Making intelligent decisions that consider cyber risk

January 15, 2019

Last month, I said “People don’t know how to assess cyber risk.”

I quoted from a McKinsey report (my highlights):

  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
  • At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):

  • 85% of board members believe that IT and security executives need to improve the way they report to the board.
  • 59% say that one or more IT security executive will lose their job as a result of failing to provide useful, actionable information.
  • 54% agree or strongly agree that reports are too technical.
  • Only 33% of IT and security executives believe the board comprehends the cyber security information provided to them.

Why is that?

I believe it’s because most reports are either a list of risks or a list of prioritized information assets (produced by following guidance from ISO, NIST, or FAIR).

A list of risks may be technically sound.

But is such a list actionable information?

Does it help boards and executives make the quality strategic and tactical decisions necessary for enterprise success?

 

Protiviti recently shared the results of a CISO round table. Are the CISOs talking about changing the paradigm from managing a list of cyber risks to helping the organization’s leaders take the right level of risk and manage the business for success?

No. They continue to talk about their silos. Stories about breaches are interesting but may not relate to running the business to deliver value.

 

Executives need information that will help them decide how much to invest in cyber when those same resources could be applied to highly profitable investments in new technologies, product design, acquisitions, a marketing campaign, hiring, and so on.

They need to know the likelihood of a breach that would result in their failing to achieve their objectives as an organization.

 

CISOs and consultants complain that boards don’t understand cyber and information security.

It’s true: they don’t.

Why should they learn the language of cyber? They can’t be experts in everything, including not only cyber but financial management, hedging, marketing, product design and development, and so on.

No. Those charged with managing cyber have to learn how to communicate their concerns in the language of the business instead of asking board members and top executives to learn technobabble.

Even if there were a member of the board who talked technobabble, cyber risk would still need to be translated into common business language so that everybody can see the big picture.

Cyber is just one of many sources of risk to enterprise objectives, and business decisions should be made based on reliable information and a view of the big picture, one that includes all the related risks.

 

My advice for CIOs, CISOs, and CROs:

  • Take each of the organization’s strategic objectives, such as “revenue growth of 10%”
  • Consider how a breach might affect each objective
  • What magnitude of breach would it take, that is, what would have to happen, for there to be a significant effect on the achievement of one or more objectives – an effect that would be considered unacceptable by leadership?
  • How likely is that?
  • Communicate that information to leadership, but first work with those responsible for reporting overall risk to objectives and integrate cyber risk into their reporting
  • Help the board and top management understand whether cyber-related risk, together with other sources of business risk, means there is an unacceptable likelihood of failing to achieve enterprise objectives
  • Help leaders decide how to respond when the overall risk is unacceptable (i.e., the likelihood of success is lower than desired)
  • In other words, help them manage the business rather than a list of risks or information assets

 

I welcome your thoughts.

  1. F. Arlington Cokie
    January 15, 2019 at 11:02 AM

    Indeed, I tend to agree with you, Marks. We all may have our specialties in a specific area or profession, but the bottom line here is: how well and professionally are you making positive impacts or adding value to the organization, even though we all report from diverse angles? That is, CIOs, CISOs, and CROs should be prepared to adapt strategies that could engender or clearly speak to the big picture in reporting on cyber risks, which will make it likely for managers/management to make quality decisions in the achievement of enterprise-specific objectives.

  2. January 16, 2019 at 3:25 AM

    I agree Mark. Risk specialists have one separate language, and IT people another. When concerted specialists talk – their talk is totally incomprehensible to the laymen of the C suite and boards. At best you gather, there is something important – but beyond that you are left clueless.

    Risk/CISO/CIO people need to address executives and boards in a language they understand and focus on what matters to them. They essentially do not need to know “what has happened” technically, but they do need to know how it affects performance. They also need to know what is/can be done to handle the issue – and what the effect of those actions can be expected to be.

    Cyber risks are no different from most other risks – these days just show more of these, and new “root causes” than most traditional risks.

  3. Sergio
    January 17, 2019 at 2:36 PM

    Hi Norman, very interesting! And I cannot agree more. I am a technical person as background and I am working on different ways to better communicate these cyber/business risks.

    However, there is one constant thing I see everywhere (and you also mentioned that many times): likelihood/probability.

    I don’t have a risk background so I don’t know how “likelihood” is assessed in real life. I tried to find likelihood scales to follow examples and I don’t see one single guideline/standard about that.

    Deloitte + COSO: https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf
    EY + IIA: https://chapters.theiia.org/pittsburgh/Events/Documents/IIA%20Lunch%20and%20Learn_Risk%20Assessment_2.4.13.pdf

    In those two publications, you can find VERY different scales of likelihood. For example for FREQUENT (Maximum level of likelihood):
    Deloitte + COSO: Up to once in 2 years or more
    EY + IIA: Once within the next / every Quarter

    What would you recommend as a guideline for this? I keep struggling to find a common language about likelihood and I don’t know how two different entities using different scales and mechanisms to measure that can agree on a common level of risk.

    • Osama S.
      February 8, 2019 at 9:18 AM

      Forget about arbitrary scales…

      I recommend you read this:
      https://www.howtomeasureanything.com/cybersecurity/

      Then for practical implementation this:

      Highly regarded books and experts in the field of Risk and Cyber Risk, definitive must read and will answer all your questions.

  4. Osama S.
    January 22, 2019 at 9:52 AM

    Why do you believe the risk analysis results using FAIR are not actionable? Appreciate if you can elaborate a little.

    • Norman Marks
      January 22, 2019 at 10:03 AM

      The end product in FAIR is a list of information assets or risks. That doesn’t help executives or the board understand how technology-related risks might affect the achievement of each enterprise objective.

      • Osama S.
        February 8, 2019 at 9:15 AM

        The end product of FAIR is a report in business terms, it is not an asset register or an entry in a risk register.
        Of course one could technically be doing a FAIR analysis and present at the end an asset list or a risk register entry, but that is not the objective of FAIR and would be a failure of the practitioner but not of the FAIR methodology.

  5. Abubakar Zubairu
    February 12, 2019 at 2:58 AM

    I agree with your analysis. We as the technologists and the management must change the way we report technical issues to the Board for them to make sense of the technical jargon we are feeding them with.
