Here’s a question. Is it better to have a board where most or all members understand cyber risk, or to have an expert (internal or external) who takes on the job of understanding and communicating risk so that the board can be guided in its decisions? I’m going to go for the third option: have both…
[…] Boards are also turning to cyber consultants. Kelly Bissell, who works with boards to evaluate their cybersecurity and offer advice specific to their business as the head of Accenture Security, said he’s gotten more calls in the past six months than he had in the entire previous year, as hacks and ransomware attacks escalate.
Bissell stressed that boosting cyber literacy isn’t just about directors learning the language of security but ensuring that chief information security officers can explain their work. “We have to ensure the CISO can communicate effectively at the board level, not in bits and bytes,” Bissell said.
But not every risk needs to be understood by the board, said Dave Tyson, a strategic council member of the Private Directors Association’s Cybersecurity Initiative. Learning to prioritize—and how to communicate simply and clearly—is key, he said.