3 ways to speak the board’s language around cyber risk

Feb 05, 2021 | 4 mins

IT Governance | Risk Management | Security

Framing the cyber risk conversation in ways that resonate with the board will help close the chasm between cyber risk and enterprise objectives.

The days of a hopeless disconnect between security leaders and the board of directors have come to a close—at least for enterprises with a healthy risk posture. Digitally savvy or not, in today’s business environment, board directors largely recognize they need an understanding of how cybersecurity risk overlaps with enterprise risk and the board’s overarching governance responsibilities, and they at least need to be conversant in cyber risk and how it could impact the organization—financially, reputationally, legally, operationally, and otherwise. The more digital the business becomes, the more cybersecurity becomes an existential issue to address, impacting the competitiveness, continuity, reliability, and overall trust of the enterprise.

High-profile data breaches, ransomware attacks, and other existential crises brought on by cyberattacks in recent years have shattered the outdated notion that enterprise security is the IT team’s burden to bear, replacing it with an acknowledgement that cybersecurity is a board-level issue. Yet, according to a 2017 ISACA survey on tech governance, 87 percent of C-suite professionals and board members say they lack confidence in their company’s cybersecurity capabilities. This indicates that while most enterprise boards have come to appreciate their responsibility when it comes to cyber risk, a level of translation is still required to make cyber risk insights more digestible—and therefore more useful—for board directors.

Here are three tips for communicating cyber risk to the board.

Understand the board’s responsibility

Effective communication to the board regarding cyber risk requires CISOs to understand the board’s scope and its fiduciary responsibilities in the context of each business, as well as how technology enables the whole business ecosystem. When possible, security leaders are well served to enlist the support of enterprise risk management professionals, who are often best equipped to explain to board directors the operational and strategic risks that flow from cyber risk.

Present data in a familiar format

It is useful to present risk quantification through dashboards, illustrating metrics such as key performance indicators, key control indicators, and key risk indicators in categories such as data loss, data reliability, systems reliability, and fraud. This type of data enables boards to make informed decisions on considerations such as security budgets and the deployment of emerging technologies, drawing on relevant data and in the context of the organization’s risk appetite.

As noted in a recent ISACA white paper on the topic, “Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritized using quantitative measurement that is in a familiar format for executives. The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk.”

Know your benchmarks

There is another important way to speak the board’s language around cyber risk: frame the discussion in terms of how the organization is faring relative to industry peers. This conversation should go beyond highlighting prominent news stories about major hacks that might be affecting industry competitors, although those can certainly be useful in commanding the board’s attention. Specifically, there should be substantive conversations about how the maturity of the organization’s control measures compares to that of similar organizations and, if a deficit exists, what measures might be needed to close the gap.

Fortunately, we have largely moved beyond the hurdle of needing to convince boards of the importance of overseeing enterprise cyber risk. Today, the challenges security and risk teams face center more on finding the right amount of detail to share with the board and presenting it in a way that board members find incisive and actionable. If security teams are finding it hard to gain leadership’s buy-in, or are not receiving the big-picture guidance they need, it might be time to recalibrate how they are communicating cyber risk to the board.


Experienced leader and board member and an international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. Innovative thinker, with several international patents to his name, and a proven communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 chapters, serving more than 160,000 IT, cybersecurity, information security, audit, risk and compliance professionals in 180 countries. He has served ISACA as Chair of the Board for two consecutive terms (2015-2016 and 2016-2017) and as a director of the Board for nine terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to this role, he served there as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He has also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in information technology for 20 years; he holds 3 patents and 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.