Cyber security is a critical issue for organisations, and it is important for the Board and/or senior management to have a clear understanding of the organisation's cyber security posture and risk management strategies. The following are some steps that organisations can take to report cyber security to a senior group, such as the Board, executive committee or another overarching governance forum:
Use clear language: Use clear language when communicating with the Board and avoid technical jargon. Communicate cyber in terms of risks and impacts to the organisation's reputation, operations, and financial stability.
Tailor the report: Tailor the report to the Board, highlighting the risks and threats that are most relevant to the organisation and its industry. Understand the personalities of the Board members, what they will want to understand, and what they will challenge. Prepare for those challenges. If you don't know the answer, say you will find out and report back.
Express maturity clearly and concisely: Stating a single maturity score for cyber to the Board does not express the complexity of managing the breadth of the risks; likewise, giving them maturity scores against tens to hundreds of controls will not result in their understanding or buy-in.
Include metrics: Include relevant, important metrics. Using general metrics such as the number of unpatched systems does not provide a clear picture of the organisation's cyber security posture. Consider using a balanced scorecard or metric groups, such as "Exposure" and "Agility".
Provide recommendations: Provide recommendations for addressing cyber security risks and incidents, and for improving the organisation's overall cyber security posture.
Highlight compliance: Highlight compliance with relevant regulations, such as data protection and industry-relevant requirements, as well as any non-compliance and the actions taken to address it.
Regular reporting: Provide regular, timely and accurate reporting on cyber security risks and incidents to the Board.
It's important to note that the Board should be informed in a timely manner of any significant incident and that the report should be presented in a way that is easy to understand and actionable. Having regular and transparent reporting to the Board on cyber security risks and incidents allows the organisation to take a proactive approach to cyber security and to build trust with stakeholders.