Cyber Risk Communication Strategies for Boards


  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO

    Sometimes 3 Minutes is All You Get… What are you going to say in those 3 minutes? In many Board meetings, 57 plus minutes of the 60-minute meeting is focused on financial data… Who generally goes last? In my experience, it’s the CISO… So, I’ll ask again -> What are you going to say in those precious 3 minutes? How do you make the most of this incredibly short time? Here’s my approach –

    Be Concise and Clear. I start with a clear & compelling headline that captures my main point. AVOID jargon and acronyms, and speak plainly. ->Example – “We barely missed a major security incident last week that could have caused a $5M disruption to our widget workflow, and we need your attention and your help…”

    Prioritize Key Messages. I identify the 1 key message that I want to convey. ->Example – “The near-miss incident involved a critical third-party vendor…”

    Never Underestimate Preparation – But Remain Flexible. Have a plan but be ready to pivot based on the Board’s reactions and questions. READ THE ROOM! …Avoid overwhelming them with data.

    End with a Call to Action. Clearly state what is needed from them - approval, support, resources - and then focus on action. Be crystal clear on the ask or the decision needed from them. ->Example – “We need $200K for a tool that will help us better evaluate critical 3rd parties and mitigate millions of dollars in risk…any objections?” HINT-> Use "we", not "I". We're all in the risk boat together...

    Don’t Forget the Follow-Up. I typically send a BRIEF bullet point email summarizing key points and next steps. This reinforces my message and provides a reference.

    It's NOT about the quantity of time, but the quality & clarity of your communication. Would love to hear your experiences and tips on this topic! #ciso #board #security #cybersecurity #riskmanagement

  • Khwaja Shaik

    Board Director ♦ IBM CTO ♦ Making Purpose Real Through Board Excellence ♦ Digital Transformation, AI & Cybersecurity Expert

    The Allianz Life breach just handed every CISO a boardroom playbook 📋 1.4 million customers affected. Third-party CRM compromised. Social engineering attack. Sound familiar? Here's what I'm telling boards TODAY:

    🎯 Stop playing vendor roulette. Your risk surface isn't your infrastructure—it's your entire ecosystem. That "low-risk" CRM vendor? They just became your biggest liability.

    🧠 The human firewall is broken. Social engineering works because we're human. Your employees aren't the weakest link—they're being weaponized against you. Train accordingly.

    ⚡ Governance isn't optional anymore. Board members are thrust into cyber decisions they don't understand. Clear oversight responsibility and communication protocols aren't nice-to-haves—they're survival tools.

    🔗 Everything is connected (including your problems). Remember CrowdStrike? Systemic risk doesn't need hackers—just interdependence. Digital transformation drives revenue, but it also amplifies risk across your entire business.

    💼 The SEC raised the stakes. New Form 8-K Item 1.05 = 4 business days to disclose material cyber incidents. No more "we're investigating" delays. Boards now face immediate financial and reputational consequences. Translation: Every breach is now a potential #stock price event. Every board conversation about #cyber #risk just became a fiduciary duty discussion.

    The bottom line: Boards that understand cyber governance will thrive. Those that don't will become case studies. Your move, #leadership team. 👑

    How is your board handling third-party cyber risk? #CEO #KSgems #KhwajasTake #Cybersecurity #BoardroomLeadership #ThirdPartyRisk #CISO

  • Interesting article by The Wall Street Journal's James Rundle and Kim Nash about crisis communications during and following a serious cyber incident. From my experience, secure, compliant, and resilient organizations are always ready for their CEO to honestly and unequivocally communicate the following facts about their enterprise cyber risk management (ECRM) program:

    · Our board has been and is proactively engaged in ECRM.
    · Our board has adopted and communicated strong governance principles which require a risk-based (not checklist-based) approach to ECRM.
    · Our Executive Team is responsible and accountable for ECRM, and we have formed a cross-functional team of leaders across the organization to execute our ECRM strategy.
    · We have adopted the NIST Cybersecurity Framework (a non-proprietary, open framework) and use it as the basis for our ECRM program.
    · We have implemented the internationally recognized NIST process for ECRM (NIST Special Publication 800-39 and NIST Special Publication 800-37).
    · We regularly engage with our liability insurance brokers to inform our risk transfer and retention decisions.
    · To ensure progress and continuous process improvement of our ECRM program, we monitor all changes in our program, measure our program maturity annually, and execute continuous improvement plans.
    · Recognizing the dynamic nature of cyber risks, we conduct ongoing cyber risk and opportunity assessments.
    · We execute risk management and opportunity leverage plans to ensure maximum business value and competitive advantage is gained from our ECRM program.

    Is your organization ready to communicate all the above items about your ECRM program? #riskmanagement #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors https://lnkd.in/gt6yzXWn

  • Jen Easterly

    Leader | Speaker | Advisor | Operating at the Nexus of Cybersecurity, AI, & Innovation

    In an article last year for Foreign Affairs Magazine (https://lnkd.in/ggFTEU3z) on how to catalyze a sustainable approach to cybersecurity, Eric Goldstein & I emphasized that in every business the responsibility for cybersecurity must be elevated from the IT department to the CEO and the Board. As we noted, the trend is moving in the right direction: In a survey conducted by NACD (National Association of Corporate Directors), 79% of public company directors indicated that their Board’s understanding of cyber risk had significantly improved over the past two years. The same study, however, found that only 64% believed their Board’s understanding of cyber risk was strong enough that they could provide effective oversight.

    To improve those numbers, CEOs & Boards must take ownership of cyber risk as a matter of good governance. This is largely a cultural change: where cybersecurity is considered a niche IT issue, accountability will inevitably fall on the CISO; when cybersecurity is considered a core business risk, it will be owned by the CEO and Board.

    Recognizing that Board members in particular have special power to drive a culture of "Corporate Cyber Responsibility," I asked my Advisory Committee to make recommendations on how to advance such a culture. The effort, led by Dave DeWalt, highlighted several key points: Board members should be continuously educated on cyber risk, with cybersecurity considerations appropriately prioritized in every business and technology decision, and decisions to accept cyber risk scrutinized and revisited often. Boards should also ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; “near misses” should be reported along with successful intrusion attempts, as much can be learned from them. In addition, Boards should ensure that adequate long-term security investments are available to address the safety consequences of antiquated technology with new investments focused on technology that is #SecureByDesign. Finally, Board members should ensure that CISOs have the influence & resources necessary to make essential decisions on cybersecurity, with decisions to prioritize profits over security made both rarely and transparently.

    The Committee also recommended developing a Cybersecurity Academy for Board Directors & set about establishing a pilot program, which was held yesterday at the U.S. Secret Service Training Center (https://lnkd.in/eVSzP_sx). Huge thanks to my teammate Kimberly C. for her partnership, as well as the awesome Ron Green for driving this effort with Dave & Katherine Hennessey Gronberg, and the great NACD team, led by Peter Gleason. Am super grateful to the Board Directors who participated in this inaugural effort and look forward to their feedback so we can further scale the program.
