When it comes to the complexity of cyber security, keep it simple

John Powell

Principal Security Consultant


I started my career in IT over 30 years ago. While much has changed in that time, I’m still benefitting from things I learned in those early days.

One of my first observations was how my managers spoke in highly technical language when talking to senior executives. It didn’t take me long to realise that we weren’t communicating as effectively as we could be – occasionally to our detriment.

The foundation of any respectful, beneficial relationship is to connect in a way where each party is heard and understood. IT risk management can be complex, but the language around it shouldn’t be.

Heightening stakes

Cyber security has become a major focus area for Boards, and the stakes for them in terms of their decision making in this area are getting higher due to tougher government legislation and rising expectations from customers, partners, and the public.

However, to get the Board’s buy-in, its members need to understand what they are investing in and what the deliverables are.

Working with other business units such as legal and accounting, I rely on three core components to guide boardrooms ethically and effectively:

  • The right legal structures and advice to operate within the law
  • The right financial structures and advice to deliver shareholder equity and remain a going concern
  • The right cyber security structures and advice to protect the information being held

Simplification of language is a key enabler in communicating this and ensuring responsibilities are being met.

Assume nothing when it comes to the level of security knowledge the Board has. Simplifying the language used around cyber security means the Board will have a greater understanding of the organisation’s risk exposure and the steps required to mitigate against it.

Additionally, having a much clearer picture of their security coverage helps Boards to maximise cost efficiencies, as they will not be over-investing in areas that do not require it or under-investing in areas that do.

It’s all in the metrics

Just as company metrics drive growth, cyber security metrics offer insight into the Board’s ROI.

Cyber security metrics should include:

  • Risks that have been realised (and actions to address them)
  • Risks that are outside the organisation’s risk appetite
  • Security posture summary

These cyber security metrics should be communicated in the same straightforward fashion as company metrics, so it is clear what they represent to the business’ risk exposure.

The right expertise to ensure solid security foundations

It’s important to get the foundations of security right. The Board must be fully aware of where the company’s risk profile sits and what their IT security investment covers. This helps avoid anything being overlooked, as could be the case in an overly complex management framework.

If your organisation lacks risk assessment expertise, bringing in external support is always an option. A technical advisory board can share expertise on all matters relating to your business’ IT infrastructure, including your risk profile, and how best to minimise your threat exposure.

Having that expertise on tap can give the Board a greater degree of confidence that any infrastructure investment they make, security or otherwise, is a sound one, and importantly, is fully utilised and offers value.

