If you want to know what your board directors are hearing about cybersecurity, you’ll probably get a good idea from the research by the World Economic Forum, host of the Davos Conference, the global elite’s Black Hat. Good news: The WEF’s Global Security Outlook Report for 2023 finds improvement in communication on cybersecurity and risk.
The WEF survey found that “56% of security leaders now meet monthly or more often with their board. This is rapidly narrowing the cybersecurity perception gap.” The WEF also found an “increasing trend for chief information security officers (CISOs) to report directly to the chief executive officer.”
Awareness also grows among board members about their fiduciary duty to oversee how corporate leadership manages cybersecurity. The WEF writes, “In larger or regulated firms, this awareness has been helped by the interlocking committees that give several board members quite a bit of exposure to questions of digital transformation, information security, business continuity and cyber resilience.”
But wait. If communication is improving, why this result? “A third of all cyber leaders still ranked gaining leadership support as the most challenging aspect of managing cyber resilience.”
As the Global Security Outlook Report somewhat delicately puts it, “the questions they [board members] are asking about cybersecurity imply that they may not have fully grasped the effect of cyber risk on enterprise risk. In addition, many continue to struggle to determine which questions are best suited to assessing information provided by their cybersecurity teams and enabling informed and risk-based decisions.”
Here the WEF steps in with some welcome editorializing, citing its Principles for Board Governance of Cyber Risk, published last year.
“Security leaders should help their boards to understand the economic drivers and impact of cyber risk by
– Reporting cyber risk in financial, economic and operational terms, not just in technical terms
– Aligning cyber-risk management with business needs – by identifying how cyber-risk management and resilience help to meet business objectives.”
That’s not a story that can be told without quantifying cyber risk in financial terms. Factor Analysis of Information Risk (FAIR™) is the accepted model worldwide for cyber risk quantification. Learn more about FAIR for board reporting on cyber risk in these blog posts:
Video: How Boards Exercise Proper Cyber Risk Oversight – Tips for Directors from the FAIR Conference
3 Tips for a Successful CISO Board Presentation (FAIRCON22 Panel)
Reporting to the Board on Cyber Risk: 2 Charts to Tell Your Story