How to Talk Cyber Risk With Executives
- by nlqip
Beyond the overall status of the program, you need to be able to explain cyber risk in terms that executives can understand. Keep it simple, and remember a nuance that many people miss: risk has two components, likelihood and impact. For example, some people react to catastrophic impacts (what are we doing about Pottsylvanian hacker-spies?), which are rare, while overlooking the more likely risks (such as ransomware). If a threat is prevalent and in the news a lot (insider data leakage, for example), people will overestimate its likelihood without checking the actual statistics (around 10% of reported incidents[5]).
It shouldn't be hard for you to find likelihood data. In addition to industry statistics and open source threat intelligence,[6] you can gather information internally within your organization. Sources can include the data used to create the radar chart above, as well as firewall, intrusion detection, web, and mail system logs.
Impacts are easier to talk about because they are what keep folks up at night. However, you need to move beyond vague feelings of dread and help people understand the real potential impacts to your business. Impact costs vary greatly depending on your industry, your data scope and compliance obligations, business functions, and how much you outsource. As the cyber security expert, you are in a better position than anyone else to describe those impacts to the board. Talk in terms of tangible and intangible losses that resonate with them, including:
- Tangible costs:
  - Breach disclosure costs (PII record count × disclosure cost per record)
  - Customer SLA fines
  - Revenue loss during system downtime and recovery
  - Compliance and audit fines
  - Potential litigation and fines down the road
  - Incident response costs, including internal resources (OpEx), third-party breach experts, required remediation controls, and effectiveness testing
- Intangible costs:
  - Impact to your brand (the business puts a value to this—usually found as an asset line item in your financial books)
  - Current and future customer perception and loss
  - Loss of business value in acquisition discussions
  - Competitive advantage loss
  - The board's personal reputation and/or jobs
When presenting likelihood and impact, stick to the simplified High/Med/Low model. Everyone is aware that there are more layers, and most execs would understand a more complex model, but their time is limited and they just want the CliffsNotes version. Where the risk is high, they will probably press for details.
Lastly, never present a problem without an accompanying solution. Make sure you have a solid mitigation plan (with proposed budget numbers) to resolve anything rated high risk. Executives want clear lines of responsibility among business owners—they want to know who's responsible for remediation, and the budget from which the remediation tasks will be paid. Never present risk without clear information about ownership and responsibility. The board has most likely already dealt with high-risk, non-cybersecurity scenarios before. If you've done your job well in explaining, you can sit back and let them decide what to do. But, as the cyber security expert, you should still be prepared to give them guidance or validation.
The first time you do this, it might seem like a lot of work, but for effective CISOs it is routine. Risk assessments and reporting to the board should happen at least annually. The first risk assessment is the foundation, which you update with new risks as things change within the organization. As cyber risk becomes better understood and managed, you might only need to present updates when something significant or material has happened. This is the ideal position—not only does it mean everyone is sleeping at night, it means the board trusts you.