Watch this video from Korn Ferry.
What is important is that Korn Ferry is an organization that works with and advises boards and top executives.
They are right when they say that the CEO has to be proactively involved and that cyber is not an issue to be left to the techies, even the CIO, CTO, or CISO.
Let me repeat that: it is not an issue to be left to the CISO. The involvement of the entire leadership team is required to understand how a breach can affect the business and contrast that to other sources of risk.
They are right when they say cyber needs to be prioritized and treated the same way as any other risk.
But they don’t provide any practical guidance.
It is not sufficient to say that cyber risk is high, medium, or low.
The leaders of the organization need to be able to figure out what is the right level of resources to allocate to cyber defense and response; what is the right level of attention at board and executive committee level; and what should be communicated to shareholders and others.
It is important for practitioners and leaders to focus on the risk to the business, and not get hyped up by breach headlines or by eager consultants.
Resources and attention should be allocated commensurate with the potential for a cyber problem to affect the business.
Resources and attention should be allocated in priority relative to other sources of risk and opportunity.
But it is important to recognize that cyber is only one of several sources of risk to specific enterprise objectives.
Treating cyber risk in a silo (ignoring the need to consider the total level of risk and opportunity as leaders work to achieve objectives) is not going to result in the right decisions being made.
In Making Business Sense of Technology Risk, I point out the flaws in the siloed approach in the ISO, NIST, and FAIR standards. To be fair (pun intended) FAIR points out that even after the end product of their methodology is completed (a prioritized list of risks), a challenge remains in providing business leadership and the board with the information they need to understand how it all might affect success.
Rather than providing a prioritized list of high/medium/low risks, provide leadership with the information they need to make strategic and tactical business decisions.
Help them understand, within the context of competing demands for resources, what is the right level of investment, time, and so on they should make in cyber.
Help them understand when it makes sense to invest more and when it is right to take the risk.
I welcome your comments.