Terry Kuxhaus, June 25, 2024, 6 min read

Effective Cybersecurity Communications to the Board


Effective communication and information sharing are among the most critical aspects of any information security program. This is especially true for executives and board members, who need to be educated and informed on all aspects of information security to ask better questions and make informed decisions. If the top level of the organization better understands the risks and the impact potential, it will help foster a more robust information security culture throughout the organization.

Before we discuss the types of information and areas of your information security program (ISP) that should be shared upstream, let's discuss a framework to encourage directors and senior management to ask more insightful questions.


Understanding What the Board Needs to Know

Determining the correct information to share with the board of directors and senior management often poses a challenge. The top levels of the organization must understand how well the ISP is managed and how it compares to industry peers.

Let's start with what may be considered the top areas: risk assessments, vendor management, emergency preparedness, and compliance/audit.

  • ISP, IT, Business Continuity, and FFIEC Cybersecurity Risk Assessment Results
    The board and senior management need to comprehend the most significant threats (current and emerging), the most critical assets, and those at greatest risk. A detailed plan should outline steps to mitigate risks that exceed the organization's acceptable threshold.
  • Vendor Management
    Highlight the top critical vendors and any flagged on a "watch list." Clarify the measures to mitigate any risks identified during the due diligence process.
  • Emergency Preparedness
    Discuss the organization's readiness to handle crises, such as natural disasters or security breaches. Ensure that business continuity plans and incident response plans are updated and tested. Provide results of recent disaster recovery or tabletop tests and report any security incidents.
  • Compliance/Audit Results
    Clearly explain how well the organization is doing from an information security perspective. Are there critical and high-risk gaps that need to be addressed, and what plan has been established to remediate them? Another important aspect is how the organization compares to its peers regarding overall security posture.

Reporting Cybersecurity to the Board with Confidence

Remember that the board primarily oversees and manages the organization's high-level activities and strategic initiatives. They don't want to get too "deep into the weeds" with daily operational decisions. However, they need to understand the organization's most significant risks.

The foundation of your ISP is your risk assessments, specifically your IT risk assessment, vendor risk assessment, and business process risk assessment (also known as a business impact analysis). However, your directors and senior management may not always know what to look for or what's appropriate for these risk assessments. To empower them, share this simple framework with your top-level folks and have them ask you these questions about your risk assessments:
  1. What are our most critical resources - IT assets, vendors, business processes, etc.?
  2. Which aspects pose the greatest risk? It could be inherent risk or residual risk.
  3. Have we set goals around acceptable levels of risk for IT assets, vendors, business processes, etc.?
  4. If we have goals, how well are we meeting these goals?
  5. What are our next steps?

These five simple questions will help them focus on the areas of most concern to the organization, make better decisions, and identify where to allocate their next information security dollar.

Cybersecurity Communication & Reporting Best Practices

The board wants summarized information that is easy to understand and condensed. Keep this in mind when structuring your communications with them. Explain the benefits and value of security investments or the impacts of not investing.

Important aspects to keep in mind when reporting cybersecurity to the board:

  • Avoid technical jargon and acronyms. Speak in easy-to-understand terms while maintaining a professional, business-like manner.
  • Focus on the priorities. What are the most significant and essential items or threats they must know?
  • Justify expenditures on security investments by illustrating the successes of previous investments and reinforcing the need to evolve continually. Compare the amount spent to the amount that could've been lost without the investment.
  • Be prepared for tough questions. How do we compare to our peers? Are there other less expensive options? What compliance/regulatory risk will this address or introduce?

Building a Cybersecurity Board Report

Keep cybersecurity reports or packets as streamlined as possible, using charts and graphics to relay information. Board members don't want to dig through hundreds of pages of data to gather information.
Key objectives when creating a board report:

  • Cybersecurity board reports should be visually engaging and easy to understand without too much detail.
  • Keep reports brief and use charts, graphs, and heat maps to capture their attention and provide high-level detail.
  • Provide an executive summary with key findings or takeaways.

The items below are additional, important information security areas to report upstream but may vary for some organizations:

  • Exam and Audit Findings: Regularly update the board on findings from regulatory examinations, audits, and assessments, highlighting any remediation steps.

  • Training and Testing: Report on security awareness training outcomes and how they compare to industry standards, emphasizing employee and board engagement.

  • Progress on IT Strategic Initiatives: Keep the board informed about the progress of actions outlined in the IT strategic plan.

  • Incidents Affecting the Organization: Ensure the board knows of any recent fraud events, security incidents, and filings of Suspicious Activity Reports (SARs).

  • Policy and Procedure Updates: Discuss any significant changes to ISP-related policies and procedures that require board approval.

  • New Regulations: Update the board on new regulations affecting the organization and the associated impacts.

  • Budget/Staffing Needs: Highlight any needs for additional funding or resources to meet the requirements of the information security program, ensuring these are brought to the board's attention for strategic decisions.

Information Security Updates for Board Meetings

It's essential to establish a credible relationship and trust with the board. Ask for a standing "information security" timeslot on every meeting agenda. Knowing how much time you are allowed and structuring your report and discussions around that timeframe is a good idea. Encourage board members to engage and ask questions. The more involved and educated they are, the more likely they are to support proposed initiatives and promote sound cybersecurity practices and culture throughout the organization. Make yourself available for them to ask questions before or after meetings to build the relationship further. Keeping cybersecurity at the forefront of board members' minds will help align information security strategies with business objectives.

Effective communication with the board of directors and senior management regarding cybersecurity is crucial for the success of an organization's information security program. Focusing on priorities, keeping communications easy to understand, and justifying security investment expenditures are essential. Cybersecurity reports should be visually engaging, easy to understand, and provide an executive summary with key findings and takeaways. Provide regular updates on risk assessments, exam/audit findings, training and testing, emergency preparedness, vendor management, incidents affecting the organization, policy and procedure updates, new regulations, and budget/staffing needs to the board. It is essential to prioritize information security from the top down, keeping the board updated and involved in information security matters.

Terry Kuxhaus

Terry Kuxhaus is an Information Security Consulting Team Lead at SBS CyberSecurity. He is also an instructor for the SBS Institute, leading the Certified Banking Vulnerability Assessor (CBVA) course.