Auriga Consulting Ltd (Auriga) recently warned that cyber risk continues to be poorly communicated to C-suite executives. The monopolisation of the risk management function by IT and security consultants, and poor knowledge transfer through the use of jargon, acronyms and buzzwords, are frustrating efforts to move risk into the boardroom. This misinterpretation of risk endangers the decision-making process and, ultimately, future economic development. To counter this, Auriga recommends that risk be treated as a strategic, dynamic process, with a dialogue created and maintained with the board, risk regularly assessed, and the risk register adjusted accordingly.
Communication from the IT team to the board is essential to ensuring risk is understood, managed and acted upon effectively. According to a recent survey of large and medium-sized businesses in the UK, board-level ownership of cyber risk stands at just 19.4 percent, and only 16.6 percent place cyber risk in the top five on the risk register, despite the severity of the consequences should a cyber risk materialise. To overcome obstacles in communication, risk needs to be:
· Couched in business terms that lay out risk as a strategy, with business impact analyses, projection forecasts and outcomes, and with repercussions explained;
· Referenced to people and processes within the organisation to provide a business context and not just a technological one;
· Appraised without self-censorship, such as the desire to protect existing processes or budgets, as a bias could affect the perception of risk;
· Supported by an education program which aims to improve the board’s cyber awareness now and in the long term.
In a recent interview with The Telegraph Business Leaders, Louise T. Dunne, Managing Director at Auriga, states: “there is a knowledge gap when it comes to translating cyber risk into business language for business leaders… but a third party can help bridge that gap. Developing an in-house capability, looking at what you need, how you are going to deliver it and doing a sanity check to see if what they are delivering is appropriate and is going to provide you with the defense you need can take you away from your core business. And that’s where a third party comes in, because they are focused on and offer undiluted risk management expertise, enabling them to communicate threats relevant to your business.”
Jamal Elmellas, Technical Director at Auriga, adds: “I have not met one business leader that isn’t highly educated and knowledgeable about risk management and the threat cyber poses to their businesses. It’s the specialists who lack the ability to translate cyber and its risks into business language that the leaders can understand and see value in. Translating cyber threats into corporate risk management and business-enabling remediation is a skill set only a few are able to achieve.”
To see the full interview with The Telegraph Business Leaders please go to: http://business-reporter.co.uk/video/finance/bridging-the-cyber-divide/
For further advice on communicating risk management to the board see: http://www.aurigaconsulting.com/management-systems.php
GCHQ also provides further guidance on Board Level Responsibility and how to adopt an enterprise-wide information risk management regime: https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-a-board-level-responsibility