Effectively Communicating Cyber Risk With Business Leaders

Written by: Jeffrey Wheatman, Forbes Council Member

SVP, Cyber Risk Evangelist at Black Kite.

Esteemed journalist Sydney J. Harris once said, “The two words 'information' and 'communication' are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.” To excel as communicators, we need to be able to “get through” to our audience.

In the cyber risk realm, security and risk management leaders often miss the mark when it comes to communicating with their business counterparts. Because technical understanding doesn’t easily translate to communication, they struggle to connect the dots with business stakeholders—causing a significant disconnect. Cyber and risk leaders must craft their communication to resonate with a business audience. Although technical jargon like “ransomware,” “patching,” “zero-day,” “third-party breach” and “bot” might not capture their audience’s interest right away, linking these topics to how they impact the bottom line or customers can make business leaders more receptive. Technical messages from cyber and risk leaders can be delivered clearly, concisely and effectively by adhering to the following best practices.

Understand the risk appetite of the audience.

Risk appetite refers to the extent of risk an organization is prepared to tolerate in pursuit of its strategic goals. Recognizing that operating without any risk is unrealistic, organizations engage in a delicate balance between accepting certain risks and mitigating others whenever possible. Often categorized as high, low or risk-neutral, risk appetite guides decision-making and resource allocation to align with organizational objectives. A company with a high risk appetite may be looking to make large acquisitions (i.e., high risk, high reward), while such an objective may not be in the cards for companies that are low or risk-neutral.

Before presenting to business leaders, security and risk teams must understand their organization's risk appetite to effectively communicate updates and offer actionable recommendations. Does leadership already have a defined risk appetite? What stakeholders are involved in the decision under consideration? Collaborating with the relevant parties to determine risk appetite will help define the terminology and taxonomy and link security risk appetite with enterprise objectives, helping ensure alignment right from the start. Understanding risk appetite can help bridge the divide between a technical team and the organization's business leaders, fostering stronger connections between risk management and overall business objectives.

Become an effective storyteller.

Effective storytelling aims to achieve three primary objectives: informing and educating, influencing decisions and altering behaviors. When executed correctly, storytelling can powerfully convey your objectives to get key points across and connect with an audience. Practice is paramount in refining storytelling skills. Consistent rehearsal enhances presentation delivery.

One way that cyber and risk professionals can enhance their storytelling skills is by crafting concise one-pagers to streamline messaging that helps prevent tangents and ensures directness in presentations. It’s also helpful to develop easy-to-articulate analogies that will resonate with your audience. For example, when speaking about the impact of third-party breaches, you could say, “A third-party breach operates much like a virus coursing through a school. It begins with an initial carrier, who unwittingly passes it on to others. Subsequently, these newly infected individuals become carriers who can spread the virus, creating a cascade of compromise across the community.” This helps put potentially unfamiliar ideas in terms the audience can relate to, giving them a better chance to resonate with your message.

Include qualitative elements.

Although quantitative evidence holds significance, there are also qualitative drivers that motivate decision-making. Customer impact, company image and market trust are all crucial points to consider when communicating with non-cyber stakeholders. They need to know how technology purchases, security posture and other major decisions can affect these areas. Consider using scenario planning to pinpoint trends and effectively demonstrate the consequences of both actions and decisions not to act. This approach helps clarify the audience's motivations and preferences.

Keep in mind, however, that these points can be emotionally charged. When discussing sensitive topics, it's beneficial to road-test the approach with a smaller group to ensure that it's likely to be well received by the larger group. Appealing to emotions can make for more compelling discussions, but tread carefully, and try to avoid over-indexing on fear, uncertainty and doubt.

Master speaking on a business level.

Cyber and risk professionals can effectively communicate with non-technical leaders by tailoring their approach to frame information in terms that align with business priorities. Framing topics in terms this audience understands will inevitably spark action within the leadership team.

Several helpful tactics to master business-level conversations include:

• Piloting Your Messaging: Before crafting your presentation, it's a good idea to engage with a relevant industry expert to test your messaging. This enables you to gauge likely audience reactions, identify resonant themes and refine your key points for maximum impact.

