Cybersecurity in the boardroom: Tips for communicating with the Board of Directors and gaining buy-in for your cybersecurity program
Chris Smith
Cybersecurity has become a key topic in the boardroom. This is evidenced by the increasing number of board members with cyber expertise, cyber committees, and CISOs who report directly to the board instead of the more traditional practice of reporting to the CIO or CEO.
Increasing cyberattacks aren't the only reason boards are taking a more active role. Boards are also concerned with pending SEC requirements. A proposed SEC rule would require public companies to report cyber incidents within four business days and outline companies' policies for responding. It would also require an annual report on corporate boards' cybersecurity expertise.
As such, boards of directors (BoDs) are now playing a more active role in cybersecurity governance. According to one study, 93% of BoDs are questioning their organization’s cyber defenses—a trend that shows no sign of reversing any time soon.
If you’re looking to align with your board to prioritize cybersecurity, you’ve come to the right place. Keep reading to learn more about why it’s critical to communicate with the BoD about cybersecurity and tips on how to have productive and engaging conversations.
Why is board buy-in critical for cybersecurity success?
Ultimately, boards are responsible for ensuring the organization they govern is on the right track. To do this, boards ask questions to pressure-test executive decisions and budgets.
“The board's job is not to run the company,” said Delinea CEO Art Gilliland in a recent 401 Access Denied podcast, Cybersecurity in the Boardroom. “Their job is to provide oversight and governance to make sure that we're thinking about risk in the right way and allocating our resources to manage it.”
If the board doesn’t understand or support your cybersecurity plan, you may not get the resources needed to keep your organization safe from threats. At the same time, the board won’t give you credit for your progress and hard work—potentially putting your job at risk.
How do boards think about cybersecurity?
Most board members believe they know the common cyber risks facing their organizations—like ransomware, phishing schemes, distributed denial of service (DDoS) attacks, and human error. However, attitudes and perceptions about how to address cybersecurity can vary depending on the size of the organization, its resources, and the potential financial and operational risk at stake should a cyberattack happen.
“For a smaller business, ceasing operations for a week or longer because of ransomware can kill the company,” Gilliland continues. “That’s definitely something that's on the minds of people that are not only running these companies but also governing them on boards.”
That said, boards often don’t have the cybersecurity expertise to advise on the best ways to address these risks. In fact, up to 90% of companies in the Russell 3000 lack even a single director with cyber expertise, according to a study by the CAP Group in February 2023 (published by the Forbes Technology Council).
Many BoDs view cybersecurity primarily in terms of compliance. According to a Delinea study, 33% of cybersecurity leaders say their board and C-suite understand the importance of cybersecurity, but only in terms of compliance and regulatory demands. That may be one reason creating more compliance reporting is a top priority for 25% of cybersecurity leaders.
Download our Global Survey of Cybersecurity Leaders to learn what else cybersecurity leaders had to say.
While compliance and regulatory requirements may get the board’s attention, IT and security leaders must also show them that cybersecurity best practices like Privileged Access Management (PAM) aren’t simply a check-the-box exercise. When the board doesn’t understand the true business impact of a cyberattack, it is less likely to invest in layered defenses—putting the organization at risk.
How do you strike a balance between cyber insurance and security?
Increasingly, boards are mandating that the organizations they govern transfer risk by obtaining cyber insurance. In a separate Delinea study, 33% of respondents claim they mainly applied for cyber insurance due to an executive or board requirement.
While cyber insurance can certainly help offset financial losses due to cyberattacks, it’s not a substitute for cybersecurity. Boards need to understand that cyber insurance and cybersecurity work hand-in-hand. Nearly 80% of companies with cyber insurance become victims of cybercrimes and use their policy, with half doing so multiple times.
Three keys to talking cyber with the board
Unfortunately, for some companies, getting the board’s attention and convincing them to devote critical resources to cybersecurity can be a struggle. Keep these tips in mind as you communicate with your board to address their questions and persuade decision-makers to approve investments and security practices.
1. Make cyber risk a regular discussion at the board level
The cyber threat landscape is constantly evolving, with new tactics and developments emerging daily. For proper governance, boards need regular dialogue and briefings with cybersecurity leaders and threat analysts. According to McKinsey, 95% of board committees discuss cyber and tech risks four times or more per year.
Whatever cadence of formal meetings you settle on, make sure cybersecurity stays top of mind between them.
2. Focus on outcomes and strategic business goals
Cybersecurity leaders must report on how their cybersecurity program contributes to strategic business goals, not only share technical updates and activities. This is key to aligning cybersecurity with the business.
When reporting the results of your cybersecurity program, highlight the cyber incidents you’ve prevented and the business benefits you’ve delivered, such as:
- Time saved by making the business and IT teams more efficient and productive
- Ensuring uptime to sustain operations and deliver services
- Meeting cyber insurance requirements and lowering premiums
- Supporting revenue growth with customers and partners
- Building trust with shareholders
3. Collaborate to align all stakeholders throughout the organization
At many organizations, there’s a big disconnect between BoDs, cybersecurity leaders, and rank-and-file workers. Taking active measures to improve communication throughout the entire organization and streamline cybersecurity planning can significantly reduce risks and improve your overall security posture.
Want to demystify what goes on in corporate boardrooms and make cybersecurity a top priority for all stakeholders? Then watch our video: Cybersecurity in the Boardroom.