
Is Your Cyber Security Communication Strategy Effective?

Brian Thomas | September 21, 2020

One of the more challenging aspects of third-party risk management is effectively communicating risk. The risks posed by vendors are often highly technical, and it can be tempting to simply put together a slide or a list to review with business owners, executives or board members. But this often becomes an obstacle to buy-in, because few people in that audience have the expertise to understand what those risks mean.

Here are a few ways that a well-built risk summary can help you enable the business, reduce risk in your third-party risk program, and create operational efficiencies that save your program time and cost and let it scale to meet the demands of the business.

Know Your Audience

The list of stakeholders that should be involved in cybersecurity conversations can include senior leadership, board members, business partners, and at times your investors. Each stakeholder may have a different level of understanding of cybersecurity, so you can't always discuss your program and metrics in the terms you are used to. Senior leaders make the decisions on headcount and budgeting for TPRM teams, so finding simple and effective communication techniques that work for your leadership group is important to make sure your team receives the resources it needs.

Where Miscommunication Leads To Gaps

When you work in third-party risk every day, it is easy to forget how confusing security metrics can seem to others. TPRM leaders often rely too heavily on technical terms and jargon when presenting their security data to the board, which leads to frustration. If the security team doesn't pay attention to this, it creates a divide between the team and the very leaders it hopes to gain support and resources from.

How To Fix Miscommunication

So how can cybersecurity professionals avoid the negative impacts of miscommunication when interacting with company stakeholders? By stepping back from the detailed specifics of how their cybersecurity efforts are performing, TPRM leaders can connect their team's initiatives back to how those initiatives affect the organization's goals as a whole.

Provide The Right Context

As mentioned briefly before, the contextual details behind the information you present to the board are key to ensuring that the information is understood and applied correctly in the decision-making process. It can be helpful to include contextual information such as:

  • How a vendor ranks compared to an industry average, instead of bare vendor security scores with nothing to compare them against.
  • Details of the company policy on the minimum scores allowed for your vendors. It helps to show where your vendors, especially the most critical ones, fall relative to where the company requires them to be.
  • Whether a dip in a vendor's score is consistent with their historical performance or is an anomaly.
  • A general, high-level overview of what actually occurs during the malicious activity in question, which sets the scene for what caused a vendor's score to dip. Be careful to avoid overusing cybersecurity jargon that will confuse those not familiar with third-party risk analysis.

Advance Your Business With Tactical Reasoning

It can be even more effective to take this one step further and break the report down at a tactical level. Showing the risk associated with a vendor's security in terms of the specific ways malicious activity could take place gives a more comprehensive and realistic picture of the path a malicious actor could take. This is particularly important when seeking board support for vendor changes or renegotiating business contracts. When you need efficient approvals, laying out in plain language the tactical steps behind each decision results in faster engagement from the board and lets you maintain a productive TPRM program.

Take The Strategic Approach

The board will also care about the strategic advantage vendors bring to your company, and specifically about whether partnering with a vendor will positively or negatively affect the cybersecurity posture of your vendor portfolio. Being able to communicate portfolio risk to the board and senior leadership helps justify decisions, such as when the security team wants to rethink vendor strategy. This matters in today's changing environment, where companies have to evolve their third-party risk processes in order to stay protected from malicious actors.

Want to learn how you can use risk communication as part of your overall strategy to make your vendor lifecycle more efficient?

Download our guide to find out.

3 Ways to Make Your Vendor Lifecycle More Efficient
