How to Effectively Communicate Cyber Threat Priority to the C-Level and Board of Directors

Cyber threats against organizations are constantly evolving. The first step in protecting the organization is clear: everyone, from the cyber analyst to the board of directors, must understand that threats exist with real potential to harm the business. While the security analyst team reviews and prevents threats every day, the executive group or board is far removed from those daily risks, which are often seen as purely the domain of security analysts or IT. The question is: how can the security team present the importance of cyber risk to executive audiences so that they not only understand the current situation but also actively support investment in prevention? Without senior buy-in, it is difficult to put a comprehensive risk mitigation program in place.

When presenting security risks to an executive or board audience, it is important to use a consistent model or framework. Cyber attacks, and advanced persistent threats (APTs) in particular, are business risks, not just IT risks. Most executive groups and boards are not made up of security experts, so the problem should be framed as a business risk story rather than as a technical threat that is unlikely to resonate with them. For example, a major business risk might be that information is covertly stolen and used to undermine a corporate acquisition the company is pursuing. In this case the cyber attack is only the vehicle through which the risk was realized, so the story should focus on the risk itself and its implications for the business, not on the technical background behind it.

Another important decision-making factor for executives and the board is how the return on a security investment will be measured. Explaining that return in terms of impact on the business is necessary to win buy-in for this critical investment. It also creates a bridge between the business and the technical team in the security operations center, giving them a common language and understanding. One concrete measure is time to detection: if analysts using better tooling can detect a threat in hours rather than days, and that figure is compared with the company's previous monitoring, detection and response capability, the return becomes clear, as does the direct link between security investment and reduced business risk.

The attack landscape is in constant flux, but this does not mean that boards and executives should delay security investments. Today's threats can cause long-lasting damage, and it is the security team's role to impress this on decision-makers in terms they can relate to. Doing so paves the way for solutions that combat the threats as they exist today while allowing updates as new threats come to light.


Nik Whitfield is Director of Cyber Security at BAE Systems Detica