How Wesfarmers Industrial & Safety Report Cybersecurity to the Board

As businesses become more digitally empowered with increasingly remote workforces, cyber threats find new ways to breach defenses, increasing the risk to business operations and the bottom line.


We spoke to Daminda Kumara, Head of Cyber Security and Risk, and Carmen Rusman, Head of Technology, Strategic Sourcing, at Wesfarmers Industrial & Safety to uncover three practical tips that have helped elevate cybersecurity to a boardroom conversation.


1. It’s not about how well programs are working; it’s how well risk is being managed.


Boards oversee risk, not operations. Daminda, who reports up to the Wesfarmers board quarterly, shared, “Rather than tell them how your cybersecurity program works, show them how (or how well) the risk is being managed.”


From loss of revenue and intellectual property to legal liability and reputational damage, including the cost to resolve, boards of directors bear the ultimate responsibility for the risks associated with a breach. To execute their due diligence, they rely on their organization’s cybersecurity leader to help them understand two things: What are the risks to the business, and how well is the company managing those risks?


To help convey risk management up to the board, Wesfarmers uses a NIST framework to showcase progress and performance. “We aim to simplify our message in two forms: visually, with a traffic light assessment and numerically, with a percentage measurement, against each KPI. This way we can showcase how effectively risk is being managed and quickly highlight how we will get from red to green.”


2. Connect the dots between Cyber Risk and Commercial Risk.


“At the end of the day, cyber risk is business risk.” For Daminda, a key strategy for highlighting business risk is through storytelling. “If you talk to the board about a ..