Bridging the Gap Between IT & Leadership: Communicating Cyber Risk to the Board

We’ve all been there: technical teams talking in acronyms, execs focused on KPIs, and somehow the real risks never make it to the right ears. In cyber security, that disconnect can cost more than confusion. It can lead to business repercussions including reputational damage, operational downtime, financial ramifications and overworked IT teams.

In the UK, 86% of directors identify cyber attacks as the most critical cyber risk they face. (Willis, a WTW business)

Departmental Silos Explained:

Whilst no two organisations are identical, there are a lot of similarities when it comes to structure, operations and culture. One aspect we have seen time and time again, unfortunately, is departmental silos.

If you’ve never heard of this term before, we’ve created a simple diagram showing exactly what departmental silos are and the problems they cause when it comes to cyber security.

Depending on the size and structure of your organisation, and specifically in smaller businesses, the responsibilities of the risk and compliance silo are often shared out across different departments and roles, as there is rarely a dedicated risk and compliance role.

35.93% of organisations say the Board or CEO drives their cyber risk strategy, whilst only 20.22% of IT departments say they are involved. (Willis, a WTW business)

Explaining the Cyber Security Void

The void is an ominous name, and rightly so: problems in these five areas can lead to negative consequences.

  • Visibility: Throughout our services, resources and blogs, we talk a lot about visibility, because it is such a critical component of cyber security. It can take just one security gap to completely devastate your business. Have a look at these two examples: our recent British Library blog, and the 160-year-old haulage firm that was put out of business by a cyber-attack. As someone recently said to us, “We don’t know what you don’t know”. Each silo has different visibility, so in a lot of cases ‘siloed decision-making’ is occurring without acknowledging the full picture.
  • Maximising Existing Investment: When it comes to ROI and cyber security, a range of problems become apparent. In some cases, organisations have invested in cutting-edge toolsets but have not spent the time optimising and configuring them. On the other hand, depending on cyber maturity, some organisations do not know which areas or tools to invest in. As the cyber security industry is so crowded, it can be hard for organisations to make strategic decisions. By taking a holistic approach, many organisations could make far better use of the vendors and tools already in their tech stack, whilst simplifying management.
  • Specialist Resource: Unfortunately, there are no silver-bullet solutions when it comes to cyber security, and a lot of organisations cannot afford all the specialist resources. A comprehensive security team covers a range of specialisms and expertise, from networking and patching to SOC analysis. There is no formally approved professional body for these individuals in the UK, or indeed in any country, which creates further problems. If one person is managing security, it is not fair to expect them to know all of these specialisms. Whilst not a silver bullet, it is worth taking into account that one service or solution can often plug multiple gaps. By adopting a holistic approach and assessing all your resources, you can work out which risks and security gaps should be your priority and plan the next steps.
  • Complacency: When it comes to silos, a lot can be taken for granted, leading to complacency: for example, executives expecting IT to know everything about cyber security, or risk and compliance professionals taking the answers given in annual pen tests, compliance questionnaires or audits at face value. So many aspects are taken for granted because of the lack of communication and over-reliance between departments.
  • Assurance: Assurance goes hand in hand with the point above, complacency. Commonly, organisations aren’t open to changing processes or how ‘things have been done’ over time. We often hear that there are “roles, processes and procedures in place”, but who is actually checking them? Rather than taking each department’s word for it, assurance means fully understanding each department’s processes and making sure obligations are being met. In the case of cyber security, the truth is that everyone is responsible for it, but it has to be driven from the top to become part of the business culture.

Tips to Bridge the Gaps Between IT and Leadership

You’re probably wondering what you can do to help overcome these challenges and reduce the void in your organisation. We’ve put together six tips to bridge the gap between IT & leadership:

1) Set Clear Boundaries: In a lot of cases, IT teams are put under a lot of pressure: leadership and other departments expect them to know everything about technology, including the highly specialised area of cyber security. By fully understanding what skill sets, expertise and resources you have internally, plus your current risk posture, you can start to identify what is feasible at your current capacity. At this point, you can start to have clear discussions about the pace of cyber maturity you are able to work at.

2) Focus on Targeted Training and Workshops: Whilst it is reported that 72% say cyber security is a high priority for board members, most of these leaders will have expertise in other specialisms, not cyber security. This is why we run sessions for board members with our customers, organising regular briefings, tabletop exercises, workshops and roundtable discussions. Initially, these sessions provide education and open communication between members, to understand their current security knowledge and risk appetite. With this understanding, you can then move on to the evolving threat landscape, emerging cyber trends and strategic cyber defences.

63% of organisations cited a complex and evolving threat landscape as their greatest challenge to becoming cyber resilient. (World Economic Forum)

3) Adopt an Integrated Risk Management Approach: When the organisation’s risk appetite and security awareness are understood by all parties, joint risk assessments and strategy sessions can be carried out going forward. Involving both technical experts and board members in these discussions builds a collective understanding of cyber threats and aligns responses. Establish routine reporting formats in which both board members and cyber security teams can share insights. Scheduled updates demystify cyber risk by making it a recurring topic on the executive agenda rather than an occasional alarm.

4) Visibility is Important for All: Just ‘knowing’ everything is okay isn’t good enough; all parties need a deeper understanding of the risks and how to treat them. As seen in the British Library cyber attack report, one of the lessons they learnt from their experience is to “Maintain a holistic overview of cyber-risk”: larger operational IT risks were disclosed to the board, but low-level yet potentially compounding risks were not, and this likely helped the attackers move laterally through the network. Decision-making needs to be collaborative. This helps with budgeting for specialised resources, services and tools, as everyone will understand the benefits and where improvements are needed.

5) Create a Strategic Roadmap: Framing cyber security updates in a real-world context helps members grasp the urgency and relevance of cyber risk management while making informed, data-driven decisions. Set recommended improvements in line with your attitude to risk and set SMART objectives (specific, measurable, achievable, relevant, and time-bound), agreeing a risk remediation strategy that takes into account corporate objectives, attitude to risk and practical / technical considerations.

6) Reduce False Assurances: It’s often easier to rely on false assurances in the name of an organisation’s profit growth and fast-paced culture, but this is not the way forward. Risk and compliance, IT, executives and other departments must all stop taking each other for granted. There must be open communication, and questions must be asked from all sides. By working closely together, security can be strengthened. For example, for Cyber Essentials, IT needs to work closely with Risk and Compliance to make sure all questions are answered correctly and to manage which improvements are needed and by when.

Continuous Real-World Cyber Risk Assurance

If you are committed to bridging the gap between IT and leadership but need further assistance, Data Connect can help.

We have helped many organisations in this way with vSOC Assure, our comprehensive Cyber Risk Management service. Benefit from the best of both worlds, with access to our powerful vSOC Connect Console and assistance from our expert cyber security team, including our vCISOs. Our service involves all the important parties: the Board, Risk and Compliance, and IT. By working with IT, we explore your challenges and security aspirations, deciding on the best methods and the most practical way to continually reduce your risk exposure. By taking our holistic approach, you’ll become more aware of complex security threats and have confidence in your operations.

Arrange your introductory call today to find out more
