 percent of board directors across several industries, including healthcare, say they are satisfied with the cybersecurity information they receive from management.
In response to the results of that survey, conducted by the National Association of Corporate Directors, a primer of basic information is available to help organization executives improve board-level communication about cybersecurity issues.
The primer, compiled by the corporate directors association and the National Cyber Security Alliance, offers tips to help directors hold management accountable for performance. Board members should have long lists of questions for CIOs, chief information security officers and other data security professionals about security, the organizations say.
Some of those questions include: What are the most important metrics we use to monitor and evaluate risk to the company? What is the business case for cybersecurity? How can cybersecurity enable other business functions across the enterprise?
“Directors are watching for shifts in the regulatory and economic climate that could impact their companies over the next year,” says Peter Gleason, president and CEO at the National Association of Corporate Directors. “These often interconnected risks lead to increased business uncertainty as management finds their likelihood difficult to anticipate and their impact challenging to mitigate.”
Cybersecurity threats are of great concern, according to 42 percent of survey respondents, outpacing other issues such as business-model disruptions, geopolitical volatility, pace of technology disruption, talent deficits and increased industry consolidation.
With cyber threats looming everywhere, boards have improved their understanding of cyber risks, and they are looking to management to translate technical and tactical details about cybersecurity into business terms, such as risks, opportunities and strategic implications.
Management needs to convey key takeaways with supporting data, because boards are looking for insight on the state of the cybersecurity program and effects on the business. What boards don’t want is a lot of technical detail or operational compliance-oriented metrics.
When preparing board-level reports, the National Cyber Security Alliance and the National Association of Corporate Directors offer the following guidelines.
* Make sure data is relevant to the organization’s business context and can be understood by the audience.
* Avoid giving too much information and eliminate technical jargon.
* Minimize text and include graphics and visuals to convey key points.
* Communicate insights into what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.
* Most importantly, reports to the board should enable strategic discussion and dialogue between directors and senior management.