Whiteboard Wednesday:

How to Talk to Your Board About Cybersecurity

July 25, 2018

In this week’s Whiteboard Wednesday, Scott King, Senior Director for Security Advisory Services at Rapid7, gives some tips and tricks on how to better communicate with the board and executive leaders of your company about cybersecurity. Learn the importance of defining, defending against, and remediating the potential incidents that can negatively affect your company’s KPIs, as well as helping the board manage risks effectively. Why? Executives are the most targeted and vulnerable audience for cyber attacks.

Video Transcript

Hi. My name is Scott King and I work for Rapid7. My role here is that I head up our strategic advisory consulting business. We often get requests from our customers to help them better communicate with their executive leaders as well as their board members. I'm here today to talk about a few areas that allow you to relate to those folks within your company and help make cybersecurity real for them.


First off, executive scams. Executives are one of the largest targets at every company that's out there. They often receive email phishes and other types of messages that are trying to elicit a response from them that would compromise themselves, their family, or your company. Talking to them about those scams, talking to them about the adversaries, what the adversaries are interested in, and how those could become real, helps make cybersecurity something that they care about, helps make cybersecurity something that they become passionate about, and ask you questions about.

Also, key performance indicators, or KPIs. Key performance indicators are typically used by business leaders to help understand how their business is performing. The same is true of cybersecurity KPIs. Producing metrics such as mean time to remediation of an incident helps show your senior leaders how fast you're able to recover from something that occurred within the company. And incidents do happen all the time. Your ability to find, detect, and remediate those as quickly as possible is a leading indicator of performance.
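The mean-time metrics mentioned above are easy to state but easy to get wrong in practice, so here is an added example (not code from Rapid7 or the video) that turns a small incident register into board-level KPIs. The incident records, the field names (`occurred`, `detected`, `remediated`, `severity`) and the KPI definitions are assumptions for illustration: MTTD is taken as the time from occurrence to detection and MTTR as the time from detection to remediation, with still-open incidents counted but excluded from MTTR rather than silently dropped or given a zero.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records for illustration (not data from the video).
# Timestamps are ISO-8601; "remediated" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-001", "severity": "high",   "occurred": "2018-04-02T08:00:00",
     "detected": "2018-04-02T14:00:00", "remediated": "2018-04-03T10:00:00"},
    {"id": "INC-002", "severity": "medium", "occurred": "2018-04-10T00:00:00",
     "detected": "2018-04-10T02:00:00", "remediated": "2018-04-10T06:00:00"},
    {"id": "INC-003", "severity": "high",   "occurred": "2018-05-01T12:00:00",
     "detected": "2018-05-02T12:00:00", "remediated": "2018-05-03T12:00:00"},
    {"id": "INC-004", "severity": "medium", "occurred": "2018-05-20T09:00:00",
     "detected": "2018-05-20T09:30:00", "remediated": None},
]


def _hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps (negative if end precedes start)."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def validate(incident):
    """Reject records whose timeline runs backwards; bad data silently skews a KPI."""
    if _hours_between(incident["occurred"], incident["detected"]) < 0:
        raise ValueError(f'{incident["id"]}: detected before it occurred')
    if incident["remediated"] is not None and \
            _hours_between(incident["detected"], incident["remediated"]) < 0:
        raise ValueError(f'{incident["id"]}: remediated before it was detected')
    return incident


def incident_kpis(incidents):
    """Summarise a list of incidents into board-level KPIs, in hours.

    Assumed definitions (conventions differ between teams, so state yours on the slide):
      MTTD = mean(occurred -> detected) over all incidents
      MTTR = mean(detected -> remediated) over closed incidents only
    Open incidents are reported as a count instead of distorting MTTR.
    """
    incidents = [validate(i) for i in incidents]
    closed = [i for i in incidents if i["remediated"] is not None]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(closed),
        "mttd_hours": mean(_hours_between(i["occurred"], i["detected"])
                           for i in incidents) if incidents else None,
        "mttr_hours": mean(_hours_between(i["detected"], i["remediated"])
                           for i in closed) if closed else None,
    }


def kpis_by_severity(incidents):
    """Same KPIs per severity, so slow handling of serious cases is not averaged away."""
    groups = {}
    for incident in incidents:
        groups.setdefault(incident["severity"], []).append(incident)
    return {sev: incident_kpis(group) for sev, group in sorted(groups.items())}


if __name__ == "__main__":
    print("overall:", incident_kpis(INCIDENTS))
    for sev, kpis in kpis_by_severity(INCIDENTS).items():
        print(sev, kpis)
```

Reporting the overall figure alongside the per-severity breakdown is deliberate: a fleet of quickly closed low-severity tickets can make the headline MTTR look healthy while the high-severity cases, the ones a board actually cares about, are trending the wrong way.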

Lastly, cyber risk management. All large companies should have an enterprise risk management program that focuses on business risks that could impact the company. Cyber risk is no different. Cyber risk is very cross-cutting and allows you to talk about risk at the board level in terms that they can relate to. Things like customer information breaches, which we hear about and read about in the news all the time, impacts to merger and acquisition strategies, financial disclosure documents: these are all risks that companies have, and you can talk about what you're doing to protect against them. When you're talking about cyber risk management, you also shouldn't always focus on the positive; you should focus, maybe more predominantly, on the challenges that you have, because board members and senior executives alike want to help you. They want you to be successful because your success equals the success of the company. If a company has a major breach, the company has a major problem. Your role in this is to help understand where those weak points are and to help the board and the executive leadership of your company manage those risks effectively.

Well, that's it for this week's Whiteboard Wednesday. We'll talk to you next time.
