Business leaders and cyber experts can defeat online threats – but only if they work together

Against a backdrop of escalating geopolitical tensions, the rise of hybrid working and the demand from employees to stay connected anytime, anywhere, organizations are facing a particularly challenging task in managing their cyber risks.

For banks, this means that the traditional three lines of defence model of risk management is coming under as much pressure as it ever has: The first line means the Chief Information Security Officer (CISO) owns and manages risk; the second line means the Chief Information Security Risk Officer (CISRO) provides challenge and oversight; and the third line offers independent assurance. Given the interconnectedness of the financial sector, and its status as a target for threat actors, it is critical that we continually seek to enhance our resilience and ensure the sustainability of our controls.

Engagement between the chairman of the board and the CISRO is thus important, as the latter needs to provide confidence to the former that the organization is appropriately managing its cyber risk. Despite its rising importance, however, many board directors still find cybersecurity a complex topic that sits outside of their experiences. Honest and regular communication between the two can help bridge this gap.

CISROs and their leadership teams can help by storytelling: breaking down complicated cybersecurity concepts into bite-sized updates, such as providing governance papers and briefing notes that convey the relevance to the business of risk reduction initiatives or regulatory changes.

Inherent in cybersecurity is a certain level of technicality and complexity, but it is crucial that cyber leaders communicate with impact and influence, and harness the ability to translate the technical into the understandable, so that board directors are able to question with insight and perform their role more effectively.

There are practical steps to help nudge governance committee members into engaging more effectively with cyber risk. For example, creating repeatable templates that can be used for paper submissions; developing headline messages that can be amended and updated for each session; and also asking questions in plain English: “What went well?”, “What could have gone better?” and “What are the business implications?”

Though this can be a challenge for those immersed in directly addressing complex technical challenges in the business, providing this strategic view allows board members to use their experience as business leaders to interrogate cyber using knowledge from other risk types.

To enable boards to ask stretching, hard-hitting questions, tailored awareness sessions can allow them to effectively understand business implications, risk appetite metrics and risk reduction goals. And while internal expertise will produce business relevant materials and scenarios, insights from external sources – whether industry round tables, or an expert “cyber advisor” – are crucial for maintaining knowledge of best practice and norms.

Aligned to the refreshed WEF’s Principles for Board Governance of Cyber Risk, Standard Chartered has in recent years made use of a regular internal forum for board directors to undertake guided discussions on topical aspects of cyber risk. Creating an environment in which the key stakeholders across the three lines of defence are present and in which all questions are welcomed, and facilitated by an experienced cyber expert, the forum has proved an effective way to build board expertise, complemented by a broader array of engagement and awareness activity.

A blended approach is taken to these programmes: strategic and long-term rather than reactive in outlook, focusing on broader technological and business-relevant developments while also referencing recent high-profile breaches or incidents in the sector and third parties, which are often already on the radar of board members.

Outside of these formal interactions, cyber leaders must be thoughtful and conscious leaders in the business, and push to create a cyber-aware culture within the organization.

A strong culture allows senior business leaders to move away from merely “setting the tone from the top”, instead inculcating a cyber risk-conscious mindset to a receptive organization that no longer needs to be persuaded of the importance of cybersecurity. This helps to naturally build cyber risk into daily thinking and actions. Embedding this way of thinking from the bottom up, complementing the top-down messaging, will bolster the cyber resilience of organizations in the long-term.

Ultimately, it is important that a constructive, challenging relationship exists. For the CISRO, communication to the board needs to be transparent, tailored and translatable. Achievements and failures must be described in an accurate and balanced, business-focused way. Reports to the board must be tailored for the specific forum and context; and reports should offer the “So what?”, linking risks to the overall goals of the business. For banks and those in the financial services sector, ensuring the regulatory angle is well-covered is also key.

For the chair, the key is to approach the topic with curiosity. This ability helps continue the honest conversation, build understanding of cyber concepts and focus areas, whilst pushing cyber teams to remain committed to appropriately managing the risk. Bringing all of this together should be a compelling strategic vision for cybersecurity, which will set both the long-term direction and short-term priorities for the organization. The chair and CISRO can then ensure that this is aligned to business needs, positioning cybersecurity as integral to future success.

'Widespread cybercrime and cyber insecurity' is one of the top 10 global threats, as per the Global Risks Report 2023. Read the report for more details.