Cyber risk should be communicated to leadership in a way that is meaningful and actionable, enabling leadership to make informed and intelligent decisions.
This post is about wisdom on the one hand and thinking and practices that are less than wise on the other.
I was reading through a 2016 article in the online CSO magazine, CISOs bridge communication gap between technology and risk, when I found these:
Grant Thornton’s Chief Information Security Officer (CISO), said:
“…boards are starting to understand that security is another risk to an organization. It’s not really just an IT issue. The impact that cybersecurity incidents can have on the organization has put it in the same class as other risks to the organization because it can be just as damaging.”
The article also has:
“…at its core, security is an executive level business problem.” [James Christensen, vice president of information risk management for Optiv, says:] “Five years ago that never would have been a part of the conversation, but now the more successful CSOs are doing this.”
Steven Grossman, vice president of strategy and enablement at Bay Dynamics says:
“The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos.”
He also says:
“I need to understand the business goals. I am speaking to them in terms that they are going to understand.”
This makes total sense to me.
Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language. To me, that means talking about the potential effect on enterprise objectives.
How else does a CISO help leaders decide between investing in cyber protection, a new product, an acquisition, a marketing initiative, and so on?
Now let’s see what EY has to say in Understanding the cybersecurity threat, perspectives from the EY cybersecurity Board summit.
EY does well by citing the National Association of Corporate Directors’ five principles from their Cyber-Risk Oversight: Director’s Handbook series. The first principle is on the right lines:
Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
I believe that it is not sufficient to talk about an “enterprise risk management issue”. We should be talking about managing the organization for success. Considering what might happen (risk) is part of how you set and then execute on objectives and strategies.
But apparently that is not how the delegates at the EY conference think.
The number two takeaway from the Summit is:
The board’s role is not cybersecurity risk management; it is cybersecurity risk oversight.
No.
The board’s role is to provide oversight of how management achieves objectives.
As I keep repeating:
It’s not about managing risk. It’s about managing the organization for success!
There will be times when the board should tell management to take the cyber risk because the monies it would take to reduce cyber risk further are better spent elsewhere, such as on new product development.
If we believe that cyber is a business risk, then let’s act like it is.
Find a way to assess and talk about cyber risk in a way that enables informed and intelligent decisions that weigh those and other business risks against the rewards for taking risk.
Work with operating management to understand how a breach might affect what they are doing and what they plan to do.
Help them make informed and intelligent strategic and tactical decisions.
I welcome your thoughts.