This is a problem. Few do it well according to multiple studies and surveys.
I will set out the issue and then make a couple of suggestions.
The issue
In "Understanding the Business Risk that is Cyber, Advice for both business unit executives and InfoSec managers to bridge the gap", I shared:
As is pointed out in the World Economic Forum’s Global Cybersecurity Outlook 2023:
…cyber leaders still struggle to clearly articulate the risk that cyber issues pose to their organizations in a language that their business counterparts fully understand and can act upon. As a result, agreeing on how best to address cyber risk remains a challenge for organizational leaders.
In a 2019 survey conducted by the Ponemon Institute, only 9% of security teams felt that they were highly effective in communicating cyber security risks to their board of directors and C-suite colleagues.
It is not then surprising that PwC’s Overseeing Cyber Risk, the Board’s Role 2022, says that “Only 33% of directors say they think their board understands the company’s cybersecurity vulnerabilities very well”.
EY’s Global Board Risk Study 2021 found that “just 9% of boards declared themselves extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major…