By 2014, 80 per cent of IT security executives will be required to report risk issues to their board of directors, according to a Gartner security analyst speaking at the Gartner Security & Risk Management Summit in Sydney this week. So how can you make sure the board is listening?
Chris Budge, Divisional Manager, Professional, Executive & Financial – Specialty, Jardine Lloyd Thompson, said: “It’s the same with communicating to boards about any issue – not just cyber issues. If it will cost them money, you will get their attention.”
Budge adds: “You need to be factual but straight to the point. Scenarios can help – explain to boards ‘if this were to happen to you, would you be covered for it under your policy?’ This can help to break it down into more understandable concepts instead of getting caught up in insurance jargon. Risk managers tend to speak their own language – try to keep it simple.”
Tips on presenting risks
• Steer clear of any technical language and focus on what it means.
• You have 10 minutes with the board. Use it wisely. Focus on what it means for them. They don't need to know everything. Focus on key problems and solutions. Use your business' language as much as possible.
• Show facts and solutions, not just words: demonstrate where you have actually made a difference.
• Make communication relate to the board personally: everyone uses PDAs and mobiles. Create recommendations for the humans on the board and their families, for example to use social media responsibly.
• Don’t forget charisma, political savvy and personal presence in these situations. Any professional, security or otherwise, who wishes to communicate to vast audiences needs to undertake significant personal executive coaching, particularly to make use of their 10 minutes with the board.