"Case Study: Reporting to the Board: What Got You Here, Won't Get You There," a presentation by Omar Khawaja, CISO at Highmark Health, at the recent 2018 FAIR Conference at Carnegie Mellon University was a master class in communicating risk to the board and the business. Omar was this year's winner of the FAIR Institute's Business Innovator Award for his ambitious and creative introduction of FAIR to Highmark.
Watch the "Reporting to the Board" video (a free FAIR Institute membership is required; join now).
With cybersecurity now top of mind for corporate boards, Omar's advice is timely. Among the tips discussed in the video:
- Boards trust the word of the National Association of Corporate Directors, so peg your reporting to the five principles of the NACD Director's Handbook on Cyber-Risk Oversight (which call for taking an enterprise-level view of information security).
- Have the confidence to answer “I don’t know” to board questions – but always follow up.
- Don't flood the board with cybersecurity metrics. "The point is to make them feel like it's being managed... All they need to know is 'Is it getting better or worse?'" Omar shows a chart with upward trends, including for staff training. "The next question becomes 'How do we know that's enough?'" He suggests comparing against benchmarks such as the FAIR Maturity Survey, which Jack Jones presented in his conference keynote.
- “Align your reporting to your organization’s maturity and culture.”
- Join at least one board yourself, to see how things look from the other side of the boardroom table.
Omar also appeared on the FAIR Conference panel "Bridging the Gap Between the CISO and the CIRO," with Dennis Cronin, the CRO at Highmark, for more discussion of reporting cyber risk analytics to the board.
See also: Jack Jones and James Lam on the NACD Blog, "Get the Right Cybersecurity Reports."