Approaching Your GPs and LPs About Cybersecurity

We all know that a strong cyber program plays a vital role in meeting regulator expectations, but what about when you need to bring the conversation to your firm’s LPs?

Handling cyber discussions with executives requires you to speak their language.

Drawbridge’s CISO Simon Eyre recently sat down with Peter Christodoulo of Francisco Partners to discuss mastering the cyber program executive briefing.

Let’s take a look at three of the top takeaways on how to frame these conversations with executives:

1. Scorecards improve cybersecurity visibility

Creating a detailed scorecard tailored to the needs of your business and its investments can help you not only stay on top of evolving cyber risks but also demonstrate those risks more plainly to your GPs and LPs.

As Peter puts it:

“You can’t really manage it unless you can measure it.”

Scorecards can also help you to divvy up different aspects of your operational risk. Peter offers the example of the three scorecards Francisco uses:

  • Business quality—a measurement of all business attributes and how they affect overall quality (e.g. speed of growth, customer satisfaction)
  • Cyber—an overview of all currently implemented controls and security measures, as well as recommendations for improvement and currently unmet needs
  • ESG—a breakdown of how well the business and/or its investments measure up against ESG (Environment, Social, Governance) standards

2. Cyber should not be treated as a singular, one-point investigation

Cyber assessments are not a one-time task.

A proactive approach to cybersecurity due diligence requires both an initial assessment of a potential investment’s cyber posture and an ongoing program that regularly reassesses each piece of the portfolio. The scorecards discussed above are a crucial component of that ongoing program: businesses can present slide decks with specific points for improvement at each investor meeting.

Additionally, when discussing cybersecurity internally, it’s likely that individuals in different roles will have differing perspectives on the true importance of a proactive cyber program.

Rather than leaving your cyber posture up to debate, the key is to standardize it.

While a cyber breach may be unlikely to happen, it’s far from impossible. Having a clearly benchmarked approach may cost more time and resources upfront, but it can save your business immense amounts of pain and reputational damage in the event that a breach occurs.

3. Start with risk identification, not technology selection

What we often witness with firms establishing new cyber programs is that they prioritize the wrong things.

You can pick out all the best technologies in the world, but it will do you little good if you haven’t yet put the time and effort into mapping out and identifying where your data resides.

Focusing your cyber efforts in the right place requires a thorough risk assessment, and that assessment may call for a third-party perspective to identify blind spots and vulnerabilities that your internal team has overlooked.
