At the recent 2022 FAIR Conference, a panel from both sides of the board table, including veteran corporate director and enterprise risk management authority James Lam and experienced board presenters, delivered many actionable tips on briefing the board – watch the video for the full flavor, but here are three bits of advice. They share an underlying truth: Cyber risk presented in business terms through risk quantification is the basis of a successful board presentation.
Communicating Cyber Risk to the Board and the Business: How Is It Changing?
Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM
James Lam, Board Director & ERM Author
Michael Meis, Associate CISO, The University of Kansas Health System
Evan Wheeler, Sr. Director, Technology Risk Management, Capital One
Left to right: Julian Meyrick, Evan Wheeler, Michael Meis, James Lam
1. Don’t make these three presentation mistakes
James Lam didn’t hold back on how CISOs can fall flat on their faces at a board presentation.
- Don’t do stupid. Directors are savvy businesspeople, often with a background in finance, and will likely see through a presentation on cyber risk that uses qualitative values displayed on a heat map or “silly math” performed on arbitrary numbers assigned to risk levels.
- Don’t do lazy by “describing risk as non-performance of a business objective,” such as availability of key systems. “I see this in 10-Ks all the time.” Downtime is not a risk – “the risk is the underlying conditions and variables that would lead to downtime.”
- Don’t do boring, such as giving progress reports on your objectives, particularly technical goals such as patching or advancing on a controls maturity model. “We don’t want to spend our time listening to how you spent your time. What we want to know is, are you doing your job effectively.”
2. Be seen as a business leader, not a security leader
Michael Meis lifted the curtain: Board members “don’t care about cybersecurity inherently and they are never going to…It’s a necessary evil.” So, refocus on what they do care about: business strategy. Make them “see you as a business leader instead of a security leader…FAIR provides some of that translation between the typical security metrics and financial modeling.”
More tips on positioning as a business strategist:
- You will likely present for just 10 to 15 minutes, so keep your slideshow down to a few slides: perhaps one on the threat environment, one on risks, and one on the outlook for the future and how it will affect the major strategic objectives of the organization.
- Don’t think of your occasional board meeting appearances as the extent of your board influence campaign. “A lot of board interaction needs to happen outside the boardroom,” Evan Wheeler said, “educating them, getting input on what they are interested in.” It also helps to understand the profile of the other organizations they are involved in, he advised.
3. Key deliverable: A risk appetite statement developed with your board.
The panelists agreed that a critical contribution the board can make is guiding development of a risk appetite statement: “What risk will the board accept in pursuance of business strategy” expressed in quantitative terms, said James Lam. Every key performance indicator in cybersecurity should be tracked against risk appetite or some other objective target.
Michael Meis recommended working with the business impact team as a starting point to “understand the key inflection points for the business” before presenting options to the board. Evan Wheeler warned that many organizations develop a risk appetite “at the end as opposed to the beginning.” It’s critical to work out risk appetite early on, as “understanding those ranges is really important for escalation.” James Lam agreed: “The CISO doesn’t make all the risk management decisions.” Consider, for example, a new patch that slows down a system’s performance. “What if the COO says no, we don’t want that. Who makes the risk acceptance decision?”