How To Communicate Cyber Risk As A CIO
Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.
But today, that has changed. Cyber risk is something more executives are both aware of and informed about—and they expect to get ahead of any issues relating to cybersecurity. Similarly, investors expect to know about a company’s plan to protect itself and its customers or clients from cyber risk.
Below, we’ve highlighted the three most critical areas you should focus on in your cyber risk management process.
Communicating Cyber Risk To Your Investors
When investors look to purchase stock or shares of a company, they typically examine the corporate filings and investor presentation for details that will help them make an informed decision. While those documents contain a great deal of financial information, they should also provide a high-level overview of cyber risk as it pertains, for example, to privacy and data security.
When you create this information, be sure to focus on your tone. You’ll want to discuss the major risks in your area of business and how your organization looks at and measures them. Having a broad statement that describes why cybersecurity is important to your company will be impactful to investors.
Communicating Cyber Risk To Executive Management & The Board
Many of today’s CIOs and CISOs have stepped into the role of reporting cybersecurity to executive management and the board. Simply put, the board needs to understand where your organization stands in comparison to the rest of the market (including your industry peers, customers, suppliers, and similarly sized companies) and where you fit within these benchmarks. This arms the board with enough information to understand what changes need to be made and how much those changes will cost.
Communicating Cyber Risk Internally
Once the board has determined your cyber risk benchmarks and where you need to improve as a company, you can identify specific focus areas, initiatives, and projects. These need not be detailed; they could instead center on a particular theme. For example, those in your organization may decide, “We’re going to improve our information security so that no payment card information is unmasked.” This theme could then be communicated throughout the organization, and specific projects could branch off from it.
Whatever you do, keep communicating!
The simple fact is, many CIOs and CISOs do not properly communicate cyber risk. As a result, things fall through the cracks. When you focus on proper communication, investors are better equipped with information, board members have what they need to benchmark cyber risk, and team leaders can apply benchmarking data across the organization through projects and initiatives. When you consider all of these areas—and communicate properly to each of them—you’ll see a positive impact in how those associated with your organization see and consider cyber risk.