The next time a CIO is summoned to the board meeting, she or he should expect a grilling on security and risk management. That’s according to the latest Gartner research, which notes interest in these topics is at an all-time high, a view that chimes with findings from the New Zealand Institute of Directors (IoD).

The COVID-19 pandemic has upped the ante for cyber security

In the latest issue of IoD’s membership magazine, Boardroom, the problem is laid bare in a piece by Aura information security general manager Peter Bailey. He cites an increased reliance on digital technologies and a distributed workforce as a result of the COVID-19 pandemic as bringing cyber security issues to the fore.

“The very lifeline to productivity in the stormy seas of COVID-19 may tow your organisation into a lurking cyber security iceberg,” he writes. “Having more of your workforce connected to a myriad of internet connections greatly increases your necessary connectivity surface area. This dispersed network creates exponentially more vantage points for cyber criminals to infiltrate your systems as well as increasing the chance of accidental data breaches via your employees.”

IoD Principal Advisor Selwyn Eathorne concurs with this view, noting that as organisations have changed their operation models and practices, the cyber security risk has increased. “Boards are concerned about a large range of matters at this time, including cyber security. Many organisations have changed aspects of their operating models and work practices with more reliance on digital and technology. This has led to increased cyber security risks and is set to continue as organisations transition into the future. Boards will continue to want to know that their organisations’ critical assets are being protected.
They will need to stay informed about emerging cybersecurity risks, trends and issues,” he says.

How CIOs and CSOs can communicate effectively about cybersecurity

As to whether New Zealand boards believe they are sufficiently informed about cyber security, the feedback is mixed.

“In our 2019 survey of director sentiment, less than half of directors (41%) said that their board received comprehensive reporting from management about data breach risks and incidents. However, 67% of directors of publicly listed companies said that they received comprehensive reporting,” Eathorne says.

Eathorne says there is “no one-size-fits-all approach” to communicating on security and risk management, and it needs to be tailored to the organisation. “Boards and management need to consider the format and frequency of reporting, and consider what information and detail is most valuable in maximising the effectiveness of board oversight in this area. Reporting to the board on cyber security has similar principles to reporting on other areas of an organisation such as health and safety and financial reporting,” he says.

The IoD has produced a guide on how to go about reporting to boards on cyber security, which includes a section on six questions covering key areas of interest: metrics, investment, effectiveness, incidents, reporting and awareness.

Gartner, meanwhile, has distilled its research into five questions, which it describes as follows:

The trade-off question: Are we 100% secure?
The landscape question: How bad is it out there?—and how do we compare to others?
The risk question: Do we know what our risks are? What keeps you up at night?
The performance question: Are we spending enough/why are we spending so much?
The incident question: How did this happen? What went wrong?

It notes that boards collectively care about three things: revenue/mission, cost and risk.
“Board members expect their leaders to interpret topic specific information into its broader business impact. Security and risk management is one of these topics,” Gartner says.