<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Vendor Risk Management

How To Communicate Cyber Risk As A CIO

Kevin Roden | April 24, 2017

Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.

But today, that has changed. Cyber risk is something more executives are both aware of and informed about—and they expect to get ahead of any issues relating to cybersecurity. Similarly, investors expect to know about a company’s plan to protect itself and its customers or clients from cyber risk.

Below, we’ve highlighted the three most critical areas you should focus on in your cyber risk management process.

Communicating Cyber Risk To Your Investors Reporting-Cybersecurity-To-The-Board

When investors look to purchase stock or shares of a company, they typically examine the corporate filings and investor presentation for details that will help them make an informed decision. While those documents contain a great deal of financial information, they should also provide a high-level overview of cyber risk as it pertains, for example, to privacy and data security.

When you create this information, be sure to focus on your tone. You’ll want to discuss the major risks in your area of business and how your organization looks at and measures them. Having a broad statement that describes why cybersecurity is important to your company will be impactful to investors.

Communicating Cyber Risk To Executive Management & The Board

Many of today’s CIOs and CISOs have stepped into the role of reporting cybersecurity to executive management and the board. Simply put, the board needs to understand where your organization is at in comparison to the rest of the market (including your industry peers, customers, suppliers, and similarly-sized companies) and where you fit into these benchmarks. This arms the board with enough information to understand what changes need to be made and how much it will cost to make those changes.

See Also: What To Include In Your Cybersecurity Board Of Directors Presentation

Communicating Cyber Risk Internally

Once the board has determined your cyber risk benchmarks and where you need to improve as a company, you can identify specific focus areas, initiatives, and projects. These aren’t necessarily detailed, and they could instead focus on a particular theme. For example, those in your organization may decide, “We’re going to improve our information security so that no payment card information is unmasked.” This theme could then be unveiled throughout the organization, and specific projects could branch off from it.

Whatever you do, keep communicating!

The simple fact is, many CIOs and CISOs do not properly communicate cyber risk. As a result, things fall through the cracks. When you focus on proper communication, investors are better equipped with information, board members have what they need to benchmark cyber risk, and team leaders can apply benchmarking data across the organization through projects and initiatives. When you consider all of these areas—and communicate properly to each of them—you’ll see a positive impact in how those associated with your organization see and consider cyber risk.

New Call-to-action

Suggested Posts

Worthwhile TPRM Certifications for Security & Risk Professionals

As the importance of third-party risk management (TPRM) continues to grow, organizations are hiring for related roles more seriously than ever before. To compensate, security and risk professionals are seeking out certification programs in...

READ MORE »

Which Third-Party Risk Management Tools Do You Really Need?

With high-profile breaches being traced back to supply chain vulnerabilities and a regulatory environment that’s waking up to the realities of vendor risk, many organizations are investing heavily in third-party risk management (TPRM)...

READ MORE »

New Study: Organizations Struggle to Manage Cyber Risk in Their Supply Chains

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.

READ MORE »

Subscribe to get security news and updates in your inbox.