What makes a good cyber risk advisor? What skills do they need to help board directors address cybersecurity? According to a report by BayDynamics, board directors “may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame that advice around relevant business concerns.”
In addition to being able to communicate effectively, cyber risk advisors should have a solid understanding of the technical weaknesses of the organization and how those weaknesses can impact business objectives. While it may be simple to find someone with technical savvy, that doesn’t necessarily mean you can put that person in front of a business leader. As BayDynamics noted, “You’re not going to impress a board with how smart you are by throwing technical jargon at them that will go over their heads.”
Translating the Facts
Consider the significance of meteorologists. Why do we need professionals to explain storm risks and help us to make sound decisions? After all, we already have quantitative data that outlines the storm trajectory and predicted times, locations and strength.
With so much self-evident data, why invest in a meteorologist to explain it? Perhaps we stay glued to our television sets to listen to wave after wave of weather folks translate facts into powerful mental images. If you live near an incoming storm, then hopefully these weather orators inspire you to make sound decisions about the risks you face.
So it should come as no surprise that, according to BayDynamics, board directors prefer to receive cybersecurity information through “high-level security strategy descriptions.” While metrics provide valuable data, they need to be interpreted, analyzed and ultimately translated into how they impact the business.
Six Characteristics of a Good Risk Advisor
Cyber risk advisors work to help board directors make the right business decisions when it comes to navigating turbulent cyber weather. Below are six traits of a good cyber risk advisor.
1. Strong Professional and Personal Skills
To operate across multiple levels of the business, cyber risk advisors should possess excellent listening skills and the ability to communicate effectively. They must also be able to analyze and synthesize large amounts of information.
In addition, an advisor needs to understand and navigate the rational and emotional side of the advisor-client relationship, adapt to a client’s pace and respond appropriately. Advisors need to possess candor and transparency as well as empathy and imagination. This will allow them to read situations and put themselves in other people’s shoes. Ultimately, the advisor should be able to communicate in the most appropriate language for their audience.
2. Solid Grasp of Tech Pros and Cons
The risk advisor also needs a strong grasp of what technology can and cannot accomplish. While technical controls have their place, even the best technical defense can be thwarted by human error. And even if your staff and users are perfect, your own organizational processes might slow down progress on the security front.
This individual should also be able to identify how cyber issues can impact the business and make the case for governance efforts. As EY noted, a good advisor “raises awareness of technical and nontechnical risk factors, and provides both technical and business strategy solutions to give organizations the best shot at succeeding in an uncertain environment.”
3. Focused on the Business and People
Ultimately, the advisor’s key interactions won’t be with technology or processes, but with people and the business. Therefore, they must be able to frame cyber risk metrics in a business context. Good advisors will also be familiar with the value of security frameworks such as the NIST cybersecurity framework. They should outline a clear vision of the steps a business needs to take to meet compliance standards and articulate the current state versus the target state.
An effective risk advisor not only looks for ways to safeguard the business, but also finds solutions that will work for the people impacted by the decisions made in the name of security. With that in mind, they will prioritize threat intelligence and look beyond geographic boundaries into trends and market incentives.
4. Understands Company Culture
Each organization has its own distinct personality. To ensure positive interactions, a savvy risk advisor will seek to understand the personalities of board members and the character of the organization itself.
It’s important for advisors to address organizational risk biases, especially when it comes to reviewing a prioritized list of risks with top leadership. The advisor can use guiding questions to help clients to recognize any biases that could impact their ability to make the best business decisions. For example, the advisor might ask each line of business how it is managing its cyber risks, the extent of positive changes and how these changes have been measured.
5. Maintains Trust and Open Dialogue
However qualified advisors are, they will have to tread lightly until they’ve established trust with the client. The authors of “The Trusted Advisor” explained that there are multiple levels in the client-advisor relationship. The lowest level is a service-based relationship, where the advisor spends the majority of the time providing information to the client. This is followed by a needs-based relationship in which the advisor solves problems for the client. This can then evolve into a relationship-based level in which the advisor provides insights into the organization. Finally, the top level is a trust-based relationship, where the advisor focuses on understanding the client and its needs.
Risk advisors must develop trust with the client and work as a partner with the top leadership. To do this, they must be transparent and honest, establish credibility and ensure multiple lines of dialogue. Doing so will demonstrate how they understand the business and its strategy.
6. Articulates the Company’s Cybersecurity Posture
Three key questions for top leaders and boards include:
How are our security investments helping protect our most-valued assets?
How does our cybersecurity strategy align with our business objectives?
How do we measure the effectiveness of our cybersecurity program?
Advisors can provide an unbiased perspective on whether past decisions have helped the business or not. They can also review the quality of the information presented to the board to ensure it is reliable, relevant and presented in business-centric terms. Similarly, they can assess the strength and reliability of the organization’s cyber indicators and how well the organization is addressing cyber risks. Advisors also analyze the speed and efficacy of incident response and review other key security indicators for signs of progress.
Ultimately, much like when a CFO presents a financial statement to the board, the advisor ensures that cybersecurity is always framed in terms of what it actually means for the business. The advisor can make sure that the current cybersecurity posture is well-articulated and that the target state is achievable given the organizational culture. Finally, the advisor can assess the organization’s progress toward achieving its target state.