Source: Mark Chaplin, Principal, ISF
22 Feb 2019

According to the McKinsey report The Board Perspective (March 2018) performance management and risk management represent almost a third of the time spent at board meetings. It is clear from this statistic that business executives require regular and up-to-date information on the progress of business operations and the steps being taken to manage risks to the enterprise.

For risks relating to information and technology, many IT and security professionals often struggle to establish an effective approach to communicating such risks. Whether it is reporting to the board or other senior audiences (such as the audit committee and risk committee), security professionals continue to look for the ultimate method of communication.

Success in risk reporting involves different stakeholders playing their part, including business leaders, who need to be prepared, informed and be able to make key decisions about cyber risk. As a result, it is essential that board directors, executive management and business owners clearly articulate their requirements for risk reporting, including the type of information, presentation format, reporting frequency and recommendations for mitigating risk.

Recent engagement with business executives and technology leaders has highlighted what senior audiences want and don’t want. With business executives’ attention span significantly challenged during a board meeting, CISOs reporting on cyber risk need to compete with many other agenda items, including corporate governance, strategy development, organisational planning, compliance and shareholder management.

Executive management (including the board of directors) need to be clear when expressing their requirements for cyber risk reporting. Here are a selection of recommendations for the board and for the CISO to help achieve effective cyber risk reporting.

What the board wants from the CISO

  • Alignment with business strategy (e.g. reporting in the context of the organisation’s main focus areas, such as major business projects, global operations, new markets or product and service offerings)
  • Two-way engagement (i.e. the CISO informs the board, explores options, provides recommendations, presents supporting information, accepts challenges from the board and gains approval for action)
  • Financially focused (providing accurate and meaningful information relating to cyber investment, losses from cyber-related incidents and forecasts regarding future cyber risks materialising over the next 12 months)
  • Clearly articulated cyber risks that are prioritised based on empirical data, sound analysis and demonstrable evidence
  • Key indicators covering important areas such as performance, risk and compliance (e.g. cyber resilience levels against agreed targets, the top 5 cyber risks and the extent to which data protection obligations are being met)

What the CISO needs to do

  • Proactively engage with the board, to identify and clarify key topics and areas of concern
  • Prepare material based on board expectations (i.e. the required approach to reporting and presentation)
  • Have supporting information available (e.g. cyber risk metrics, results of analysis and trend data based on historical information), in order to explore the breadth and depth of cyber risk
  • Remain business-focused (taking into account all other topics of importance to the board)
  • Set realistic expectations on delivering on agreed outcomes (including budget, resource and time requirements for cyber security-related projects)

Cyber risk reporting represents a key risk management activity. Organisations can access ISF resources that support effective management of cyber risk, such as the following:

  • Engaged Reporting
  • Reporting information risk
  • Aligning Information Risk Management with Operational Risk Management
  • Quantitative Techniques in Information Risk Analysis

For our full library of research and tools, click here. In addition, find podcasts on the latest cybersecurity hot topics in our Digital Media Centre.