Vendor Risk Management

How To Communicate Cyber Risk As A CIO

Kevin Roden | April 24, 2017

Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.

But today, that has changed. Cyber risk is something more executives are both aware of and informed about—and they expect to get ahead of any issues relating to cybersecurity. Similarly, investors expect to know about a company’s plan to protect itself and its customers or clients from cyber risk.

Below, we’ve highlighted the three most critical areas you should focus on in your cyber risk management process.

Communicating Cyber Risk To Your Investors Reporting-Cybersecurity-To-The-Board

When investors look to purchase stock or shares of a company, they typically examine the corporate filings and investor presentation for details that will help them make an informed decision. While those documents contain a great deal of financial information, they should also provide a high-level overview of cyber risk as it pertains, for example, to privacy and data security.

When you create this information, be sure to focus on your tone. You’ll want to discuss the major risks in your area of business and how your organization looks at and measures them. Having a broad statement that describes why cybersecurity is important to your company will be impactful to investors.

Communicating Cyber Risk To Executive Management & The Board

Many of today’s CIOs and CISOs have stepped into the role of reporting cybersecurity to executive management and the board. Simply put, the board needs to understand where your organization is at in comparison to the rest of the market (including your industry peers, customers, suppliers, and similarly-sized companies) and where you fit into these benchmarks. This arms the board with enough information to understand what changes need to be made and how much it will cost to make those changes.

See Also: What To Include In Your Cybersecurity Board Of Directors Presentation

Communicating Cyber Risk Internally

Once the board has determined your cyber risk benchmarks and where you need to improve as a company, you can identify specific focus areas, initiatives, and projects. These aren’t necessarily detailed, and they could instead focus on a particular theme. For example, those in your organization may decide, “We’re going to improve our information security so that no payment card information is unmasked.” This theme could then be unveiled throughout the organization, and specific projects could branch off from it.

Whatever you do, keep communicating!

The simple fact is, many CIOs and CISOs do not properly communicate cyber risk. As a result, things fall through the cracks. When you focus on proper communication, investors are better equipped with information, board members have what they need to benchmark cyber risk, and team leaders can apply benchmarking data across the organization through projects and initiatives. When you consider all of these areas—and communicate properly to each of them—you’ll see a positive impact in how those associated with your organization see and consider cyber risk.

New Call-to-action

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to...


Guide: Fourth-Party Cyber Risk & Management

In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party...


Subscribe to get security news and updates in your inbox.