Cover story: So, how is risk communicated?

Communicating cybersecurity risks within an organisation.

Earlier in the year, Digital Nation held its first 'Digital as Usual' event for 2024, bringing together board members, cyber security experts and C-suite level players to discuss various angles of the cyber experience across an organisation.

The 2020s have seen cybersecurity propelled from technical backrooms into Australia's boardrooms, and with that increased visibility has come a need to change how organisations talk about cyber issues.

The greater involvement of non-technical personnel in cyber, such as board directors who are taking a keener interest in strategy, or workers who are on the defensive frontlines, means new techniques are needed to communicate concepts that were once solely in the domain of technical specialists.

This need has been noted extensively across numerous reports, including by the Australian Institute of Company Directors in a 2023 article on the need for organisations to overcome common communication roadblocks.

And Gartner's 2020 report Optimize Risk, Value and Cost in Cybersecurity and Technology Risk recommended that CIOs seeking to optimise IT risk and corporate performance should 'sharpen their ability to understand and communicate a business context around technology and the business outcomes they support'.

But according to Helaine Leggat, a specialist cyber security lawyer and managing partner at the legal and cyber advisory firm ICTLC Australia, there is a significant gap between those organisations that are mature in their cyber communication abilities and those that are not.

"The mature ones have all sorts of programs and whole departments that manage these things," Leggat said.

"The little ones, frankly, don't know or don't care. We're still at that stage where they're very much fledgling."

Qualitative vs quantitative language

According to Jay Hira, a cyber security strategist and former enterprise CISO, mature organisations develop a means to communicate cyber risk in ways that translate readily to all stakeholders and demystify topics by stripping out the jargon and the fearmongering that has traditionally accompanied cyber storytelling.

"Businesses are starting to move away from qualitative ways of communicating cyber risk and the 'fear, uncertainty, and doubt' tactics, back to a more realistic communication that infuses quantitative language, and the universal language of dollar value," Hira said.

But it isn't just the cyber professionals who are changing their vocabulary; Hira says the same can also be said for other risk professionals. This is demonstrated by organisations stepping away from the categorisation of risk as 'high, medium, low' in favour of more clearly spelling out the numeric value of specific risks.

"Leaders understand the language of revenue and risk in monetary value, not technical details or technical jargon," Hira said.

Keep it simple, stupid

Given the complexity that can often accompany cyber risk, Hira says this process of simplification should also lead organisations to better prioritise their cyber strategies.

"We need to focus on the risks that could significantly impact the business and ensure we communicate these clearly without the overwhelming amount of detail," Hira said.

"It's about getting straight to the point. What are the risks? How much is the loss exposure? And what are the options on the table to mitigate these risks?

"I tend to distil information down to key risk indicators that matter most to the business. This could, for example, be a potential downtime, or it could be the financial implications or reputational impacts of a risk materialising."

Michael Bromley has a long history of assessing and communicating cyber risk through his prior experiences as CEO at AustCyber and Stone & Chalk and his current company director and investor roles.

As a company director, Bromley says he specifically avoids talking about the technical aspects of cyber risk, to ensure that everyone can be a part of the conversation.

Policy, procedure and behaviour

Even if non-technical directors could keep up with the technical jargon, Bromley says there would be little benefit in them doing so.

"The biggest issue in cybersecurity isn't the escalating tech war - it's policy, it's procedure, it's human behaviour," he said.

"Still 90-something percent of cyberattacks are social engineering, so it's really getting people to understand that cybersecurity is a whole-of-business threat, not a technology threat.

"The technology is the easy part, relatively speaking. Getting humans to change is the hard part, so if you're attacking it from a technology point of view, you're already behind the ball. It has to be a psychological and empathetical approach. You really need to talk to people about how to change the way the business runs so that it can be inclusive."

For Hira, the process of making cyber communication inclusive requires finding analogies that can be readily understood, and then using these to bring more complex concepts to life.

One example is network segmentation, which is a useful tool for stymying the progression of criminals after they have gained access to a network, but one that is not so easy to explain to non-technical board directors.

"If I was to secure funds for this, I would actually take them on the experience of walking into a hotel, where you present your identity and there's a validation of who you are," he said.

"But imagine the experience now that you get into the hotel, you can move around freely - you can go and live in any room. In this case, would you still continue to that hotel, which doesn't have locks on the doors?

"It's how we leverage real life scenarios and analogies to make concepts of cybersecurity really simple and easy that will enable us to connect with the board."

While the challenge of communicating cyber risk can be significant, Leggat believes it can be made simpler by remembering that communication is a function of human beings. Therefore, the needs and experience of people are what should be considered first when communicating cyber risk.

"Everything we are dealing with is about human beings - individual, natural persons," Leggat said.

"It is helpful to remember where we've come from. We had land, then sea, then air, then space, then cyber – domains that we've conquered and learned to work with.

"At the moment, there's too much focus on the cyber thing, and that cyber thing needs to be seen in the context of serving humanity."

© Digital Nation