Previous posts have discussed how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. They’ve also explored how a GRC software platform can help gather, organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. Now, in this last post of the series, I’ll offer some suggestions on the specifics of that content that you can explore, and perhaps repurpose, for your own board’s benefit in the future.
Cyber Risk and Security Are Part of Business Operations
When planning a Board-level report, keep in mind you are reporting on an operating aspect of your business. So, business fundamentals must provide the context to reporting activity. You must demonstrate how the cyber risk program aligns with overall business strategy. This should include how current cyber risk policy supports business goals. It’s not about the state of the cyber risk program in a vacuum. It must be about how well that program is working, its effectiveness, and its opportunities. There’s a tendency to measure against maturity. While that may be a contributing factor and important to managing the program, your Board expects that from its operating leadership. It is concerned with results.
More Is Not Better
I’ve seen Cyber Risk and Security “briefings” that literally presented hundreds of metrics over nearly 90 PowerPoint slides. This is not effective reporting. If you measure and track everything and dump that pile into a mass of output your Board will correctly presume you do not understand the key drivers of your efforts, and dismiss the lot. Having a few important metrics and offering context to represent how they contribute to supporting the business’ success will help the Board understand what’s been accomplished. It will also help explain where opportunities lie by offering what a target result might be. For example, year-to-date there may have been 11 assessments completed across business operations. Those may have demonstrated that 231 of 260 controls (89%) are in force and effective. That’s a simple statement of fact. The distribution of the remaining 11% of controls found wanting might indicate weakness in authentication management. And you can offer detail on how you plan to address this through staff training, procedural changes, or other methods. Since many well publicized cyber events of the past year have their roots in this area, the Board will understand and pay attention to your findings, and your recommendations for improving performance in this area.
Note: When presenting, try to keep data per display to a minimum. Participants can read or they can listen, but numerous studies suggest they in fact do not do both well at once.¹ It’s a good idea to present key concepts with simple images and deliver supporting context verbally.
What Else Might The Board Want To Know?
Think about Governance. Answer the question of how the Board can know how well the company’s cyber risk program is working; how it’s mitigating risks threatening achievement of goals and success. Here are some categories to consider in shaping your answer to that over-arching question:
- Management of vendors, partners and third-party service providers
- Regulatory Compliance
- Budget performance and resource requirements; staff and capital
- Incident Tracking
- Monitoring Findings
- Training and Education
Let’s look at each one in a bit more detail.
Management of vendors, partners and third-party service providers
If your partners, vendors and service providers don’t measure up to your level of cyber risk management, they in fact diminish your internal state. This is another way of stating you are no stronger than your weakest link. Note the results of assessments of these participants in your business. Are they in compliance with contractual obligations? Comment on policy, process, or corrective actions being implemented to assure their efforts do not create unaddressed vulnerabilities into your operation.
Regulators form a mixed lot, including state and federal agencies, third party payment processors, health and safety boards, law enforcement, and others, depending upon the business of your company. Regardless of their nature they all represent similar challenges; standards of performance or operation which, if not met, can lead to financial loss through fines or penalties, in addition to service disruptions which could impact revenue, reputation, and growth. Regulatory controls meant to address cyber threats are therefore quite important to managing overall risk. Because non-compliance could impact reputation, operations, earnings and revenue, a cyber risk’s governance in this area will gather Board attention. These represent some “musts”, and demonstrating an understanding of potential risks, threats, and mitigations will be key. To simplify matters, reporting might best focus on overall success, while pointing out any outstanding challenges and recommendations to address them. This keeps the message here in the form of “across the scope all is operating well, except for these few items, and here’s what we recommend to address them”.
Budget performance and resource requirements; staff and capital
No risk discussion, cyber or otherwise, will avoid inclusion of a review of the program’s cost, resource consumption, and recommendations for the coming quarters. This need not and should not be a full bloom budget review. Save that for whatever regular operating reviews are normally conducted. For the Board this is a summary statement: “Our budget of $nn allows us to manage cyber risk to company assets, operations, and reputation valued far in excess of our expenditures. We continually review program costs and risk strategies to assure we are not recommending actions disproportionate to the risks to assets, operation, revenue or reputation”. You can demonstrate this by reviewing costs to monitor threats, address incidents and mitigate risks in comparison to estimates of exposure were these actions not taken. It’s important to assure there are no $10,000 risks being addressed by $100,000 programs.
