Published on 20/03/2025 | Written by Heather Wright

Translating FUD into meaningful risk…
“It’s not your job to say yes or no or to accept the risk. It is your job to keep the executive leadership team and boardroom informed so they can make the right risk acceptance decisions and to keep them from saying ‘you didn’t tell me’.”
Paul Furtado, former CIO and CISO and now VP analyst at Gartner, is talking cybersecurity – and more specifically how cybersecurity teams should have conversations that count with executives.
“Executives are continually asking us to give them the confidence in the defence we have in our organisations, and a lot of times that puts us in the hot seat, defending budget, defending risks, and how we are addressing incidents that happen.”
A former cybersecurity practitioner, Furtado says it’s easy to overspend in security and get to a point of diminishing returns.
“We need to start taking a look at what the right level looks like,” he says, acknowledging there is no such thing as perfect protection.
“It’s about finding the right level of balance between the protection we want from a security perspective and how much we are willing to fund it and defend it.”
But first is to align cybersecurity with executive priorities.
“When we start having conversations with senior leadership and our board of directors, they really ultimately care about three things: What’s the impact on revenue? What’s the impact on cost? And what is the impact on risk?
“If you can’t align your cybersecurity conversations to one of those elements, you’re making it difficult for them to make strategic decisions, and ultimately they have to make the risk acceptance decision – either formally, through standardised GRC and risk appetite etc, or informally by how they choose to fund you.”
Articulating risk can be a key stumbling block, Furtado says. While both parties might be speaking English, the conversation can be akin to speaking different languages because of different levels of understanding and conversations that focus too much on the technical, rather than an aligned business conversation.
“It’s really important to be able to say at the end of the day, what does this threat actually mean to our organisation? How does it manifest itself and what is the impact on revenue, cost or risk?”
He urges making ‘return on risk’, rather than ROI, the focus, saying that if spending $100,000 or $1 million only displaces $20,000 of risk, it doesn’t make sense.
Working with the business, cyber teams need to look at all potential risks, such as operational, compliance and business disruption risks, and then classify them by severity, to provide a consistent measuring stick defined across the enterprise that everybody understands.
“I’m not a fan of FUD – fear, uncertainty and doubt. We have to provide a realistic view of the operation and when we start having the conversation about risk, the first thing you need to do is come up with an agreed upon risk vernacular across the enterprise so when you say something is a medium risk or high risk, the business knows what you mean.
“Does it mean the business loses x percent of revenue? Is it a loss of x percent of customers? Is it x percent of the infrastructure that is susceptible to this?”
Furtado’s comments come as a new report shows despite nearly two-thirds of Kiwi businesses experiencing a cyber-attack or incident in 2024 – with a significant number resulting in financial extortion and ransom payments – most are still not implementing basic cybersecurity or elevating cybersecurity as a top risk for the company’s board.
The report, from state-owned telecommunications provider Kordia, which surveyed 295 businesses with more than 50 employees, found that around one-third of the businesses surveyed don’t do any reporting on cyber risk to their board of directors – and around half haven’t practised their cybersecurity response plan.
Alastair Miller, principal security consultant at Kordia-owned Aura Information Security, says given the businesses surveyed were among some of the largest in the country and the biggest employers, he’d like to have seen more evidence of a focus on cyber issues.
He says conversations about cybersecurity should begin in the boardroom.
“The good news is that New Zealand businesses are increasingly recognising that cybersecurity isn’t an ‘IT problem’, it’s both a strategic business enabler and an enterprise-wide risk management issue.”
Boards play a critical role in a company’s incident response management before, during and after an incident, and getting this right is a great place to start for businesses wanting to strengthen their security posture, he adds.
The survey also found that just 39 percent of respondents always conduct a risk assessment when onboarding new technologies.
Kordia’s survey found email phishing was the most common cause of cyber incidents experienced, accounting for 43 percent of all incidents. Sixteen percent resulted in the compromise or theft of personally identifiable information, and 22 percent caused operational disruption. Almost one in 10 businesses compromised paid a ransom or extortion demand.