Lessons in Communicating Cyber Risk to the Board and Business Leaders


Business leaders are not always technically focused, so it is important for security teams to examine how they are communicating risk to leadership and ensure those methods are being effectively received. Overly technical or purely qualitative methods run the risk of the message getting lost or distorted, so well-run security programs are evolving their approach to measuring and communicating security metrics.

Better business decision-making and collaboration happen when you can translate cyber risk into financial terms that every business stakeholder can understand and agree on. This means calculating cyber risk in monetary terms. Some savvy businesses have already started to quantify their top risks to provide real actionable insights to business leaders.

Here are some lessons we’ve learned to help you overcome common challenges and accelerate your time to value.

First, don’t reinvent the wheel. Often, we see organizations turn to spreadsheets; however, Excel can only get you so far and isn’t the easiest view to understand and digest. Proven software solutions and methodologies already exist to help you get started. Better yet, they should help you accelerate your time to value – particularly if there are templates or automations for you to benefit from.

Second, identify your crown jewels. We often hear that organizations struggle to decide where to start. It wouldn’t be realistic to quantify all the risks a business may face, so focus on your key applications and make sure you understand the risks to those first. These are the ones you should quantify. There should only be a handful of critical applications or key datasets, so this gives you a good starting point.

Third, involve key stakeholders. Risk management needs to be driven by senior leaders to truly be embedded into an organization’s culture. Without their backing, it can be challenging to make progress. They need to understand the risk in financial terms to decide how they would like to respond, but this needs to be supported by context (and evidence where possible). It should also align with company goals and support growth plans – if mapped this way, it becomes easier to see the impact.

Finally, risk management is not a one-off activity; it must be continuously reviewed to ensure that you are keeping pace with the dynamic environment and changing circumstances. Only then will the risk management strategy be more effective, agile, and resilient. But let’s not forget – not all risks are bad. Being proactive also allows you to identify opportunities early on and gives you the potential to keep ahead of the competition.

Overall, it can be a challenge for IT/security teams and business leaders to speak the same language, but this can be overcome with cyber risk quantification (CRQ). CRQ allows the business to understand the implications of introducing new digital applications, as well as potential areas of loss exposure and financial risk. Businesses can then quickly compare the value of security investments and mitigating controls – overall enabling better decision-making and granting higher protection.
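To make the comparison of "security investments and mitigating controls" concrete, here is an added example that is not part of the original article and is not the author's or Aflac's method. It assumes a simple frequency-times-magnitude model: each crown-jewel application has an expected number of loss events per year and a lognormal loss per event. The script computes the annualized loss expectancy in closed form, runs a Monte Carlo simulation to show a "bad year" percentile for the board, and scores a hypothetical control by the expected loss it avoids against what it costs. All asset names, frequencies, loss figures and the control's effect are constructed values.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class AssetRisk:
    """One 'crown jewel' application with a constructed risk profile (hypothetical values)."""
    name: str
    event_frequency: float  # expected loss events per year (the ARO of classic risk analysis)
    loss_median: float      # median loss per event, in currency units
    loss_sigma: float       # spread of the lognormal loss-per-event distribution (0 = fixed loss)


def annualized_loss_expectancy(asset: AssetRisk) -> float:
    """Closed-form expected annual loss: frequency x mean loss per event.

    For a lognormal loss with median m and spread sigma, the mean is m * exp(sigma^2 / 2).
    """
    mean_loss_per_event = asset.loss_median * math.exp(asset.loss_sigma ** 2 / 2)
    return asset.event_frequency * mean_loss_per_event


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw the number of loss events in one year (Knuth's Poisson sampler)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(asset: AssetRisk, years: int = 20000, seed: int = 1) -> list:
    """Monte Carlo: simulate `years` independent years and return the total loss of each."""
    rng = random.Random(seed)
    mu = math.log(asset.loss_median)
    totals = []
    for _ in range(years):
        events = _poisson(rng, asset.event_frequency)
        totals.append(sum(rng.lognormvariate(mu, asset.loss_sigma) for _ in range(events)))
    return totals


def percentile(samples: list, q: float) -> float:
    """Nearest-rank percentile; q=0.95 gives the 'bad year' loss worth showing leadership."""
    ordered = sorted(samples)
    index = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def evaluate_control(asset: AssetRisk, frequency_reduction: float, annual_cost: float) -> dict:
    """Compare a mitigating control against the loss it is expected to avoid.

    frequency_reduction is the fraction of loss events the control prevents (assumption).
    Return on security investment (ROSI) = (avoided loss - cost) / cost.
    """
    before = annualized_loss_expectancy(asset)
    mitigated = AssetRisk(asset.name, asset.event_frequency * (1 - frequency_reduction),
                          asset.loss_median, asset.loss_sigma)
    after = annualized_loss_expectancy(mitigated)
    avoided = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "avoided_loss": avoided,
        "net_benefit": avoided - annual_cost,
        "rosi": (avoided - annual_cost) / annual_cost,
    }


# Constructed sample portfolio: illustrative figures only, not any real organization's data.
PORTFOLIO = [
    AssetRisk("customer-portal", event_frequency=0.5, loss_median=100_000, loss_sigma=0.0),
    AssetRisk("claims-database", event_frequency=0.2, loss_median=2_000_000, loss_sigma=0.8),
]

if __name__ == "__main__":
    for asset in PORTFOLIO:
        losses = simulate_annual_losses(asset)
        print(f"{asset.name}: ALE {annualized_loss_expectancy(asset):,.0f}, "
              f"simulated mean {sum(losses) / len(losses):,.0f}, "
              f"95th-percentile year {percentile(losses, 0.95):,.0f}")
    # Hypothetical control: expected to stop 60% of loss events for 10,000 per year.
    print(evaluate_control(PORTFOLIO[0], frequency_reduction=0.6, annual_cost=10_000))
```

The point of the percentile is that an average alone understates what leadership is signing up for: a 0.5-events-per-year application with a fixed 100,000 loss has an expected annual loss of 50,000, but roughly one year in twenty costs 200,000. The control comparison gives the same audience a single number (net benefit or ROSI) to weigh against other spending, which is the decision the article says CRQ should enable.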

Don’t get left behind. Follow these tips to implement Cyber Risk Quantification into your business strategy and start communicating your cyber risk in financial terms to your key stakeholders! 

DJ Goldsworthy
About the Author

DJ Goldsworthy, CISM, CISSP, CRISC, SSCP, is Vice President and Global Practice Lead, Security Operations and Vulnerability Management at Aflac. He is responsible for driving the strategy for security operations, incident response, threat management, vulnerability management, security administration, application security and security engineering with a focus on global security practices, which include a Red Team based in Northern Ireland and the US, a global SOC operating in the US and Japan, and award-winning Threat Intelligence and Enterprise Vulnerability Management programs. For the past two years, Goldsworthy has been focused on securing digital transformation efforts centered on public cloud, DevSecOps and modern adaptive security architectures.