Talking to the board about cyber security by engaging each stakeholder

The Chief Executive Officer (CEO)

The CEO has a lot of influence on how the rest of the board and wider business embrace security, so it is important to ensure the CEO is brought in to help foster a security culture. You can focus discussions with the CEO on the potential impact that security incidents could have on brand reputation, customer trust, revenue loss and risk management. This will help them to understand the business impact of cyber breaches. Once they understand this, you can offer recommendations on effective security strategies and help executive communications to cascade priorities across business units.

The Chief Financial Officer (CFO)

Your CFO is responsible for businesses expenditure as well as business profit, therefore they will have input in the budget allocation for cyber security. They’ll naturally be more interested in proposed investment vs incident response expenses (downtime, overtime pay for incident response teams & PR for reputation repair). It will help to outline options with cost-benefit comparisons and industry data points or case study examples where security programs, or lack thereof, demonstrate a huge business expense. If you’re up against the ‘but we have cyber insurance’ stance, you can share benchmark data on cyber premiums and demonstrate how robust security controls can help to not only minimise spend, but better protect the organisation against cyber threats.

The Chief Information Officer/ Chief Technical Officer (CIO / CTO)

The CIO/CTO plays a vital part in the cyber security discussion because they understand the technical side of things. These thought leaders can provide valuable insights into not only vulnerabilities and emerging risks, but also the tech stack used in the business and the impact of any new security protocols on current development. This person will be able to influence the adoption of secure by design and help to embed a security culture within development and product. It will therefore be beneficial to understand where they could foresee any stumbling blocks in the implementation of your security strategy.

The Chief Marketing Officer (CMO)

The CMO is responsible for overseeing the company’s marketing initiatives which will likely include customer and sales data that could be sensitive if breached. They are involved in conversations when it comes to the implementation of security measures to protect this data, manage access controls and permissions, as well as establishing protocols when sharing data with third party marketing tools and agencies. When speaking to the CMO make it clear that any marketing content and campaigns need to comply with data protection regulations to avoid violations from improper data collection or use, and how important this is for the brand-customer relationship. Share case studies about companies that faced big losses because their security got breached. You want to demonstrate how good cyber security supports marketing initiatives.

The Board Chair / Lead Director

The board chair/lead director is responsible for setting the tone at the top for transparency, accountability and alignment across all critical areas of the business. They will ensure that the organisation is adhering to compliance rules and that cyber security is receiving appropriate executive attention and strategic consideration. To get them on board you need to frame the conversation through a corporate governance, fiduciary duty and risk oversight lens. You should discuss regular schedules and timelines for security reporting, tabletop testing and preparedness but also educate them on the requirements for compliance such as GDPR, PCI DSS, ISO 27001 and HIPPA. This will help shape goals for overseeing the organisations cyber readiness as well as actions and deadlines needed for risk assessments, audits, insurance, breach disclosures and the need to stay up-to-date with current threats.

Tips for addressing the full board

When presenting to the entire board and C-Suite, keep these tips in mind:

• Simplify explanations and avoid technical jargon. Analogies and metaphors are a good way to help people understand complex security concepts.
• Back up key points with credible third-party data and statistics. This lends validity and highlights that threats are industry-wide, not theoretical.
• Spotlight recent cyber incidents at competitor firms to make the risk tangible and real. These examples demonstrate that no company is immune.
• Emphasise cyber security is about managing risk, not eliminating it altogether. A sound strategy reduces risks to accepted levels.
• Offer options with cost-benefit analysis tied to business objectives. This enables insightful discussions on priorities, trade-offs and budget.
• Share improvement recommendations that target specific security gaps or vulnerabilities uncovered during assessments.
• Provide clear metrics, reports, and scorecards to continuously measure security posture over time.
• Solicit advice from board members given their expertise in governance, risk management, brand reputation, finances, and operations.
• Welcome tough questions and alternative perspectives. This ensures all aspects are weighed when making cyber security decisions.