A couple of recent pieces shed some light, some amazing light, on how cyber-related risk is perceived by executives and the board.
CIO magazine discusses a survey of Australian CEOs and CISOs. They found that:
- …only 6 percent of CEOs say their organisations had suffered a data breach in the last 12 months. This compares to 63 per cent of CISOs who reported breaches in their organisations.
- Almost half (44 per cent) of CEOs felt that their organisations can respond to respond to cyber threats in real time. Unfortunately, their CISOs don’t feel the same way with only 26 per cent indicating that this is the case.
- What the study found is pretty much a disconnect and lack of communication between the two very important roles of CEO and CISO.
- One-third [of CEOs] believe cyber security is an IT or operations issue. So they do not see it as a business priority and as a consequence, they don’t [include] it as part of their business planning.
- 25 per cent of the organisations surveyed that have boards do not report on cyber security to their board members on a regular basis.
This disconnect leads me to a number of suspicions, if not conclusions:
- If the CEOs didn’t believe their organizations suffered a data breach, the consequences of any breaches must have been inconsequential.
- CEOs don’t give a lot of time to concerns about cyber breach despite all the ‘experts’ calling it a top risk, even though they almost certainly have been breached; in real life it is not a top risk. It doesn’t really matter.
- The incidence of major breaches that can have a major impact on an organization must be low.
- Even CISOs don’t know how many times they have been hacked.
A report from the IIA, discussed in Radical Compliance, also talks about a misalignment when it comes to risk – this time between boards and executives. It found that:
…across 11 enterprise risks, boards are more confident [in how well risk is managed] than executives — which is alarming, since executives are closer to the organization’s reality than board directors.
I suggest referring to the chart in the Radical Compliance article that shows the gap by type of risk. (I will not be writing about the IIA report; you can read it for yourself and see why.)
Why is there this misalignment and lack of understanding?
I put it down to these facts:
- People continue to try to manage a list of risks rather than the success of the organization.
- They are not assessing the level of risk based on how something might affect the likelihood of achieving objectives. Quantifying a ‘risk’ like cyber based on a dollar value is usually (IMHO) misleading.
- If you don’t understand how something like cyber might affect an organization and its success, which is a range of potential effects and each has its own likelihood, you don’t know how to assess whether it is an acceptable level of risk or not.
- As a result, the management of risk is something separate from the management of performance and success – and becomes a compliance exercise rather than something integral to effective management of the organization.
- The level of risk to an organization’s success from a cyber breach is inflated in the surveys and media based on a few high profile incidents. The average data breach cost is less than $4 million (according to the Ponemon Institute – see my book, Making Business Sense of Technology Risk for a more in depth discussion).
- People do not understand that risk management is about the ability to make informed and intelligent decisions so you can achieve success, not managing a list of risks or discussing whether cyber is #1 or #3!
I usually find good material on McKinsey. But you will see many of the same problems in their latest, The risk-based approach to cybersecurity. It’s all about ‘risk reduction’ instead of increasing the likelihood and extent of success.
The board and the CEO are focused on the successful achievement of objectives. Why can’t practitioners talk to them in those terms?
I welcome your opinions and comments.