Introduction
Cybersecurity professionals are being asked increasingly to prepare materials for and give presentations to their enterprise board of directors. Communicating priorities to any board member requires understanding the board perspective on the subject that is being considered. This means recognizing that board members have an overall enterprise perspective that subsumes cybersecurity. Therefore, gaining attention (and being relevant to the board) requires placing cybersecurity concerns in the context of business objectives—cybersecurity practitioners need to learn how to speak the language of business.
This white paper lays out the landmarks that can be used to better understand how to adapt cybersecurity matters for consumption by professionals who are less knowledgeable about technology. The goal is to help cybersecurity professionals better understand the process of reporting technology risk to the board and to provide context for how to tailor their messages. This white paper provides an overview of the role and structure of boards, and information on presenting cybersecurity as a strategic risk, scenario analysis, risk economics, risk appetite, metrics and dashboards. These discussions help technology professionals to communicate cybersecurity risk in ways that businesses can understand.
Enterprise boards of directors need to understand how cybersecurity risk affects business objectives and board oversight responsibilities. Cybersecurity professionals have the knowledge that boards require but need to learn how to translate that information into business language that is useful to boards. This white paper helps risk and cybersecurity professionals to report cybersecurity risk in ways that their enterprise board of directors can understand, by providing an overview of board responsibilities and structure, a method to decompose high-level board concerns into technologically relevant (and measurable) risk scenarios, and information on cyberrisk economics.