Getting The (Security) Message Across to The Board


In any organization or business, security breaches can occur at any number of points in the operational cycle where personal details or information are shared. There is no denying that security threats can come from cybercriminals, from employees, or even from systems themselves. It is hardly a surprise that the majority of breaches are caused by human error.

In the current landscape, all organizations find themselves linked to each other, almost by default. As users become more accustomed to working in mobile and virtualized environments, interconnected entities have become more prevalent. With this perspective in mind, organizations should be urging their boards and stakeholders to treat security as the primary concern facing their businesses, especially in today’s digital marketplace. We have highlighted the major security concerns below, to give you a better understanding of what organizations can do to adapt their systems and make them capable of withstanding security threats.

Unawareness Among Employers

Presently, people are interested in learning more about risk and security management. However, there is often a misalignment between what risk managers are trying to convey and what the board needs to know. Risk managers and leaders must provide the relevant content without overloading it with complex technical references and jargon that obscure the message.

Cyber Risk Management: Getting the Message Across to the Board

Businesses are now adopting changes that connect their employees directly with their suppliers and customers. As a result, the barriers between these different environments are becoming increasingly less effective.

The World Economic Forum has characterised the Internet of Things (IoT) as a ‘cyber sub-prime bubble’. It connects RFID applications, social media, smart devices, cloud and big data. All of these applications and objects store data, allowing customers to share their data with a business so that proposals and offers can be tailored to their needs. In exchange, customers need to be sure that they are interacting and transacting with the genuine business, and need to understand the cybersecurity issues involved.

Business advisory bodies, government departments and regulators acknowledge that businesses need guidance on what qualifies as best practice in cybersecurity. To help the business community, material is available from several sources, including the Department for Business, Innovation and Skills. This includes a basic risk assessment for the CEO and company directors to evaluate and reach consensus on the major concerns surrounding the planning, implementation and review of cyber risk. Moreover, detailed advice should be made available on employee policies, technology and processes.

How to Inform the Board About Security

Given the current dynamic cyber risk environment, organizations must enhance and upgrade their approach to cybersecurity, and the same is true for board members. Here are some of the key aspects of security on which enterprises must keep their board well informed.

Establish a Formal Security Governance Role

The board should have complete knowledge of all the cyber operations the business partakes in. This awareness helps the board to contextualize the role of cybersecurity in its overall decision-making process. The board must involve itself in assessing the major strategies the organization is planning in order to mitigate those risks. Moreover, it should inquire about the plans and analyze them to evaluate the right response to a cyber incident. This empowers the board to make decisions on risk mitigation and to entrust senior management with implementing the strategy.

Expansion of Board Level Cyber Expertise

Initiating a regular cyber curriculum for board members will help create board-level expertise, which in turn enables management to target their presentations in a more specific and efficient direction. Apart from that, the organization should also bring cyber experts, including independent auditors, consultants and other industry experts, into the management-board relationship to validate the enterprise’s current cybersecurity posture. This is highly beneficial in developing board-level expertise.

Aligning Cyber Governance With Corporate Business Structures Rather Than Isolating It

Boards should take a dynamic and holistic approach to security responsibilities in order to aid the organization in executing its mission. Joint presentations by the CFO and CISO give the board an integrated picture of the organization’s operations and security in the overall context of the business. This also ensures that the whole senior team is well informed about all cybersecurity initiatives and is able to answer any and all questions from the board about how those initiatives will influence the business strategy.

Regularly Analysing Security Measures for Applicability and Overall Impact

Just as no security measure is free of cost, many security measures have unintended consequences. Security measures can slow operations to the point where employees involuntarily create new risks. For example, if the badging or key-control process is long and painful, an unexpected side effect may be employees sharing badges, which completely undermines the company’s control over access to its systems.

The same applies to the company’s network. If getting system access is a troublesome process, employees will find a way to be productive by sharing passwords or using personal email, which is a bad sign. If these behaviours are prevalent in your organization, don’t be quick to blame your employees; look instead at your company’s operations and processes and determine whether or not your support staff are serving their internal clients appropriately.

Employ The Right Metrics

When it comes to cybersecurity, there is a heavy focus on technical metrics such as failed logins, transaction counts, blocked traffic and so on. Many such metrics are not aligned with the company’s objectives. The metrics reported to the board should therefore be tied to the company’s objectives, and ongoing reporting should show how effective security is in the context of the business.

Getting Everyone Involved

Protection against cyberattacks should always be handled in an integrated manner. The problems of security and compliance that an organization faces do not rest on the shoulders of one department or employee.

It is always a company-wide effort, in which employees play a key role. When communicating this to the board, ensure that stakeholders from the company’s risk, legal and PR departments understand their roles and can execute their part successfully, both to prevent a breach and to mitigate the losses whenever one occurs.


Effective cybersecurity awareness and training for employees are key to running a successful digital business. Develop a strong plan that includes the formation of a Cyber Resilience Team. This team of experts will thoroughly investigate each incident and make sure that all relevant members communicate efficiently. Following these standards across the board will bring immense benefits in the long run.


Matt is a global CISO with 20+ years of directing international security programmes for multi-billion-pound organisations. He has a passion for security and is a cybersecurity evangelist.
