Councils and boards are becoming increasingly concerned with cybersecurity – and for good reason. In the ’21-’22 financial year, the ACSC received 13% more cybercrime reports than in the previous financial year. It’s safe to say that if your CISOs have yet to speak to your committee about cyber risk, now’s the time to start.
To help bridge the gap between cyber risks and business objectives, you need to first understand how to frame that important conversation. We’ve come up with some ways that can help you successfully guide that conversation and better protect your local community.
- Understand who you’re talking to
- Speak their language
- Lay out the risks
- Outline roles and responsibilities
- Refer to reputable frameworks
Understand Who You’re Talking To
Before walking into that meeting room, you’ll want to have a good understanding of the board members to whom you’ll be presenting. This takes a fair bit of preparation, including writing reports and rehearsing answers to potential questions.
If you can get connected to someone who regularly presents to the board members, you’ve made a good start. From here, try to figure out who exactly will be on the receiving end of your presentation, what their personalities are like, and the type of questions each member will generally ask.
Understanding who the board members are outside of their formal title will allow you to build a better rapport with them, establishing trust and potentially increasing the audience’s engagement.
Speak Their Language
Board members want to understand possible risk scenarios, how they have the potential to impact the business, and learn about risk management strategies – they just need to digest it in ways that are familiar to them. Don’t just focus on what you’ll present, but also on how you’ll present it.
You can do this by organising your data, using short storytelling to explain possible risk scenarios, creating graphs or charts to illustrate technical processes within your cyber strategies, and by avoiding tech jargon. With limited time to present, remember to jump straight to the point.
When your council members are well informed, they have what they need to make sound decisions about their cyber security stance.
Lay Out the Risks
Business leaders are increasingly recognising the importance of having a series of strong cyber security strategies in place. However, there are still many boards that have yet to act, putting everything they’ve worked for at great risk.
When it comes to talking to the latter, it’s important to lay out the facts plain and simple: Cyber risks have great potential to negatively impact any organisation.
The impact can be felt in an organisation’s:
- Finances
- Reputation
- Competitiveness
- Continuity
- Reliability
- Ability to operate
No business wants to find itself in this situation, especially when it has the potential to impact every area of operations.
Outline Roles & Responsibilities
From the outside, a cyber risk plan may look like a one-time process, but those in the tech world understand that it’s a complex, ever-evolving series of strategies. This needs to be communicated to the board.
A successful cyber risk presentation will document the various players involved along with expectations, responsibilities, and how it all comes together. Selecting a cyber champion is another excellent way to promote a cyber resilience culture and respond to common questions.
Refer to Reputable Frameworks
Lastly, demonstrate effective cyber security practices by referring to the Australian Cyber Security Centre’s Essential Eight framework. This risk management framework is an excellent blueprint that provides best practices for every business to implement, minimising the risks of data breaches. This yet again drives home the importance of cyber risk and how it’s highly recognised on a national level.
Want to learn more about the Essential Eight? Our article is here to help.
Where to From Here?
Talking to your board about cyber risk can sometimes be challenging. That said, the recent increase in cyber threats has created a greater willingness from those in charge to enhance their cyber security stance now, not later. Remember to focus on the business requirements and objectives, and on how having a proper security plan plays a critical role in reaching these goals.
From driving cyber awareness training to email threat detection, our cyber security solutions provide the right protection that your business and people deserve. Get in touch with one of our cybersecurity consultants today to start strengthening your defence.