Impacts are easier to talk about because these are what keep folks up at night. However, you need to move beyond vague feelings of dread and help people understand the real potential impacts to your business. Impact costs can vary greatly depending on your industry, your data scope and compliance, business functions, and how much you outsource. However, you as a cyber security expert are in a better position than anyone else to describe those impacts to the board. Talk in terms of tangible and intangible losses that resonate with them, including:

• Tangible costs:
  • Breach disclosure costs (PII record count x disclosure cost / record)
  • Customer SLA fines
  • Revenue loss during system downtime and recovery
  • Compliance and audit fines
  • Potential litigation and fines down the road
  • Incident response costs, including internal resources (OpEx), third party breach experts, required remediation controls, and effectiveness testing
• Intangible costs:
  • Impact to your brand (the business puts a value to this—usually found as an asset line item in your financial books)
  • Current and future customer perception and loss
  • Loss of business value in acquisition discussions
  • Competitive advantage loss
  • The board’s personal reputation and/or jobs

When presenting likelihood and impact, stick to the simplified High/Med/Low model. Everyone is aware that there are more layers, and most execs would understand a more complex model, but their time is limited and they just want the Cliff Notes version. In cases where the risk is high, then they will probably press for details.

Lastly, never present a problem without an accompanying solution. Make sure you have a solid mitigation plan (with proposed budget numbers) to resolve anything rated high risk. Executives want clear lines of responsibility among business owners—they want to know who’s responsible for remediation, and the budget from which the remediation tasks will be paid. Never present risk without clear information about ownership and responsibility. The chances are likely the board has already dealt with high risk, non-cybersecurity scenarios before. If you’ve done your job well in explaining, you can sit back and let them decide what to do. But, as the cyber security expert, you should still be prepared to give them guidance or validation.

The first time you do this, it might seem like a lot of work, but for effective CISOs, it is routine. Risk assessments and reporting with the board should be happening at least annually. The first risk assessment is the foundation which you update with new risks as things change within the organization. As cyber risk is better understood and managed, you might need to only present updates if something significant or material has happened. This is the ideal position—not only does it mean everyone is sleeping at night, it means the board trusts you.