Improving the quality of cyber conversations in the boardroom
16 August 2018
SME boards all over the world are alive with conversations about cybersecurity. It’s something lots of directors are learning on the job - many are only just coming to terms with what is potentially the biggest danger to their prosperity.
Singapore lawyer Lyn Boxall explains how few local boards appear to be taking charge. “Two barriers often stand in their way. The first is fear (of being overwhelmed) and intimidation because it is a technical area that only a few are familiar with. The second is a lack of awareness and the head in the sand approach to risk management.”
1. Technology is only 1/3 of the problem
There’s a widespread problem with delegation and relegation of the cybersecurity issue. Without board engagement and sponsorship, technical teams don’t have the clout to achieve the whole piece – you can’t afford to think about cyber as ‘one for the techies’.
Instead, think of the risk like the “fire triangle” we learned at school.
Your cybersecurity triangle is a combination of your leadership, processes and technology.
With the fire triangle, lose one side and the fire will go out.
Remove one side of the cyber triangle and risk can burn through your business.
2. What does good look like?
The board’s optimal desired state is a high overall security level achieved with a low information security budget.
The good news is, Capgemini found there is no correlation between spend and information security maturity.
Capgemini says most secure companies have “above average maturity” in:
- security governance
- IT risk management
- awareness and expert training
- threat management
- network intrusion detection.
All these have elements of technology and process.
For example, network intrusion detection means nothing without a playbook to tackle it.
In the most mature organisations, the board is involved in designing the plays.
3. ABC: Always Bring Context…
Personalising the context helps engage the audience. For example, what would be the impact of a cyber-attack at a peak time of year, perhaps an umbrella distributor having the supply chain fail and missing the beginning of the rainy season?
Using examples like this - particularly when you can go on to graphically illustrate lost profits - can help raise alertness levels before anyone starts yawning.
Another way to contextualise for the board is to frame your efforts around what your competitors are doing. There are many benchmarking reports available; please ask us.
4. …but don’t be led by the headlines – play your own game
Conversations dominated by the latest headlines and horror stories are not productive, because your risk is your risk. Focus on what you can control, and don’t let headlines be the driver of your information security effort.
To avoid anxious circular discussions where nothing gets done, take a mindful approach: focus on what you can fix rather than worrying about what you can’t.
5. Don’t be a passive listener, be a hungry beginner
When Harvard Business Review asked board directors what duties they struggled with, “risk and security issues was the challenge they mentioned most” with concerns that boards are expected to oversee areas they don’t have much experience in.
This can result in ‘hiding’ in meetings.
Instead, directors should listen actively, and interrogate the plan, just as they would with any other company initiative. There are benefits to being a beginner, if you embrace it.
A beginner mentality can expedite creative solutions. By challenging limiting assumptions and entrenched views among more technically experienced team members, you can help them to rise to the challenge.
It’s a healthy form of communication that unites minds that work in different ways – so be a learner and proud of it.
6. Structured reporting and data visualisation
Talking about cyber risk can be like explaining the solar system to children.
Far too vast and complex to discuss without props. But set up a scale model with peas, apples and a beach ball strategically placed in an empty car park, and understanding starts to become clearer.
That’s why boards are best shown cyber risk management approaches in a visual, story-based way, using data visualisation tools to bring it all to life.
Remember, nothing focuses the mind quite like strong answers to specific questions.
Ask yourself: what are the big questions directors need to hear the story behind?
Here are a few to start you off.
1. Efficiency of resource usage
2. “Best fit” of security policy with the business strategy (and not “tools before jewels”)
3. What are the biggest personal risks?
7. Show the board they are part of the risk
As a board director, if your business were hacked, would it be your fault?
If you’re a director and you said no, 4 out of 10 of your fellow directors agree with you, according to bestselling leadership author Stewart Levine, writing in Forbes Magazine.
But the fact is that the board are just as likely to be culpable as anyone else.
Directors’ devices are likely to contain some of the most sensitive information. Plus, they’re likely to be among the busiest – and potentially the most stressed – which makes them a target for social engineering.
Let them know they are a potential D&O insurance claim waiting to happen; nothing gets people’s attention like feeling their livelihood could be affected.
Also, many countries are drafting laws to hold boards accountable for data breaches. It’s a matter of time before it happens locally to you.
8. This is not a drill (well, it is, but don’t tell the board that)
It’s becoming fashionable to simulate cyber attacks – without telling the board.
Show them how the business grinds to a halt in the event of a cyber incident.
It can be a useful trick to get real ongoing engagement from the exec team.
Seldom do humans unreservedly engage with the situation at hand: that’s why everything seems to go slow motion at moments of danger, like being in a car accident. It’s because our minds are making more memories.
Our natural capacity to engage and remember is heightened by stress, so if you really need to get the board’s attention, an exercise using a controlled simulation of a cyber-attack could be just the ticket.
9. Your people are your biggest liability
A business’ greatest asset is its people; they are also its biggest liability. Cyber insurance may be a grudge purchase for many, but the conversations you have with your broker will help you iron out the above issues.
Techies need to speak the board’s language, and the board needs to learn a little bit of the techies’ language, in order to know how best to lead.
When they’re fully engaged, board members have a lot to contribute.
Businesses of any size are unlikely to reach an impressive level of cybersecurity without board support. The required investment and strategic influence cannot come about any other way.
For more help having productive conversations on cyber, get in touch.