What incidents have happened? How quickly and effectively were they detected? Halted? How was recovery conducted, losses estimated, and remediation initiated? Were they of small scale or significant? Do they point to larger, yet unrealized vulnerabilities that bear immediate attention? Are there patterns and frequencies within incident statistics that can point to vulnerabilities requiring changes to policy or operating practices? What recommendations does the cyber risk team have to minimize and mitigate significant incidents?
Define incidents and categorize them so your Board can see the true extent of incident experience. If you have 20 in a reporting period, but only 1 or 2 were of any significance (say resulting is losses over $n or requiring disclosure to over nnn,nnn clients or customers) you might be reporting 2 this period, up 1 over last, and flat to YTD the prior year. That is a very different, and more focused message than “20 incidents this period”. Again, keeping data relevant to the business context of significance and using numbers to focus and offer context are vital to managing the Board report and the resulting conversations.
This is a trap for many dedicated IT folk who double in cyber risk. There’s a tendency to monitor “everything” and then to demonstrate that proudly by reporting “everything”. Your Board of Directors will glaze over as if struck by an ice storm, or a vision of Medusa. Mention your comprehensive capabilities, but pick your two or three (at most) significant changes in volume, direction, or trend over the reporting period. Present those numbers, but leave any explanatory context to your discussion. Keep reported metrics to a bare minimum, but have backup details at hand should discussion raise an opportunity to share them in support of your comments.
Training and Education
If there is one “lever” that can have a profound impact upon restricting cyber risk across your enterprise, it’s training and education. So often well-formed controls, policies and practices are not followed due to ignorance or apparent indifference. This behavior fosters vulnerabilities to threats that should otherwise be well controlled. The “human element” of staff behavior has been found at the root of many well publicized and significant breaches over the recent past; access credentials compromised due to successful phishing exploits have been among the most common noted, but weak governance over third party service providers have also created vulnerabilities otherwise not part of operating infrastructure.
Reporting on training should include metrics on frequency of retraining, volumes in terms of staff percentages, including efforts to test behavior through false phishing attempts to see how many staff have learned to identify and report attempts and how often they succeed. This helps measure training effectiveness. It can also point to operating areas where retraining might strengthen controls in place related to compliance.
Reviewing the Threat Topology
Boards of Directors may or may not be astutely aware of all the technology a company employs. Today, it’s becoming commonplace to work from home, use personal technology, or sometimes use company issued technology for more than business. There are many “smart” devices at play. Cell phones, which are really portable computing platforms of considerable power, are often missed when applying stringent usage controls. So are tablets, smart watches and other mobile devices. We tend to miss the other devices entering our environments, particularly at home. Smart appliances, voice activated assistants, smart TV’s and other internet connected devices permeate (often via wireless connections) our lives. As a result, they extend the shape and perimeter of the cyber risk boundaries a company might experience.
Boards need to become aware of the scope of risk threats and the educational, operational, and technological controls, at least by cyber risk program category, employed to address them. This is not only educational for them, but demonstrates the scope of the cyber risk program, its governance provisions, and how these program aspects join to provide a holistic approach to cyber risk management.
Assembling Your Story
Board reporting isn’t necessarily harder than other forms. But it requires a clear mastery of your data. GRC’s help gather and organize content to help achieve that. The Board presentation needs to start with a summary of the threat topology, followed by a review of key operating metrics from the areas above. These would incorporate any recommendations for actions requiring any approval or action by the Board to provide additional resources beyond current budget allowances. It could then conclude with a general wellness statement restating progress, overall compliance and preparedness to address and mitigate cyber risk. The story is one of contribution to the business’ goal achievement through management of cyber risk. These guidelines can help you tell that your story is effectively gaining credibility for the program and those who manage it.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.