How To Communicate Cyber Risk As A CIO

Kevin Roden | April 24, 2017 | tag: Vendor Risk Management

Five to 10 years ago, communicating cyber risk wasn’t just difficult—it was downright rare. CISOs and CIOs were almost never asked to report metrics on cybersecurity to anyone except their direct supervisors.

But today, that has changed. Cyber risk is something more executives are both aware of and informed about—and they expect to get ahead of any issues relating to cybersecurity. Similarly, investors expect to know about a company’s plan to protect itself and its customers or clients from cyber risk.

Below, we’ve highlighted the three most critical areas you should focus on in your cyber risk management process.

Communicating Cyber Risk To Your Investors Reporting-Cybersecurity-To-The-Board

When investors look to purchase stock or shares of a company, they typically examine the corporate filings and investor presentation for details that will help them make an informed decision. While those documents contain a great deal of financial information, they should also provide a high-level overview of cyber risk as it pertains, for example, to privacy and data security.

When you create this information, be sure to focus on your tone. You’ll want to discuss the major risks in your area of business and how your organization looks at and measures them. Having a broad statement that describes why cybersecurity is important to your company will be impactful to investors.

Communicating Cyber Risk To Executive Management & The Board

Many of today’s CIOs and CISOs have stepped into the role of reporting cybersecurity to executive management and the board. Simply put, the board needs to understand where your organization is at in comparison to the rest of the market (including your industry peers, customers, suppliers, and similarly-sized companies) and where you fit into these benchmarks. This arms the board with enough information to understand what changes need to be made and how much it will cost to make those changes.

See Also: What To Include In Your Cybersecurity Board Of Directors Presentation

Communicating Cyber Risk Internally

Once the board has determined your cyber risk benchmarks and where you need to improve as a company, you can identify specific focus areas, initiatives, and projects. These aren’t necessarily detailed, and they could instead focus on a particular theme. For example, those in your organization may decide, “We’re going to improve our information security so that no payment card information is unmasked.” This theme could then be unveiled throughout the organization, and specific projects could branch off from it.

Whatever you do, keep communicating!

The simple fact is, many CIOs and CISOs do not properly communicate cyber risk. As a result, things fall through the cracks. When you focus on proper communication, investors are better equipped with information, board members have what they need to benchmark cyber risk, and team leaders can apply benchmarking data across the organization through projects and initiatives. When you consider all of these areas—and communicate properly to each of them—you’ll see a positive impact in how those associated with your organization see and consider cyber risk.

CISOs Guide To Reporting to the Board

Suggested Posts

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring...


5 Best Practices for Conducting Cyber Security Assessments

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.


5 Tips to Improve Cyber Security Monitoring of Your Vendors

What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by...


Get the Weekly Cybersecurity Newsletter.