When it comes to alerting C-suite executives about cyber-risk, IT and security professionals are still doing a terrible job, bogged down in technical jargon and a lack of business context.
According to Auriga Consulting, the problem starts with the monopolization of the risk management function by IT and security consultants. In a survey of large and medium-sized businesses in the UK, only 19.4 percent reported board-level ownership of cyber risk, and only 16.6 percent placed cyber risk in the top five entries on their risk register, despite the severity of the consequences when a cyber risk materializes.
This means that communication from the IT team to the board is essential in ensuring that risk is understood, managed and acted upon effectively. Compounding the problem is poor knowledge transfer (especially the aforementioned use of jargon, acronyms and buzzwords). The resulting misinterpretation of risk endangers the decision-making process and, ultimately, future economic development.
Instead, the firm said, risk should be treated as a strategic dynamic process, with a dialogue created and maintained with the board where risk is regularly assessed and adjusted.
To bridge the knowledge gap, risk should be couched in business terms that lay out risk as a strategy, with business impact analyses, projection forecasts and outcomes, and with repercussions explained. It should also be referenced to people and processes within the organization to provide a business context and not just a technological one.
The desire to protect existing processes or budgets can add bias to the perception of risk, so any discussion should be supported by an education program that aims to improve the board’s cyber awareness now and in the long term.
“I have not met one business leader who isn’t highly educated and knowledgeable about risk management and the threat cyber poses to their businesses,” said Jamal Elmellas, technical director at Auriga. “It’s the specialists who lack the ability to translate cyber and its risks into business language that the leaders can understand and see value in. Translating cyber threats into corporate risk management and business-enabling remediation is a skill set only few are able to achieve.”