Communication from the cybersecurity department to the board should be tailored to the board's expertise and context – and should not use jargon.
Speaking at the NCSC CyberUK Conference in Manchester, Joanna Place, deputy governor and chief operating officer at the Bank of England, said that “security is no different from other areas of expertise in terms of talking to the board.” This covers how much is being spent, what the risks are, whether the actions taken are proportionate, whether the right skills are in place and what the context of the issue is.
Place said that the role of the cyber expert is two-fold: to understand the threats and mitigate them, and also to communicate that in language the board can understand. “Your job as cyber experts is to tell the board what they need to know, not just answer the questions that they have,” Place added.
“You also need to be understood by each member of your business. If all of the knowledge and expertise resides with the cyber experts only, your business will be very vulnerable, so you need to be a cyber expert and a cyber translator.”
Place said that the board may not be cyber experts, but they want assurance about what is being done to manage cyber-risks. “If they cannot understand what you are saying, they may think that you cannot communicate very well, but they may think that you don’t understand your subject and that will give them cause for concern.”
She also advised speaking the language of risk that the board will understand, using examples that make sense and “making sure they know what they need to know.”
Place also encouraged consideration of how boards receive information, and delivering that in a suitable format. She said that the Bank of England has “cyber translators” and she called on cyber experts to be cyber translators so that “everyone in the business can understand the security risks.”
In conclusion, Place told cyber experts to “take the board on the cybersecurity journey with you,” and give them assurance that you can articulate your knowledge.
“Know your subject, understand the business context and know the audience to whom you are speaking. Get the board and every employee to understand information security and their role in it. By sharing your knowledge you are going to reduce the risk your business faces and you’re going to become a much more effective cyber expert.”