The Board of Directors for any bank or credit union sets the tone and direction for the institution, including how the institution leverages information technology. While these Directors are generally not directly involved in the day-to-day operations, they are still responsible for ensuring that the institution operates in a safe and sound manner. The Board is expected to not only set strategy for the institution’s IT Risk Management program, but to also monitor how well the ITRM program is working and to provide a “credible challenge” to management.
Effective communication is crucial to this process but presenting complex information security and cybersecurity information to the Board can be challenging. Here are four common challenges you might encounter when reporting to your Board or Steering Committee, as well as some strategies to help overcome each:
Board meeting agendas are jam-packed with important business, so you may not have much time to communicate your portion. Often, the Board cannot dedicate more than 15-20 minutes to ITRM, and this is precious little time to fully explain complex or nuanced topics.
- Focus on high-level summary information. Whenever possible, consider featuring charts and graphs to help visualize data.
- Highlight both the shortfalls and the positives. A traffic-signal approach is often helpful here: show positives in green and issues in red.
- Show your work! Information presented in a brief manner may minimize the importance of the topic or work involved. Explain why your topic is important to the bigger picture, and brag on your team for their hard work.
This type of Board is one that desires to know and understand every little detail. Deep engagement with IT is a wonderful problem to have, but it can quickly derail a presentation.
- Save questions for the end. If your Board is open to this, it will help you make it through all your material in the time allotted.
- Be open to follow-up discussions. When a discussion strays too far into the fine details, consider gently suggesting a follow-up meeting to discuss the topic in further detail.
- Anticipate likely questions. Be prepared for questions such as:
  - How did it get this way?
  - What are we doing about it?
  - Can we do this internally, or do we need to bring in a third party?
  - Why do we have to do this?
  - How do we compare to our peers?
  - What does that mean?
Some Boards tend to steer any discussion toward a certain topic or key metric near and dear to their hearts. Regardless of whether this topic relates to cost, culture, legal, customer service, or any other concern, if it matters to your Board then it matters to you.
- Frame your presentation in the Board’s terms. How can you fit your topic into the context of what resonates with the Board?
- Don’t bury the lead. Start your presentation with the topic that matters to your Board in order to capture their attention and make them more receptive to the rest of your presentation. If, for example, your Board is sensitive to costs, then don’t keep the Board waiting on the price tag for a new initiative.
- Seek Director assistance. If a Board member is a subject matter expert in an area, ask for their (brief) input while planning your presentation. This approach helps streamline conversations during the meeting, and may help your message resonate better with the rest of the Board.
Not Tech Savvy
Boards have a wide range of responsibilities and cannot be experts in every area. Your Board may not be well-versed in technology concepts, especially emerging technologies and cyber threats.
- Education is key. The Board meeting is not the right time for in-depth training, but you can throw in small reminders as to why metrics like patch status or backup success matter to the bottom line. ISOs should also make educational materials available for the Board to review at their convenience, or arrange separate training sessions for the Board on critical topics. Another option is to reserve training time on the standard agenda for a monthly topic or Q&A (if you can get it).
- Utilize subject matter experts. Experts may be better armed to explain a topic or field questions. Don’t be afraid to call on your coworkers or trusted third parties as reinforcements to help get the message across.
- Relate topics to real-world examples. You don’t have to look far to find news of the latest data breach or ransomware attack – these all make excellent cautionary tales to underscore the importance of preventative measures.
To efficiently and effectively support the Board at your institution, you need to know your audience. Board members are not always experts in information technology and cybersecurity, but a “rubber-stamp” approach to these topics is no longer adequate for regulators. Your Board needs the right information in the right context to make the right decisions and provide that all-important “credible challenge”.