Become a Partner
Already a partner ? Login
Program
Partner Program Overview
Designed to deliver unparalleled customer value and accelerated mutual growth by harnessing partner expertise and ColorTokens cybersecurity technology.
Learn More
Quantification and management of cyber risk are big parts of the job for today’s security executives. Of course, successful cyber risk management is only possible with support from other parts of the organization: It’s critical to get buy-in from business leaders and board members so that you can get the green light to make needed cybersecurity investments and insurance decisions.
To help you prepare for your next board meeting, I’ve put together some suggestions on how you can communicate about cyber risk quantification and cyber risk management to your non-technical colleagues — with the ultimate objective of having them embrace your proposals for risk reduction.
Keep it Simple
Successful collaboration between security execs and board members requires that you speak plainly about cyber risk and cyber risk management. Discuss what your organization does to protect against cyber risk, and provide a frank but friendly assessment of your company’s current standing. It’s not really about dumbing down your presentation, but more about communicating in a language that your audience understands. If your presentation has a lot of acronyms and trade language, it’s unlikely to resonate with non-technical execs and board members. In many cases, the presenter may assume that the audience knows a lot more than they actually know. In my experience, the best CISOs use good analogies to creatively reach out to the audience.Practice Makes Perfect
One of my recommendations is to do a practice presentation with someone in the organization who is not a techie before the actual board meeting. It could be someone from marketing, sales, or even administration. You can then solicit feedback from that person to test the waters before you present in front of the board — this can help you determine whether the audience is able to comprehend the presentation. (Then, during the board meeting itself, pay close attention to questions that are asked after the presentation. This will help you understand how much of the information made it across the table. It’s a good sign when the board or the audit committee of the board says that they learned something they didn’t know or found the discussion useful.)Provide the Right Context
Your organization can’t make cyber decisions out of context from other key business decisions. And, of course, business decisions will have an impact on your cyber decisions as well. So, context plays an important role in your discussion of cyber risk quantification and management.- Be careful about the decision you are asking the business owners to make. Are you presenting them with a problem — or a problem with possible options to address the problem?
- Is your proposal realistic, actionable, and capable of being carried out by your team or someone in the organization?
- Is it consistent with other business decisions that are being made?
Get More Insight on Cyber Risk Quantification
I recently led a webinar where we took a deep dive into all things cyber risk. In addition to discussing the art of communicating with your board, we covered how to:- Quantify cyber risk in dollars and cents terms
- Determine the real ROI of cybersecurity investments
- Justify security budget proposals and project prioritization
