Cyber Risk Quantification: How CISOs and CIOs Can Win the Board Meeting


Tony Scott

Last Updated

Nov 28, 2020

Quantification and management of cyber risk are big parts of the job for today’s security executives. Of course, successful cyber risk management is only possible with support from other parts of the organization: It’s critical to get buy-in from business leaders and board members so that you can get the green light to make needed cybersecurity investments and insurance decisions. To help you prepare for your next board meeting, I’ve put together some suggestions on how you can communicate about cyber risk quantification and cyber risk management to your non-technical colleagues — with the ultimate objective of having them embrace your proposals for risk reduction.

Keep it Simple

Successful collaboration between security execs and board members requires that you speak plainly about cyber risk and cyber risk management. Discuss what your organization does to protect against cyber risk, and provide a frank but friendly assessment of your company’s current standing. It’s not really about dumbing down your presentation, but more about communicating in a language that your audience understands. If your presentation has a lot of acronyms and trade language, it’s unlikely to resonate with non-technical execs and board members. In many cases, the presenter may assume that the audience knows a lot more than they actually know. In my experience, the best CISOs use good analogies to creatively reach out to the audience.

Practice Makes Perfect

One of my recommendations is to do a practice presentation with someone in the organization who is not a techie before the actual board meeting. It could be someone from marketing, sales, or even administration. You can then solicit feedback from that person to test the waters before you present in front of the board — this can help you determine whether the audience is able to comprehend the presentation. (Then, during the board meeting itself, pay close attention to questions that are asked after the presentation. This will help you understand how much of the information made it across the table. It’s a good sign when the board or the audit committee of the board says that they learned something they didn’t know or found the discussion useful.)

Provide the Right Context

Your organization can’t make cyber decisions out of context from other key business decisions. And, of course, business decisions will have an impact on your cyber decisions as well. So, context plays an important role in your discussion of cyber risk quantification and management.
  • Be careful about the decision you are asking the business owners to make. Are you presenting them with a problem — or a problem with possible options to address the problem?
  • Is your proposal realistic, actionable, and capable of being carried out by your team or someone in the organization?
  • Is it consistent with other business decisions that are being made?
To give you an example, when I was with Disney, we were shifting from the DVD business to streaming. With DVDs, we had to deal with the content being easily replicated and losing out on revenue. When the decision was made to shift to streaming and wind up the DVD business, we had to set up the IT infrastructure to support that. The focus earlier was on technology used to print the DVDs to ensure they were not duplicated. But now, we had to rely on content delivery networks and other distribution mechanisms that had very different risks associated with them. So, IT had to be a part of the new conversation to address these new risks. This is one example from my own experience of how it was necessary to make IT and risk decisions in parallel with business decisions.

Get More Insight on Cyber Risk Quantification

I recently led a webinar where we took a deep dive into all things cyber risk. In addition to discussing the art of communicating with your board, we covered how to:
  • Quantify cyber risk in dollars and cents terms
  • Determine the real ROI of cybersecurity investments
  • Justify security budget proposals and project prioritization
You can watch the on-demand recording by clicking here. I hope you enjoy it!

About the Author: Tony Scott is the former Federal CIO of the United States. He’s also served as the CIO at VMware, Microsoft, and Disney, and the CTO of General Motors.