How to explain cyber risks to your leadership team

Cryptoloc blog post, published 28 June 2021 (last modified 3 October 2023).

When it comes to communicating cybersecurity risks to boards and executive leadership teams, IT professionals need to learn a whole new type of programming language.

As businesses rapidly digitise virtually every aspect of their operations, the potential fallout of data breaches and ransomware attacks has exponentially increased. But while everyone now understands that cybersecurity is important (at least in theory), not everyone at the top of the org chart is particularly tech-savvy.

A recent Accenture study, for instance, analysed almost 2,000 directors at more than 100 large banks and found that only 10 per cent of board directors and 10 per cent of chief executive officers on boards had any IT experience, and a third of the world’s biggest banks still have absolutely no board members with professional technology experience.

Jamie Wilson, Executive Chairman and Founder of Cryptoloc, says he sees far too many leadership teams taking a laissez-faire approach to cybersecurity, particularly as businesses migrate to the cloud.

“When you push your operations to the cloud, you’re using third-party providers, and that opens you up to a whole lot of vulnerabilities,” he says. “What I often see is that people don’t take enough time to investigate those third-party solutions – they just trust that their cloud provider is secure, and they’re actually not.”

Establishing a common language with high-level execs to educate and advise them about cyber risks can be a significant challenge, but it’s often the only way to get the resources you need – so here are a few ways to get the board on board with cybersecurity.

Don’t bury your message in technical jargon

The technical jargon that tends to be beloved by IT departments can make it difficult for organisations to have the necessary conversations about cybersecurity.

To avoid falling down a rabbit hole of detailed technical explanations and giving yourself a front-row seat to a room full of executives with their eyes glazed over, outline cybersecurity risks in terms of the damage a cyber attack could do to the smooth operation of the business, not to systems that nobody outside the IT department is likely to have a grasp of.

“You’ve got to remember that these are not necessarily technical people,” Jamie says. “You have to be able to explain the problem to your grandmother, and put it in terms that she’ll understand.”

When explaining the importance of encryption and the risks posed by social engineering scams like phishing, for instance, Jamie says he likes to “paint a picture of a house”.

“What does the perfect home security system look like? You’ve got CCTV cameras, you’ve got bars and security screens on the windows, you’ve got double deadlocks on the door, you’ve got a massive fence and you’ve got a couple of vicious dogs. Those are your perimeter controls.

“But the weakest link in that security system is the person who’s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it’s the same with an employee who opens a phishing email, or connects to the wrong IoT device – before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can’t protect you.

“In that situation, you have to rely on your internal controls, which include encrypting and backing up your data so you don’t lose any sensitive information in the event of an attack.”

Use the language of risk management

Your typical board member might not be able to configure a firewall, but they do understand their fiduciary responsibilities and the ever-present language of risk management.

To capture their attention, focus on actual risks to business operations, the likelihood and repercussions of those risks, and the cost of mitigating those risks compared to the cost of doing nothing.

You could enlist the help of a risk management professional who’s well-versed in couching risks in those terms for executives, but if that’s not possible, make sure you clearly prioritise the risks for the board, instead of presenting them with an amorphous jumble of possible scenarios.