The average cost for a data breach in the United States is $9.44 million – more than twice the global average of $4.35 million for such an incident. In the U.S. alone, nearly seven breach notices took place each business day in 2022.
If those numbers don’t concern board members, what will?
Data breaches make daily headlines. In January 2023, T-Mobile, MailChimp and Chick-fil-A were among the big brands that took a hit. But cyber criminals don’t discriminate according to size – small- to medium-sized businesses are at risk too.
Yet at many companies, boards of directors treat cybersecurity as a talking point and nothing more. Ensuring cybersecurity is taken seriously should be a board-level obligation, especially as data breaches increase in size, sophistication, frequency, cost and severity.
Here are five tips CISOs can use to help board members understand why talking the talk is not enough, and what it takes to walk the cybersecurity walk.
1. Explain the evolving threat landscape
Hackers have a unique mindset, and they don’t follow the rules. They are smart and adopt tech faster than most. These bad actors will worm their way into organizations any way they can – often through employees’ emails.
Therefore, hammer it in that cyber risk management should be an integral part of business strategy. It can’t be relegated to the IT team alone. Organizations – with their boards’ backing – must proactively adopt and implement cybersecurity readiness plans and defense measures.
2. Avoid tech talk – speak their language
It’s challenging for CISOs to communicate the value of investing in cybersecurity to the board. Sometimes, board members come from non-technical backgrounds and simply lack experience in the security arena. They may not have a clear picture of the relationship between cybersecurity and business health.
As such, avoid jargon and acronyms. Clearly convey how cybersecurity measures support company priorities and protect brand reputation. Don’t get into the weeds with too many technical details.
3. Use data and metrics
Since boards are concerned about finances, substitute tech talk with ROI. Use data that connects back to the business. Provide metrics centered on creating revenue, improving margins and mitigating risk – demonstrate how having strong security can be a competitive differentiator for the business.
While it can be challenging to quantify risk, consider building key risk metrics that can be measured and presented over time. Some cybersecurity leaders even use maturity models demonstrating quarterly trends and showing how their initiatives mature. Boards are often interested in seeing how the business compares to the industry. Having these metrics and reference models gives them a sense of where the business stacks up and where the gaps are.
4. Provide real-world examples
Password manager LastPass last year informed customers that their information was accessed during a security breach. A hacker accessed unencrypted subscriber account information such as LastPass usernames, company names, billing addresses, email addresses, IP addresses and phone numbers. When Twitter was hacked (again), it earned the dubious distinction of being the first major data breach of this year.
Bring incidents like these up to board members, then follow up and ask, “What would happen if we were the ones making the headlines? How many stakeholders and how much money would we lose?” Posing such questions brings the potential of a cyberattack much closer to home – even when the industries are vastly different.
5. Communicate consistently and frequently
Rather than wait for a board meeting, establish a regular cadence for reporting on cybersecurity. Explain what measures the security team has implemented company-wide: training employees on how to avoid phishing attacks, mandating that laptops used offsite are securely managed, and showing how spending X amount on cybersecurity software could potentially save the company X dollars on cyber insurance or on the next big incident.
As high-profile cyberattacks continue and escalate, the role of the CISO has become business-critical. And while winning over the board of directors might not be easy for CISOs, it’s doable. Start by using the five tips just covered.