• Presenting Mindfully: When presenting to business leaders, don’t assume they're familiar with your technical references. Pause periodically during your presentation to check if the information is clear and useful to them, and encourage questions to ensure clarity and engagement. Also, ensure that you have credible sources to back up what you're presenting, and provide credible third-party validation to your messaging.

• Enrolling In Free Business Classes: Many organizations provide complimentary business training opportunities that leaders can leverage. Harvard University, Coursera and edX offer courses that cyber and risk leaders can take to enhance their business communication skills and learn what the C-suite really cares about.

Bridging the gap between technical roles and business leaders is often a challenge. Although security and risk teams hold crucial data about an organization’s risk levels, it’s important that they convey this data in a way business leaders understand so they can prioritize and take action immediately when necessary. Understanding the business’ risk appetite, taking steps to become an effective storyteller, remembering to incorporate qualitative elements and learning how to speak business leaders’ language will help ensure effective, open communication for greater business success.

How to get your CFO to buy into a better model for IT funding

Written by: Lorraine Longhurst

Digital success requires a product-based approach to IT — and a shift to persistent rather than per-project funding. Here’s how to address your CFO’s concerns about costs and risks.

CFOs want certainty when it comes to spend. And they want to know exactly how much return on investment (ROI) can be expected when IT leaders make technology-related changes.

Meanwhile, CIOs want certainty when it comes to funding. Continuous and dependable funding facilitates IT leaders’ ability to deliver leading-edge technology solutions while not increasing technical debt. 

Modern digital organisations tend to use an agile approach to delivery, with cross-functional teams, product-based operating models, and persistent funding. In contrast, traditional organisations use a project-based approach to delivery, with temporary teams created on an as-needed basis for a specific purpose with budgets based on up-front funding estimates.

CFOs have grown comfortable with the traditional project-based approach, through which they believe they get a better handle on spend certainty and a better sense of ROI. But to deliver transformative initiatives, CIOs need to embrace the agile, product-based approach, and that means convincing the CFO to switch to a persistent funding model.

Persistent funding, also known as perpetual funding, provides IT teams consistent funding on an annual rather than per-project basis. It empowers them to better consider long-term impact as well, enabling them to tackle technical debt and improve IT processes as necessary — activities often not addressed by project-based funding unless proposed separately.

For CFOs, persistent funding can raise concerns. This article explores how CIOs can address each of their CFO’s key concerns when moving away from project-based teams to persistent funding, including the need to better track ROI, reduce risk, and reduce cost.

How does persistent funding improve the ability to track ROI?

We can all appreciate a detailed project plan for the right type of project. If the scope is clear and easy to define up-front, it’s a great way to keep everyone on track and ensure teams are delivering to budget.

For work involving more complexity, such as app development or the creation of data insights, a traditional project plan provides a false sense of security because it gives the impression of certainty around the timing of delivery milestones.

To illustrate the benefits of shifting to a persistent funding model, I will draw on my experience working with Jeremy Hubbard, chief technology and data officer at Rest, a Sydney-based profit-to-member superannuation fund with more than 2 million members.

In early 2023, Hubbard knew Rest needed an ambitious new technology roadmap to enable the implementation of its strategy to make the superannuation experience simpler. He brought on my firm, Enablement Consulting, to assess the situation and then work with Hubbard and his team to implement a persistent funding operating model at Rest.

“The persistent funding operating model increased our productivity dramatically at previous organisations,” says Hubbard in discussing his motivation behind the change. “I needed an outside perspective on whether it was well-suited to the environment at Rest and how to get started.”

When we introduced persistent funding at Rest, we changed the focus to ‘why’ rather than ‘what.’ The persistent teams used a benefits delivery roadmap, which outlined the SMART benefits to be delivered throughout the year. This approach enabled Finance and business stakeholders to use data insights to see the metrics move as the year progressed.

