Engaging the Board to Build Cyber Resilience by Eilish McGuinness.
Cybersecurity resilience is a critical concern for modern businesses, requiring a proactive approach to identifying and mitigating risks, as well as a robust incident response plan. While gaining board-level support for these initiatives has historically been a challenge, the tide is turning. In a recent study, 84% of CISOs reported alignment with board members on cybersecurity issues. In this blog post, I will share key strategies I have used to engage the board of management in building a cyber-resilient organisation.
Pick Your Board Advocate(s)
You do not need to convince the whole board, just get the advocate over the line and they will convince the rest. There are times where I like to have several advocates rather than just one.
Collaborate with Stakeholders
Cybersecurity is not just an IT issue; it affects the entire organisation. Collaborate with stakeholders from risk management, supply chain, compliance, and other relevant departments to build a comprehensive cybersecurity strategy. I always say that “compliance is your long-term partner,” highlighting the importance of ongoing collaboration with this department.
Be Realistic
Understand the organisation’s current cybersecurity posture and identify the most critical gaps. Prioritise initiatives that address the most significant risks and align with the organisation’s overall goals. As I always say, “you will not get everything, pick what is important.”
Keep It Simple and Clear
Avoid technical jargon and focus on the business impact of cybersecurity risks. Clearly articulate the benefits of a cyber-resilient organisation, such as protecting customer data, maintaining brand reputation, and ensuring business continuity. I advise you to “stay away from the jargon” and “focus on the bigger picture” and what is most relevant to the board. Perhaps there is a larger topic at play, and the board is more likely to support projects under that topic.
Talk About the Impacts
Highlight the potential negative consequences of a cyberattack, such as financial losses, regulatory fines, and reputational damage. Emphasise the board’s accountability for cybersecurity and the importance of proactive risk management. I suggest that you should “make it personal to them,” emphasising the board’s accountability and potential fines.
Bring in the Big Guns
Invite senior executives from the departments that generate the most revenue to speak to the board about their concerns regarding cybersecurity risks. Have them explain how a cyber-resilient organisation adds value. Risk management is often viewed as a cost centre, so it is crucial to involve those who generate revenue in these discussions. They can communicate effectively to the board because cybersecurity is essential for protecting the customer journey, ensuring business continuity, and ultimately safeguarding revenue streams and customer trust.
Do an Exercise
Conduct tabletop exercises or simulations to demonstrate the potential impact of a cyberattack and test the organisation’s incident response capabilities. This can help the board understand the importance of preparedness and identify areas for improvement. I advocate for using exercises to “bring it to life for people,” as it can highlight the organisation’s ability (or lack thereof) to manage a crisis.
Examples
Use real-world examples of cyberattacks and their consequences to illustrate the importance of cybersecurity resilience. Share case studies of organisations that successfully responded to cyberattacks and those that suffered significant losses. I suggest using examples that are relatable and highlight the impact on customers, staff, brand, products, and reputation. I also emphasise that you should “provide both good and bad incident response” examples.
By following these strategies, you can effectively engage the board of management in building a cyber-resilient organisation. Remember, cybersecurity is an ongoing process that requires continuous attention and investment. By working together, you can protect your organisation from the ever-evolving threat landscape.
About Eilish
Eilish is a results-driven global senior leader in Resilience and Transformation, delivering exceptional results whilst effecting organisational change. Eilish has held Director roles at Sky, Symantec and the Central Bank of Ireland, where she implemented award-winning programmes and evolved the board's approach to resilience. She is a brilliant operator, with a deep understanding of business need, and has a pragmatic, outcomes-focused approach to operational development.
Connect with Eilish on LinkedIn.