
How To Communicate Cyber Risk As A CIO

Kevin Roden | April 24, 2017

Five to ten years ago, communicating cyber risk wasn't just difficult, it was downright rare. CISOs and CIOs were almost never asked to report cybersecurity metrics to anyone except their direct supervisors.

Today that has changed. More executives are aware of and informed about cyber risk, and they expect to get ahead of cybersecurity issues rather than react to them. Investors, likewise, expect to know how a company plans to protect itself and its customers or clients from cyber risk.

Below, we highlight the three audiences you should focus on in your cyber risk communication process: investors, executive management and the board, and your own organization.

Communicating Cyber Risk To Your Investors

When investors consider buying a company's stock, they typically examine its corporate filings and investor presentations for details that help them make an informed decision. Those documents contain a great deal of financial information, but they should also provide a high-level overview of cyber risk as it pertains, for example, to privacy and data security.

When you write this material, pay attention to tone. Describe the major cyber risks in your line of business and how your organization identifies and measures them. A clear, high-level statement of why cybersecurity matters to your company will resonate with investors.

Communicating Cyber Risk To Executive Management & The Board

Many of today's CIOs and CISOs have taken on the role of reporting on cybersecurity to executive management and the board. Simply put, the board needs to understand where your organization stands relative to the rest of the market (your industry peers, customers, suppliers, and similarly sized companies) and how you measure against those benchmarks. This gives the board enough information to understand what changes need to be made and what those changes will cost.


Communicating Cyber Risk Internally

Once the board has reviewed your cyber risk benchmarks and determined where the company needs to improve, you can identify specific focus areas, initiatives, and projects. These need not be detailed at first; they can center on a theme. For example, your organization might decide, "We're going to improve our information security so that payment card information is never left unmasked." That theme can then be rolled out across the organization, with specific projects branching off from it.

Whatever you do, keep communicating!

The simple fact is that many CIOs and CISOs do not communicate cyber risk well, and as a result things fall through the cracks. When you communicate properly, investors are better informed, board members have what they need to benchmark cyber risk, and team leaders can apply that benchmarking data across the organization through projects and initiatives. Address all three audiences, communicating to each in the way it needs, and you will see a positive change in how everyone associated with your organization sees and weighs cyber risk.

