Last month, I said that “People don’t know how to assess cyber risk.”
I quoted from a McKinsey report (my highlights):
- Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
- Most reporting fails to convey the implications of risk levels for business. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
- At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”
Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):
- 85% of board members believe that IT and security executives need to improve the way they report to the board.
- 59% say that one or more IT security executives will lose their jobs as a result of failing to provide useful, actionable information.
- 54% agree or strongly agree that reports are too technical.
- Only 33% of IT and security executives believe the board comprehends the cyber security information provided to them.
Why is that?
I believe it’s because most reports are either a list of risks or a list of prioritized information assets (produced by following guidance from ISO, NIST, or FAIR).
A list of risks may be technically sound.
But is such a list actionable information?
Does it help boards and executives make the quality strategic and tactical decisions necessary for enterprise success?
Protiviti recently shared the results of a CISO roundtable. Are the CISOs talking about changing the paradigm from managing a list of cyber risks to helping the organization’s leaders take the right level of risk and manage the business for success?
No. They continue to talk about their silos. Stories about breaches are interesting but may not relate to running the business to deliver value.
Executives need information that will help them decide how much to invest in cyber when those same resources could be applied to highly profitable investments in new technologies, product design, acquisitions, a marketing campaign, hiring, and so on.
They need to know the likelihood of a breach that would result in their failing to achieve their objectives as an organization.
CISOs and consultants complain that boards don’t understand cyber and information security.
It’s true: they don’t.
Why should they learn the language of cyber? They can’t be experts in everything, including not only cyber but financial management, hedging, marketing, product design and development, and so on.
No. Those charged with managing cyber have to learn how to communicate their concerns in the language of the business instead of asking board members and top executives to learn technobabble.
Even if there were a member of the board who spoke technobabble, cyber risk would still need to be translated into common business language so that everybody can see the big picture.
Cyber is just one of many sources of risk to enterprise objectives, and business decisions should be made based on reliable information and a view of the big picture, one that includes all the related risks.
My advice for CIOs, CISOs, and CROs:
- Take each of the organization’s strategic objectives, such as “revenue growth of 10%”
- Consider how a breach might affect each objective
- What magnitude of breach, and what sequence of events, would be needed for there to be a significant effect on the achievement of one or more objectives – an effect that leadership would consider unacceptable?
- How likely is that?
- Communicate that information to leadership, but first work with those responsible for reporting overall risk to objectives and integrate cyber risk into their reporting
- Help the board and top management understand whether cyber-related risk, together with other sources of business risk, means there is an unacceptable likelihood of failing to achieve enterprise objectives
- Help leaders decide how to respond when the overall risk is unacceptable (i.e., the likelihood of success is lower than desired)
- In other words, help them manage the business rather than a list of risks or information assets
I welcome your thoughts.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.