Communicating cyber risk to the board

What is the best way to communicate these risks with the board?

“The true business impact of any risk needs to be understood”

Marc Avery, CISO and founder of the Cyberchain Alliance, talks to Sooraj Shah about how to ensure business leaders understand the strategic business significance of cyber security.

Marc Avery was a speaker at the very popular R3 cyber security conference, which ran from 15 to 24 September 2020. If you missed it, then it’s not too late: you can still watch on demand.

Video transcript:

So risk in any form, be that in business or security, or health and safety, for that matter, should always be discussed with the board and presented to them in a format and language that they understand. It has to be relevant to the services that you provide your customers. And when they look into your supply chain, it has to be relevant to some of the services that they provide to you, but also to their other customers, as well.

The true business impact of any risk needs to be understood. And without that, it’s very difficult to make decisions. And if decisions are made, they can often be fragmented and spurious. So understanding the true business impact either from a financial perspective, reputational perspective– all of those things need to be considered before you can actually communicate risks effectively to allow good decisions to be made.

You have to talk positively to the board about risks and explain not only the negatives about the damage it could cause, but also the benefits of avoiding the potential impacts, making sure that your name’s not dragged through the press as the next big headline, and those kinds of things. So talking positively is something else that’s important.

I think that, finally, making sure that risks and risk management generally are agile– there’s nothing worse than discussing the same risk at every monthly risk forum and nothing changes. It becomes boring. It becomes static and stagnant. And therefore, making sure that your risk management process adapts to the change in environment and context of the organisation and the suppliers really helps to ensure that it stays alive.

And again, back to those relationships, impact rarely changes. But actually, the likelihood of risks does change somewhat. So taking into account changes in the environment, changes in economics, politics, anything to do with vulnerabilities, service outages, anything like that can change the likelihood of risk. So bringing that formula supplies up to the board, again, in the language they understand, helps to keep that risk management process healthy.

Copyright Lyonsdown Limited 2021
