How can you explain cyber risk to the board?
Two recent pieces attempt to help with this question:

Reporting Business Risk to the Board of Directors is an interview with the former chair of RSA Security, Art Coviello, a recognized expert on cybersecurity who has served as an advisor to government agencies.

The other is Raising cyber risk to the enterprise level by Elizabeth Case, Managing Director of Marsh’s US Cyber Practice.

They both have some useful things to say, but I doubt they will help board members understand the level of risk and what they need to do about it. The latter is the big question.

Coviello tells us:

Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board. They can, but the burden, in large part, is going to be on them.

The answer, which Coviello attempts in vain to explain, is to discuss the risk in business terms. Yes, it is a business risk. But the way Coviello talks about it doesn’t work for me.

He asks:

What are the risks to your assets? What is the risk to your operations? What is the risk to your good name? What is the risk to your revenue attainment?

Sorry, but that’s not enough and his “best practices” don’t…