Here is a fictional digital banking example that highlights how a persistent team might tie its initiatives to organisational SMART objectives:

  • Specific: Increase the number of active users on our mobile banking app

  • Measurable: Achieve 5% growth in active user numbers

  • Achievable: By enhancing app features based on customer feedback

  • Relevant: Increasing active users will help us reach our strategic goal of improving customer engagement

  • Time-bound: 5% growth in active users to be achieved within the next 9 months

Taking an approach like this worked well at Rest because the executives had defined SMART objectives to execute the strategy and align to members’ best financial interests. Every high-level initiative the persistent teams plan to work on must provide a clear benefit aligned to the organisational strategy.

The use of the benefits delivery roadmap enabled Rest CFO John O’Sullivan to understand exactly what benefits were delivered throughout the year, helping him to understand the ROI for the team. A quarterly forum was introduced to govern the teams’ costs and track the realisation of benefits identified for each initiative.

“For us to agree to funding for the year ahead, we needed a better way to show how the persistent teams would enable us to deliver the benefits identified in the strategy,” O’Sullivan says. “We made use of the organisational balanced scorecard and the associated metrics tracked in our quarterly business performance reporting.”

How does persistent funding reduce risk?

In traditional funding models, new ideas require a detailed business case that involves significant up-front analysis and design work. This approach often leads to the mistaken belief that it reduces the risk of budget overruns. 

However, as most are aware, too much emphasis on upfront design can actually increase risk because oftentimes issues are not uncovered until the team starts development.

To ensure persistent teams stay within budget, and thereby reduce risk, it’s crucial that executives understand the fundamental agile principles related to flexible scope and fixed budget. 

Sometimes, management needs to make a change in direction, and persistent teams allow for this. By using data insights from the quarterly business performance report, the CFO is made aware of situations where the organisation is not tracking towards goals. The executive is then empowered to reprioritise, while still focusing on the ‘why’ or outcome to be delivered. They can change persistent teams’ focus by working with them to swap one initiative for another — rather than asking for additional funding. Making trade-offs means they need to prioritise wisely, as there is a fixed budget to work within.

“When there is a change in direction, executives are empowered to make trade-offs to deliver on their needs. It is no longer an ‘ask’ of technology,” says Hubbard, regarding Rest’s use of an agile approach in conjunction with persistent funding.

We set up a persistent pilot team at Rest in 2023 to test out the concept. About three months into the six-month pilot, the team uncovered that one of the initiatives wasn’t technically feasible at this time. The product owner decided to swap the item for the next initiative on the backlog. 

This example enabled CFO O’Sullivan to see the ‘swapping’ concept in action — we used the quarterly forum to show how this approach reduced risk by ensuring the team worked within their budget while still aligning to strategy.

How does persistent funding reduce costs?

When collaborating with the CFO on the move to persistent funding, it’s important to discuss how this new operating model reduces costs in three ways:

More permanent staff and fewer contractors. I recommend increasing the ratio of permanent to contract employees to improve focus on the long-term viability of the product and reduce handover when projects are completed.

Persistent teams should be funded by both capital and operating expenditure to ensure that the teams are considering both short-term wins and long-term maintainability of the product. Capex items might include new web portal features, which increase the value of an asset, whereas Opex items might include an upgrade of the platform behind the web portal.

The reason permanent employees work well on these teams is because they have a vested interest in considering the maintenance of the digital product over the long term. The long-term viability of the platform is an important focus for the teams to ensure we minimise technical debt.

The CFO may like the idea of reducing cost by hiring permanent employees, but only if there is an understanding that shifting to persistent teams is a commitment to a long-term strategy. Here, implementing a pilot team can give the CFO confidence in transitioning to this approach.

Improved productivity due to reduction in delays. I recommend using Scrum on the persistent teams, which would mean having one full-time product owner responsible for decision-making and a fully cross-functional team with the skills to design, build, and deploy the solution. The goal should be to empower the team to make day-to-day decisions autonomously to speed up the delivery process. This is possible only when business executives have set clear objectives and metrics.

