Translating cyber risk to boards can be an onerous task. Nigel Hedges, CPA Australia’s Head of Information Security, provides his key recommendations.
Speaking to iTnews Digital Nation, Hedges outlines the important factors that IT leaders should consider when approaching the topic of cyber security with the board.
Firstly, he says, the conversation should always be framed in the context of the broader market.
“Don't go off script, be consistent with what's happening in the market,” says Hedges.
“Boards are often wanting to ask those questions or say, what happened to XYZ company? Could that happen to us? So, you've got some good information to go off, that's going to be consistent with other experiences or feedback they get elsewhere.”
Next, Hedges advises cutting down on technical jargon. Where it is really necessary, explain it and use relevant examples.
“We live and breathe this space, but the board don't. Cyber is just another form of risk that they're having to be familiar with. And so, finding if something's important enough that the jargon and the acronym needs to be explained, then do it. But do it in a very business sense, use analogies that would make sense to a business person.”
Hedges cautions against too much doom and gloom. Leave that to the vendors, he says.
“Definitely avoid any fear, uncertainty and doubt (FUD). It's easy to consume that stuff from vendors, because they will often still provide that FUD. Stick away from that.”
It’s best to be concise, he says. Hedges suggests using the “fifty-fifty rule”, where half of the allotted speaking time should be devoted to Q&A.
“If you get 20 minutes, then speak for 10 and allow 10 minutes for questions. If you get five minutes to speak, allow three minutes for questions,” he says.
Putting himself in a director’s shoes, Hedges says that strategy would be his key focus, ensuring that it is in direct alignment with the corporate objectives.
“You shouldn't be doing anything that's not relevant to supporting the business's objectives. So, I'd want to see that clearly upfront, that they've done that research. I'd want to see a plan, potentially a two to three year, maybe even longer, view of where we're going.”
And finally, Hedges says boards should test whether senior management is providing enough resources and has assessed where there may be gaps.
“It's easy to sort of calculate security resourcing based on the size of the organisation or the revenue as a revenue basis. But if the organisation's coming from a low base of security over a period of years, maybe five or 10 years of security hygiene issues, they should be asking for enough resources to play catch up. I'd want to see that they’ve thought about those things.”