I remember one of my first Board presentations, where I was able to sit through the first few presentations by Legal and Finance. Discussions were about "expected climate regulations in South America expected to impact earnings by xx%" and "changes to banking regulations in Europe were expected to increase reliance on funding from the Caribbean, with a corresponding change in liquidity requirements." My presentation on "increased cyber risks in the industry this quarter" and the success of the cyber program was obviously misaligned.
An effective Board will include individuals with a variety of backgrounds and experiences. Collectively they have the awareness to manage financial, political, competitive and market risks, or whatever else may present a significant risk to the organization. Until recently, technology was not in a position to present a "significant risk." Ten years ago, if IT systems became unavailable, staff would simply go back to the manual processes. Now there is no manual fallback available: it takes too long, costs too much, and no one has performed a manual process in years. Loss of technology is now an existential risk for organizations, but how many Directors have the appropriate experience to advise on cyber risks? There is enough ransomware impact these days that ten years from now all Boards will have Directors with cyber risk experience. But it is a gap today.
The IANS State of the CISO 2024 Benchmark Report states that "85% of CISOs believe the board should offer clear guidance on organization's risk tolerance for them to act on [...] However, just 36% are being given this direction." This is because their Boards lack the understanding of the cyber risks they are expected to manage. CISOs need to understand cyber risks, but more importantly, they need to know how these risks affect the business. They then need to help their Boards quantify the risks so they can be prioritized appropriately. A Board will never understand "ransomware!!!!", but it will understand that invoicing will be unavailable for 90 days, or that manufacturing output will be reduced by 65% for 40 days. These are the types of scenarios they have considered in other contexts. Don't try to demystify technology and cybersecurity for the Board; explain the impacts to the business, which is the impact to shareholder value.