“Each executive needs to make it clear to their product owners what objectives they need to focus on,” Hubbard says. “We tried a few different approaches to benefits measurement until we landed on something that worked for both Finance and Member executives.”

The full-time product owner on a persistent team must be given authority to make product decisions that are in line with the strategic direction set by the executives. They consider technical feasibility and business priority while making these decisions, which speeds up the process of implementing new ideas.

It’s possible that the concept of Scrum and a ‘product owner’ might be new to the CFO, especially since its application can vary in digital organisations adopting agile methodologies on a larger scale. I highly recommend working closely with all executives to ensure they fully understand the significance of empowering product owners to make decisions.

Improved efficiency due to funding by business area. I recommend moving away from a ‘shared resource’ model and instead ensure that a persistent team is fully dedicated and paid for by a specific business area.

When a specific business area funds a persistent team, it gives them a sense of ownership of the outcomes. It becomes more important for the executive to ensure the teams are clear which SMART objectives they need to focus on.

I’ve seen situations where business areas provide a long list of ideas they would like implemented, but because Technology is funding it, they only have the bandwidth to implement a select few. This can quickly lead to an ‘us versus them’ atmosphere, where the business area doesn’t feel that they are being provided the services they require.

The CFO may find that making the business area responsible for funding the persistent team simplifies things from an accountability perspective. It is easier to track benefits realisation for select major programs to specific business areas.

Getting started

If your organisation is just starting out with persistent funding, it’s important to begin with a focused pilot program. This trial will allow you to evaluate the concept and refine the approach in a controlled manner before scaling it across the organisation.

At Rest, we conducted an assessment with the business stakeholders for the pilot team both at the beginning and end of a six-month pilot. This enabled us to work together with the CFO and other executives to determine how best to communicate the team’s progress in a way that they understood, as well as putting the right level of governance in place.

The purpose of the pilot was to evaluate the effectiveness of empowering the pilot teams’ product owner in making decisions autonomously; to improve team efficiency, transparency, and business stakeholder satisfaction.

Cybersecurity and the current skills gap

Even with increased automation, an organization’s cybersecurity strategy is only as strong as its employees. According to a Fortinet report, 84% of surveyed security leaders experienced one or more breaches in the past 12 months, up from 80% in 2021. Twenty-nine percent had five or more intrusions versus 19% the previous year, and 48% suffered breaches in the past 12 months that cost more than $1 million to remediate, up from 38% in 2021.

20 Ways Marketing And Tech Teams Can Collaborate For Success

As technology plays an ever-growing role in all aspects of business, there are certain departments that could see marked benefits from having more interactions and engaging in cross-functional initiatives with the tech team—especially marketing and communications, where audience targeting and outreach efforts are becoming increasingly analytical.

20 Trends In Leveraging Technology For Cyber And Physical Security

When people think of technology and security, it’s likely cybersecurity that comes to mind. And leveraging tech tools to better detect and defend against cyber breaches is certainly a top priority for companies of all stripes.

Is Cyber Liability Insurance Sufficient Coverage for All Cyber Risks?

Cyber liability and crime insurance are like a safety net for businesses, but they're not perfect. They can help you recover from a cyberattack, but there are some key things you need to know about these policies before you buy one.

Take an Offensive Approach to Password Security by Continuously Monitoring for Breached Passwords

Passwords are at the core of securing access to an organization's data. However, they also come with security vulnerabilities that stem from their inconvenience. With a growing list of credentials to keep track of, the average end-user can default to shortcuts. Instead of creating a strong and unique password for each account, they resort to easy-to-remember passwords, or use the same password for every account and application.

Companies Turn to AI to Avoid ‘Cloud Sprawl’

Companies are turning to artificial intelligence to root out savings in runaway cloud-computing bills, tapping software designed to pinpoint overlapping cloud applications, excess data storage and other inefficiencies across information-technology systems, corporate technology chiefs and industry analysts say. 

