
How to get Senior Management and the Board engaged with Cyber Security?

In this week’s blog post we have created an easy-to-follow guide to spark inspiration and conversations about cyber security in the board room, or with senior management. Although many organisations are starting to have the conversation, many businesses are still struggling to achieve effective senior management buy-in. This article aims to help build bridges and drive a healthy discussion about security with the board room.

Why Should the Board be Talking About Cyber Security?

The first step is to highlight why the board should be talking about cyber in the first place. The National Cyber Security Centre (NCSC) has a key area of focus on ensuring that board members and senior leaders recognise the importance of cyber resilience across their organisations.

The NCSC’s CEO Lindy Cameron said: “We believe that cyber security should have the same prominence as financial and legal matters, after all the consequences are the same.”

Any CEO or board member who is still asking why they should concern themselves with cybersecurity need only look at the numerous examples in the media of cyber attacks on organisations, not least those involving ransomware. The potentially devastating impact of such attacks on an organisation’s operations demonstrates why cybersecurity should matter to boards and senior leaders. 

It’s not just the money the organisation might be asked to pay in a ransomware attack to recover data. It’s also the lost business, the reputational damage, and the expense of investigating and recovering from the attack. The reality is that every year many millions of pounds are lost to opportunistic cybercriminals targeting organisations across all sectors, looking for weaknesses in their defences. 

This threat cannot simply be ignored or left to technical experts. The vast majority of attacks are still based on well-known techniques, such as phishing emails, which can be defended against. You can find out more about why cyber is more than an IT problem here.

With that being said, many businesses still find that their biggest challenge is senior leadership and board buy-in for cyber security projects. In many organisations there is a greater focus on its importance; however, budget constraints don’t allow for effective protection, senior leadership don’t support projects, and ultimately businesses are still at risk despite cyber being on the agenda.

It is no longer a question of ‘if a cyber-attack happens’; it is a question of when.

How Can You Inspire the Board?

The advice below will not suit every organisation and you should bear your specific requirements in mind; however, it does aim to give you a fresh perspective when taking cyber security to the board, and hopefully to help you see some critical wins in developing the importance of cyber within your organisation.

Understand Your Audience:

   – Highlight how cyber security impacts business operations, financials, and reputation.

Removing the technical element of cyber security is a great way to kick-start an effective conversation. It is easy to become wrapped up in the acronyms and technical jargon, but at its simplest cyber security is about risk mitigation and business continuity, two things that are always a high focus for any senior leadership team.

You are asking business leaders to speak your language; understanding their challenges and motivations will help you to build your business case.

Frame the Discussion:

   – Emphasising the relevance and urgency of cyber security.

Recent cyber incidents and their impact on other organisations are a great way to highlight the risks and consequences. If businesses in the same sector as you are being struck by attacks, you can almost guarantee an attacker is looking at your organisation too.

It is also important to note that cyber criminals are incredibly opportunistic. If your business has nothing in place to mitigate their advances, why wouldn’t they deploy ransomware? It could be an easy pay day for them, but a headache for your board room… especially when proactive measures can be taken to help prevent that outcome.

Business Impact:

   – Emphasise that cyber security is not just an IT concern but a strategic business imperative.

Linking cyber security to potential revenue loss, brand damage, legal consequences, and regulatory fines will help business leaders contextualise the potential impact of a cyber-attack and highlight the importance of an effective cyber security programme. Business leaders’ ultimate goal is to ensure business operations and profitability, two areas where a cyber-attack can have the biggest impact.

Risk Management:

   – Illustrate how cyber threats pose significant risks that can be mitigated.

Explain that a strong cyber security strategy reduces the likelihood of breaches and limits potential damages; entering the conversation with a solution is a great way to address any concerns. Business leaders are busy people, and highlighting that you have an effective strategy that you would value their input on is a great way to grow their interest.

We don’t want business leaders writing the cyber security strategy; we want them buying into it and understanding why the business needs it and why it matters. Having their input will help to ensure both.

Regulatory Compliance:

   – Highlight how non-compliance with data protection laws can result in severe penalties.

Compliance is a great way to get senior buy-in. Regulations often dictate the way businesses operate, and those focused on cyber security and data protection are no different. Where there is a clear set of rules that businesses need to follow, there are often established solutions for achieving them.

With many businesses we have seen the need to comply with the Data Protection Act turn into the desire to overhaul the business’s cyber security strategy and ensure greater protections and mitigations are put in place.

Competitive Advantage:

   – Explain that robust cybersecurity practices can enhance the company’s reputation and differentiate it from competitors.

Using examples of businesses that have gained a competitive edge by prioritising cyber security is a great way to do this. The supply chain has seen an increase in cyber threats, and as all businesses become more security focused, ensuring your business has protections in place is what will help you to succeed, so why not get ahead now?

Long-Term Vision:

   – Present a vision of the company as a cyber security leader in the industry.

Showcasing how investments in cyber security can enable growth and expansion is a great way to get business leaders’ attention.

Real-world Impact:

   – Share success stories of organisations that have prevented cyber-attacks or effectively managed breaches.

Explain how proactive cyber security measures saved them from significant financial and reputational damage.

ROI of Cybersecurity:

   – Discuss the return on investment (ROI) of cybersecurity initiatives, including cost savings from preventing breaches.

Showcase how a strong cyber security posture can attract investors and partners.

Board’s Role:

   – Clarify the board’s responsibilities in overseeing cyber security strategy and risk management.

Stress the importance of a collaborative approach between the board, executives, IT/security teams and the rest of the business. You are not asking them to focus on the day-to-day running, but to oversee the programme and ensure that the whole business understands the importance of a good security posture.

Collaborative Approach:

   – Emphasise that cyber security is a collective effort involving all employees, not just IT.

Suggesting regular training and awareness programmes to foster a security-conscious culture can help to ensure that everyone is on the same page and aware that they all have a responsibility to ensure the company’s cyber security programme is not hindered.

Actionable Steps:

   – Provide a roadmap for strengthening cybersecurity, including implementing best practices and investing in advanced technologies.

Propose regular cyber security updates and reporting to the board. This allows for more open discussions around the business’s cyber security requirements and helps to ensure that everyone is on the same page.

Q&A Preparation:

   – Anticipate potential questions or concerns the board might raise.

Preparing to address queries related to budget allocation, ROI, and the feasibility of proposed cyber security measures shows that, when you bring this conversation to light, you have thought about the business needs and challenges. Going to senior management with a solution to a problem they didn’t know they had is far more effective than going to them with just a problem.

Remember, the key is to present cyber security as a critical business issue, focusing on its impact on financials, reputation, and long-term growth. Tailor your approach to resonate with the board’s concerns and objectives. 

How can CyberCrowd help?

CyberCrowd help businesses of all sizes to contextualise the security risk to senior leadership, whether it is with a specific project, general training and awareness or highlighting the ever-growing risk to business success. 

Our consultants focus on the business-critical elements and how cyber security services can help lighten the workload and reduce overall operational risk. If you would like to hear more about how we could help your business strengthen its security posture, please get in touch.