Hacked? What to Tell the Board

Be prepared for a “please explain” request from the board after a serious cybersecurity incident.

The unscheduled power outage experienced by three Ukrainian power companies on 23 December 2015 was a game changer. It was a high-profile cyberattack on national infrastructure that caused significant disruption to the electricity supply to a large number of customers.

“Although the frequency of an attack of this scale is low, it shows how an aggressive cybersecurity attack can seriously impact business operations – and customers,” says Rob McMillan, research director at Gartner. “Board-level reporting for cybersecurity and technology risk is becoming commonplace due to the severity these attacks can have on a business, but most organizations aren’t very good at it.”

Gartner believes that by 2020, all large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, up from 40% today.

Most boards will ask security and risk management leaders to present to them on the state of security because it’s part of the board’s fiduciary duty, not because they’ve suddenly become cybersecurity enthusiasts, according to McMillan.

“They may not understand cybersecurity and risk, but they do care about the impact to the business, its customers and bottom-line revenue,” he says.

Align security with business impact

Most boards won’t have many technology-savvy members, so trying to teach them to understand security and the relevant technology is unlikely to be productive or useful to them.

What board directors care about is:

  • Strategy, not operations
  • Risk oversight, not management
  • Business outcomes, not technology details
  • A clear responsibility

Put cybersecurity in terms they can understand and that align with business decisions and outcomes. Tell them what they need to know and what they have a legal obligation to know, and reassure them that there is a pathway to ensure that material risks are being managed.

“You need to help them meet those obligations, but equally you don’t want to overplay the danger because you could undermine your own position,” McMillan says. “That will lead to the board losing confidence in you, or you’ll make enemies, which isn’t an effective way to go about fixing problems.”

What not to tell them

The board won’t be interested in every piece of malware that comes into an organization. If someone gets a virus on their machine and infects six workstations with no significant business impact, directors don’t care. But if it becomes more serious with the potential to disrupt the business, whatever the core business process happens to be, they’ll need to be informed.

Use fear, uncertainty and doubt sparingly. The board doesn’t want to hear the doom and gloom. Directors are interested in ensuring that solutions are, or will be, in place. They’re also interested in how the organization is meeting its business aspirations, and what the security practitioners are doing to help achieve them. It’s a fine balance and it takes skill to convey the message.

What to tell them

Acknowledge that there will be incidents from time to time – it happens in most organizations – but reassure them that they will be managed. “You may not be able to avoid every potential incident, but what you can control is how you prevent them, and then how you respond when they do occur,” McMillan says.

Security and risk professionals should:

  • Position the discussion within a business context that is relevant to board-level decisions, while avoiding issues that are relevant only to IT personnel and IT decision making.
  • Adopt a fact-based approach and avoid blaming individuals. Focus on the current situation and the plan of action to resolve it.
  • Treat an incident as a potential opportunity to remedy systemic or legacy problems, but continue to balance the need to protect the organization against the need to operate the business.
  • Finish discussions with an “ask” of the board to engage members in the process.


Gartner clients can read more in the report: How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors, by Rob McMillan, et al.
