I continue to be frustrated by articles and so-called expert advice on how organizations should address the risk of a cyber breach.
It’s just one of the reasons I wrote Making Business Sense of Technology Risk. The book not only explains how problems related to the use of technology should be considered when making strategic and tactical business decisions, but uncovers fatal flaws in the cyber standards and frameworks.
It’s one thing to say that “cyber is a business risk like any other” (quoting a new article by a partner with Schillings) and another to actually treat it that way.
If you want to treat cyber as another business risk, then it needs to be assessed and evaluated in a way that lets you compare it to, and aggregate its effect with, other sources of business risk.
The author of that article gets several things right:
- What businesses need is a new type of CISO. A CISO who can get involved in digital transformation, but who also has executive management skills and understands that security is an enabler.
- Cyber security is about more than just building and maintaining threat resistant systems. It is both a strategic and risk management issue.
- A CISO today needs to understand business impact and resiliency and have the ability to present clearly and in non-technical language (without acronyms), to the Board. Skill sets need expanding to include risk, enterprise risk management and knowledge of the business.
- CISOs who can’t think strategically have been given the wrong title.
- Boards want to see the impact security has had on the business itself — not just how you improved things on an operational level.
- Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services. Risk management is about informing and improving that decision-making process.
- …governing risks to technology systems is no different to governing other business activities. You just need to use the right people, structures and processes to make sensible risk management decisions to achieve your business goals and objectives.
So far, this is excellent. The author is asking the right questions, especially “Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services.”
But then it goes terribly wrong.
I strongly disagree with this statement:
The worst reporting line, in my opinion, would be to the CIO, followed by the COO and perhaps the CFO. Better the CEO, Chief Risk Officer or General Counsel. Encouragingly, in the UK’s FTSE350, the majority now have CISOs reporting directly to the Board.
This shows a total lack of understanding of the role of the CIO.
Consider these descriptions:
The role of the CIO is to help to set and lead the technology strategy for an organisation, in concert with the other C-level executives. As such, one of the many roles of the CIO is to provide an executive-level interface between the technology department and the rest of the business. (ZDNet 2019)
Due to the reliance on technology to grow and succeed, the CIO will become a fundamental part of the business, have a seat at Exco / Board table and report directly into the CEO. They will be expected to guide the board in the use of IT (aiding King IV™ compliance) and contribute to business performance at a strategic level, seeing the role becoming less technical and operational. (PwC 2017)
As digital becomes a core competency, the CIO plays a key leadership role in the critical strategic, technical and management initiatives — from information security and algorithms to customer experience and leveraging data — that mitigate threats and drive business growth. (Gartner, 2020)
The CIO’s primary role is to make sure the organization is making the best use of technology to both drive and protect the organization. In order to do that, they need a solid understanding of the business and an excellent working relationship with other business leaders.
Make no mistake. Cyber is a technical issue and the challenge is seeing it within the context of the business – making business sense of it.
The CIO is in the perfect position to understand cyber and its potential to affect the business. He or she can understand the damage it can cause, as well as the likelihood of that damage being severe.
This is because they understand the business, how it operates, and the extent to which it relies on technology.
The CIO can appreciate what can and should be done to minimize the possibility of severe damage and be in a position to respond appropriately when (not if) there is a breach.
The CIO is also in a position to contrast the value of an investment in cyber to an investment in new technologies, or even new marketing initiatives or the opening of a new manufacturing facility.
I talked to a NIST Fellow in the process of writing my book. He said that it is disastrous for the CISO to report to the CIO because the CIO will favor spending money on new functionalities over cyber. He had no answer to my reply that maybe the CIO can see there is more value to the organization in those systems.
So let’s empower rather than disembowel the CIO.
Business and not technical decisions need to be made.
One of the problems, which I illustrate in the book, is that few cyber professionals are able to effectively explain the business impact of a breach. Instead, they provide a list of high-risk information assets (following NIST, ISO, and FAIR guidance).
That is not actionable information. It is of very little value, limited to deciding where to invest your cyber budget rather than justifying getting a budget in the first place.
If you want money for your area, you have to explain why it makes good business sense – and better business sense than any other investments.
The Schillings author has ten questions the board should ask the CIO.
He misses the top 3 or 4:
- If we have a breach, how would it affect the business and our ability to achieve our objectives for the year?
- How likely is it that we would have a breach that has such a serious impact that we would miss one or more enterprise objectives?
- Is that an acceptable position?
- Is there a business case for investing more in cyber? What would be the effect, in terms of achieving our objectives, of an incremental $1 million, $2 million, etc.? Is this the best use of our resources?
Just to explain the focus on achieving objectives:
- This is how pretty much every organization defines success and what it works towards
- The significance of a breach can be measured in terms of monetary loss or data exposed. But while that may be in the millions or even tens of millions for larger organizations, the greater concern is whether it will have a lasting effect on revenue, profits, etc.
Making Business Sense of Technology Risk should, IMHO, be essential reading not only for CISOs and their staff, but also for CIOs, CFOs, IT auditors, CROs, and all who want to treat technology-related risks (including but not limited to cyber) as a business risk.
I welcome your thoughts.
By Norman Marks, Governance, Risk Management, and Audit