How to communicate risk to the board: the ‘Goldilocks’ approach

Boards care about risk. While boards are adding more IT-savvy members to cope with the challenges and changes taking place around their businesses, what they really care about is risk, and that is the lens through which cybersecurity now has to be presented to them.


Companies today rely heavily on their technology implementations and infrastructure to do business and maintain continuity. It is behind everything - powering the communication and collaboration tools that we use every day and keeping the business operating and cash flowing.

And with the added realisation that implementing the right technology can be a massive competitive advantage, boards have evolved to become increasingly technology-savvy.

The proliferation of technology and IT tools in enterprise environments, and the acceleration of businesses moving to the cloud, is happening in tandem with an increase in security risk. Organisations are facing catastrophic breaches, internet-shaking vulnerabilities, nation-state backed attacks and a rise in ransomware (Verizon's DBIR 2022 reported a 13% year-on-year increase in ransomware breaches, a rise as big as the previous five years combined). As a result, cyber resiliency is front and centre, with one analyst forecast putting the share of boards that have a dedicated cybersecurity function at 40% by 2025, compared with less than 10% in 2021.

With the mission of increasing cyber resiliency, boards and executives are now approaching cybersecurity as a business risk rather than what it has historically been - a technology problem. Gartner's 2021 board survey found that 88% of boards already regard cybersecurity as a business risk rather than solely a technical IT problem.

Building for the Board

Risk is not binary. In IT, it is easy to point at a technology problem and say whether it has been fixed or not. Boards, however, want information and context on longer-term approaches and the issues that may result from them, rather than siloed information on a single problem. To communicate effectively on risk, you must understand how the board thinks about impact, probability and areas like compliance.

For example, one company - insurance provider Aflac - wanted to improve its approach around scanning and remediation. It saw the number of problems detected go up from around 42,000 critical and severe vulnerabilities to more than 185,000 vulnerabilities overnight. This increase could make it look like the team was having problems, or that they were missing issues.

Instead, the team communicated with the board on the overall impact that this new visibility had for them, and how it translated into better risk management, not less.

The team at Aflac used its insight to inform the board of what was going on, and then prioritised its efforts on the critical and high severity problems. This led to the number of open issues being cut from 185,000 to around 55,000. More importantly, appealing to the risk management approach meant that the team got more backing to deal with problems quickly: when a critical remote code execution vulnerability came up in Microsoft Exchange, the team was able to deploy the update within 24 hours. By getting board understanding and support, the overall security posture improved.

It's important to understand that "risk" is not a one-size-fits-all proposition. Each industry has its own set of compliance and regulatory requirements, and every business within an industry has its own environment to manage. The issues that affect your environment may be drastically different from those of your peers in the same industry. As a result, every board will have its own measure of what success looks like, and understanding that measure is critical if you want to achieve your goals.

Risk management needs to be a holistic process that looks at the entire business. Rather than homing in on specific technical aspects, boards have to consider how technology fits into the flow of the business, even taking in macro-economic factors like inflation and market demand. To communicate effectively around IT risk, think about the level of impact that a problem may have over time, and then put it in the right context. Leaning too far into technical detail may leave the board without understanding; keeping your communication too high-level may fail to convey how much risk a specific issue presents.

Preparing your information and your delivery

Presenting information to the board is a critical skill. Boards have to consider the level of risk that the business is comfortable with - this includes everything from investments in new markets to building the right security framework.

So what is the best way to deliver information to the board? How can you be sure to deliver the right information when called upon?

To make the most of your opportunity, consider how you can get into the 'Goldilocks zone', where the information is neither too simple nor too complex. Boards are typically made up of experts who are used to processing financial data, reading balance sheets and understanding them in context. Using the same model for risk can prove beneficial: preparing a 'cyber balance sheet' as part of your presentation, or alongside your dashboard, can help them understand the value that security provides.

If the board does want to dive into more detail or understand more about the return on investment from the IT security budget, then you should be prepared to offer this insight. Questions may arise due to media coverage of the latest malware attacks, so you should be ready to detail how your approach manages the issues. However, it should be something that you can go into when asked, rather than front-loading your presentations with too much information.

One of the biggest tasks that these board presentations have the potential to support is budget. Cybersecurity has typically received additional funding for its efforts to keep pace with threats and new requirements, but it is never a guarantee. It is essential - now more than ever with the increasing threat landscape - to lay out the current baseline for risk, why this situation has to be improved, and where any activities would be focused.

Board support for a secure future

It is no secret that digital transformation is accelerating drastically, causing large-scale changes in business processes, go-to-market models and the services that are launched. Getting board support to make every process change 'secure by design' should reduce long-term cost and risk, as well as supporting those business goals.

A programme like vulnerability management is normally focused on finding and fixing issues; it is the kind of technical project that a board would not normally look at. However, its data can be used to demonstrate how effectively the security function works and how that translates into reduced business risk.
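One way to turn vulnerability management data into the kind of 'cyber balance sheet' described earlier, and into the board-level risk view this paragraph refers to. This is an added example and not code from the original article, from Aflac or from Qualys; the findings, the SLA values and the internet-facing flag are all constructed for illustration. The idea is to reduce raw scanner output (thousands of findings) to a handful of numbers that answer the board's questions: how much is open, how much is overdue against our own remediation policy, how much of it an attacker can reach from the internet, and how quickly we fix things.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

SEVERITIES = ("critical", "high", "medium", "low")

# Remediation SLA in days per severity. Assumed values for this example;
# replace them with your organisation's own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the summary (constructed, matches the sample data below).
AS_OF = date(2022, 4, 1)

# Constructed sample findings, not output from any real scanner.
# closed=None means the finding is still open.
FINDINGS = [
    {"asset": "mail-01",  "severity": "critical", "opened": date(2022, 3, 1),  "closed": date(2022, 3, 2),  "internet_facing": True},
    {"asset": "web-01",   "severity": "critical", "opened": date(2022, 3, 20), "closed": None,              "internet_facing": True},
    {"asset": "db-01",    "severity": "high",     "opened": date(2022, 3, 10), "closed": None,              "internet_facing": False},
    {"asset": "hr-app",   "severity": "high",     "opened": date(2022, 1, 15), "closed": None,              "internet_facing": True},
    {"asset": "db-01",    "severity": "medium",   "opened": date(2022, 2, 1),  "closed": date(2022, 3, 15), "internet_facing": False},
    {"asset": "ws-17",    "severity": "low",      "opened": date(2022, 3, 25), "closed": None,              "internet_facing": False},
    {"asset": "build-02", "severity": "high",     "opened": date(2022, 2, 20), "closed": date(2022, 3, 1),  "internet_facing": False},
    {"asset": "web-01",   "severity": "critical", "opened": date(2022, 3, 28), "closed": None,              "internet_facing": True},
]


def summarise(findings, today):
    """Reduce raw findings to the few numbers a board can act on."""
    open_by_sev = Counter()
    overdue_by_sev = Counter()
    days_to_close = defaultdict(list)
    exposed_open = 0  # open critical/high findings on internet-facing assets
    for f in findings:
        sev = f["severity"]
        if f["closed"] is None:
            open_by_sev[sev] += 1
            # Overdue means the finding has been open longer than its SLA allows.
            if (today - f["opened"]).days > SLA_DAYS[sev]:
                overdue_by_sev[sev] += 1
            if f["internet_facing"] and sev in ("critical", "high"):
                exposed_open += 1
        else:
            days_to_close[sev].append((f["closed"] - f["opened"]).days)

    total_open = sum(open_by_sev.values())
    total_overdue = sum(overdue_by_sev.values())
    return {
        "open": {s: open_by_sev[s] for s in SEVERITIES},
        "overdue": {s: overdue_by_sev[s] for s in SEVERITIES},
        # Median rather than mean, so one very old finding does not hide
        # that most fixes land quickly.
        "median_days_to_close": {
            s: (median(days_to_close[s]) if days_to_close[s] else None) for s in SEVERITIES
        },
        "exposed_open_critical_high": exposed_open,
        "open_within_sla_pct": (
            round(100 * (total_open - total_overdue) / total_open, 1) if total_open else 100.0
        ),
    }


def board_lines(summary):
    """Phrase the summary as risk statements rather than scanner counts."""
    o, od = summary["open"], summary["overdue"]
    lines = [
        f"{o['critical'] + o['high']} open critical/high findings, "
        f"{od['critical'] + od['high']} of them past our remediation SLA.",
        f"{summary['exposed_open_critical_high']} of those sit on internet-facing assets, "
        "the ones an attacker reaches first.",
        f"{summary['open_within_sla_pct']}% of all open findings are still inside SLA.",
    ]
    for sev in ("critical", "high"):
        d = summary["median_days_to_close"][sev]
        if d is not None:
            lines.append(f"Median time to fix a {sev} finding: {d:g} days (SLA {SLA_DAYS[sev]}).")
    return lines


if __name__ == "__main__":
    for line in board_lines(summarise(FINDINGS, AS_OF)):
        print("-", line)
```

Run month on month, the same five lines give the board a trend they can read the way they read a balance sheet: the raw count of findings going up (as it did at Aflac when scanning coverage improved) is not bad news if the overdue and internet-exposed numbers are coming down and the median fix time for critical findings is inside SLA.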

By providing more insight - and by putting it in the right context of risk - you can make IT security more effective for the business and get the support you need. By translating effectively between the business and IT, you can ensure that your requirements are met. And by preparing effectively, you can build up a more long-term approach to security and risk management.

Paul Baird is Chief Technical Security Officer UK at Qualys, where he leads work with enterprise customers around implementing security best practices around vulnerability management and cloud security. He is a Fellow of the Chartered Institute of Information Security (CIISEC) based on his contributions to the UK security industry. Prior to joining Qualys, Baird led global security operations for FTSE 250 companies and implemented a global cyber security operation for Jaguar Land Rover.