On 23 December 2015, the unscheduled power outage at three Ukrainian power companies changed the way we look at cybersecurity. It was a high-profile attack on Ukraine’s national infrastructure that caused widespread disruption to the supply of electricity to many customers.
“Although the frequency of an attack of this scale is low, it shows how an aggressive cybersecurity attack can seriously impact business operations – and customers,” says Rob McMillan, research director at Gartner. “Board-level reporting for cybersecurity and technology risk is becoming commonplace due to the severity these attacks can have on a business, but most organizations aren’t very good at it.”
By 2020, Gartner believes that the reporting of cybersecurity and technology risk to the board of directors will be required of all large enterprises, at least annually – an increase of 40% on today. Boards generally ask for security and risk management reports on the state of security as part of their fiduciary duty, not because they have a keen interest in cybersecurity.
McMillan continues: “They may not understand cybersecurity and risk, but they do care about the impact to the business, its customers and bottom-line revenue.”
Align security with the level of impact on business
It is likely that not all members of the board will have in-depth technical knowledge relating to cybersecurity. Put what has happened into terms that they can understand and relate it back to business decisions and outcomes.
Tell them what they need to know, what they have a legal obligation to be aware of, and reassure them that there is a process to ensure the management of material risks.
“You need to help them meet those obligations, but equally you don’t want to overplay the danger because you could undermine your own position,” McMillan says. “That will lead to the board losing confidence in you, or you’ll make enemies, which isn’t an effective way to go about fixing problems.”
What not to tell them
Unless an attack has the potential to disrupt the business and its operations, directors will not generally be interested. You do not need to report on every instance of malware that affects individual users but has no impact on business operations. If an attack could cause a serious impact to a core business process, they will need to be informed.
The board of directors will be focused on solutions and what is being done in response to an incident. Try not to evoke fear or panic and calmly reassure them that the response is being managed.
What to tell them
Most organizations experience incidents from time to time – acknowledge this to the board and reassure them that these incidents will be managed. What is important is that while you cannot avoid every potential attack, you can control how you prevent them and respond to them when they do happen.
Security and risk professionals should:
- Ensure the discussion is related to board-level decisions, not to matters relevant only to IT personnel or to decisions to be made by IT.
- Avoid naming and blaming – focus on what is happening and the plan to resolve it.
- See an incident as a potential opportunity to improve systems and detect problems, while recognizing that the need to protect the business must be balanced against the need to operate the business.
- Finish discussions with an “ask” of the board to engage members in the process.
How can ActZero help my organization manage cybersecurity risks?
ActZero can help you focus your team's energy where it matters most: protecting systems from unauthorized access and continuously testing your defenses. This helps you detect and respond more effectively than buying and implementing security products or patching programs alone.