It’s not easy to communicate cybersecurity issues to a board of directors.
Boards of directors generally come from a non-IT background. 27% of first-time directors and 43% of experienced directors have been CEOs or COOs; 19% of newcomers and 11% of old hands were functional unit heads, and a similar split (11% and 7%) appears among former divisional heads. They’re used to the business of business. IT is only important to them when it’s not working, even though businesses rely on digital technology and robust cybersecurity processes that ensure it can function.
This is the wrong way of looking at it. Cybersecurity is a critical business issue, which impacts on operations, finance, brand perception – everything. But to make that clear to people without that knowledge you need a compelling brief that shows them how cyber threats affect the aspects of business they understand: the why, what and how of protecting what matters to them from the dangers you understand.
To show your board that cybersecurity is important, you need to make it relevant to their area of operations. The simplest, most direct, and most affecting way of doing that? Tell stories. Show them real-life examples of what a cyber breach does to an institution like yours, highlighting the knock-on effect a failure in cybersecurity has on businesses, livelihoods and reputations. Point to the impact of high-profile breaches in your industry – the physical, economic, psychological, reputational and social damage done to the companies involved. Look forward, too: if you’re in financial services, your directors may be aware of blockchain. If you’re in manufacturing, automation. What are the inherent threats in the areas your business is targeting for growth?
You can also present the advantages of great cybersecurity in the same way – by focusing on what it does for the areas of the business they know about. Yes, cybersecurity is a necessity. It’s also a selling point, a brand position, a marketable function of the business – it’s a way of proving you care about protection and privacy for your customers.
Directors’ understanding of cybersecurity is often based on something they learned when they first laid hands on a computer. Install your antivirus program, update it when you remember, use a password, and change it when you can be bothered. Hackers are just geeks in their bedrooms – no real threat at all.
That was then. This is now. Cybercrime is organised crime; it’s professional, frequently state-sponsored, and there are major consequences on the line. We have more connected devices than ever; we carry out more and more transactions online, and we share more and more sensitive data. There is so much more at stake, so much more to target and to protect; and there are compliance requirements for virtually every industry. Lean on those: make your warnings specific and relevant to your sector and your business. These requirements – the likes of GDPR – put the responsibility on the company to protect sensitive and personal data in the course of day-to-day business. It’s not just an IT problem – it’s a finance problem, and a legal problem, and an operations problem too.
Cybersecurity is now a boardroom issue, for the sake of the business as a whole. Directors need to know, at the very least, what kinds of attacks are out there. They don’t need to keep up with the latest news – that’s your job – but they need to know their DDoS from their malware so that you don’t need to explain every problem every time.
This is the part where directors need to understand what they can do.
Their role is to set the culture from the top. Directors need to ensure the CEO makes cybersecurity a priority, setting regular training and education for the workforce as a whole. Directors exist to keep tabs on the senior leadership team; they are the guardians of business performance who ensure best practice is being followed elsewhere.
They need to know the security tools, the processes, and the consequences of non-compliance in cybersecurity well enough to say “this is why we’re doing it” – and not “because IT says so, just go along with it.”
It’s their business, and it needs to be prepared. Every business will, sooner or later, experience some kind of cybersecurity breach. It’s important to prevent as many as possible, but it’s also important to show the authorities and your customers that the business is competent to process data and that you’re doing your best to prevent breaches.
Communication style – talking tech to the board
Write with the reader in mind.
This briefing can’t be a set of dry instructions. A technical manual might work for an IT crowd, but a briefing document is talking to people who aren’t interested and won’t follow the details. To grab their attention, you need to tell stories, present compelling information, and show the jeopardy facing your business in non-IT terms. How does the breach affect them?
This isn’t the place for technical details – you can afford to be superficial for the sake of clarity. Keep it simple, and have a clear takeaway, a solution to every problem you present. Here’s what malware is; here’s what you do about it. Two paragraphs. If you can illustrate a problem, do so: the mind sticks on infographics but slides off walls of text.
Cyber threats are enacted by people: the solutions are also human. You need great tech, but it doesn’t work on its own. If people in leadership positions don’t understand how to keep the business safe, nobody will; the loopholes will be left open, and the breach will be that much worse when it comes. The good news is, they can be encouraged to understand, as long as they’re briefed the right way: on their own terms.