Key Cybersecurity Tools That Can Mitigate the Cost of a Breach

IBM's 2023 installment of their annual "Cost of a Breach" report has thrown up some interesting trends. Of course, breaches being costly is no longer news at this stage! What's interesting is the difference in how organizations respond to threats and which technologies are helping reduce the costs associated with every IT team's nightmare scenario.

SEC Moves up Start Date of Reporting Material Cybersecurity Incidents

By Cam Sivesind

According to a press release yesterday from the United States Securities and Exchange Commission (SEC), the agency has "adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures."

"Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors," said SEC Chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them.”

Most cybersecurity professionals were expecting the new regulations to go into effect in October of this year, so this news is an eye-opener for CISOs and other business leaders.

Jerry Perullo, Cybersecurity Advisor, Founder, and Professor, added this perspective on the news in a LinkedIn post:

"I'm pleased to see thoughtful consideration of the comments many of us submitted. Key takeaways and changes from the original proposal include:

  • The 4-day timeline for incident disclosure remains, but requirements wisely shift from details on the incident to a focus on material impact.

  • The Commission migrated from 'policies and procedures' to 'processes' on program disclosure. This will free organizations to keep policies focused on practical, specific details that are relevant to the audiences bound by them and avoid the trend of policies becoming static marketing documents.

  • The final rule is far less prescriptive in the program elements required for disclosure, adopting a more principle-based approach that will allow a variety of approaches to satisfy the spirit of articulating a risk management approach. Given the fast-changing nature of adversarial threats, this should allow firms to operate adaptive programs that can quickly pivot in response to changing threats.

  • The Commission prudently rejected calls for mandated cyber risk quantification.

  • There is a carve-out for incident disclosures that could pose risks to national security or public safety.

  • The confusing concept of immaterial incidents 'aggregating' into a material issue has been removed.

  • There will not be a requirement to disclose whether a firm has a CISO, given broader requirements to disclose the positions or committees responsible for managing cyber risk. While my opinion may run contrary to those of many CISOs, I believe many registrant firms can manage cyber risk effectively with cross-functional non-CISO management if adequately informed and empowered.

  • The requirement to disclose 'the cybersecurity expertise, if any, of a registrant's board members' has been rejected. While I selfishly might have seen this proposal as helpful to my own corporate governance work, I agree with the Commission that a broader principle-based disclosure of cyber risk management processes will empower organizations to feature cyber expertise on the Board when it is appropriate for that firm's risk profile while not diminishing the credentials and risk management abilities of Directors without formal cyber-specific experience.

  • Smaller companies are not exempted from these rules. I feel this is entirely appropriate given the modifications made throughout the ruleset to give companies of varying size and, more importantly, risk level the ability to adopt and assert appropriate processes for compliance.

In sum, I'm absolutely pleased with the rulemaking process and final result here. Well done, U.S. Securities and Exchange Commission."

The new regulations were approved by a 3-2 vote.

A few days prior to the vote, Nakul Goenka, Founder of the Houston Legal Tech Association, wrote this post on LinkedIn breaking down the implications of the now-enacted regulations.

"There are five main disclosure requirements which the SEC is proposing:

1. Reporting of 'material' cybersecurity incidents.

2. Ongoing reporting of 'material' cybersecurity incidents.

3. Disclosures of cybersecurity policies, governance and management.

4. Disclosure if any Director has cybersecurity expertise.

5. Disclosure for foreign private issuers."

Check out the article for specifics to all five disclosure requirements.

Brian Walker, Founder and CEO of The CAP Group, had this to say in a LinkedIn post:

"Today's SEC vote requiring material breach disclosures appears to mostly affect CISOs and leadership teams more than board directors but disclosure rules have major implications for all stakeholders.

According to World Economic Forum's Global Security Outlook, 14 market days after a security breach goes public, average share price bottoms out and underperforms NASDAQ by -3.5% and even 6 months later is still -3.0% under the NASDAQ.

While it seems the SEC is taking a cyber reporting path that aligns more with operational security than governance, investors and the general public will likely continue to monitor companies' cyber governance expertise to mitigate the financial and reputational risk related to breach disclosures."