By Norman Marks, CPA, CRMA
I like to tell risk practitioners that when they report to leadership, they need to:
Tell them what they need to know, not what you want to say!
There’s a huge difference!
So many people make this mistake and swamp the board and top management with technical information, rather than the business information that leadership needs to know.
What leaders need to know varies, but it typically comes down to one thing: they need information to make the right strategic and tactical decisions and take the right risks necessary for success. (Success, for me, is the achievement of enterprise objectives. That is how the performance of the CEO and other top executives is typically measured by the board.)
In Making Business Sense of Technology Risk, I refer to a recent study by Osterman Research. In How boards of directors feel about their cybersecurity reports, they concluded:
- 85% of board members believe that IT and security executives need to improve the way they report to the board.
- 59% say that one or more IT security executive will lose their job as a result of failing to provide useful, actionable information.
- 54% agree or strongly agree that reports are too technical.
- Only 33% of IT and security executives believe the board comprehends the cyber security information provided to them.
This is stunning. Board members are saying that the cyber reporting they receive is not helping them run the business. Is it surprising then that the board is not providing InfoSec professionals with the support (time and resources) they are looking for?
Boards and executives typically receive reports that include some or all of the following:
- An assessment that cyber risk is high, medium, or low. The assessment may be in the form of a heat map, and it might be part of an overall risk report, typically a list of risks (again rated high, medium, or low)
- A list of risk-ranked “information assets” (as suggested by the prominent cyber frameworks)
- The assessment by management – by a chief information security officer (CISO), if there is one, or the chief risk officer – as to whether cyber risk is within the organization’s risk appetite
- Assessments of the adequacy of risk defense, detection, and response capabilities
- Information about the actions that are planned to address any identified weaknesses
- Requests for additional resources
But does this information help top management and the board make the strategic and tactical decisions necessary for success?
A recent report by McKinsey & Co, Cyber Risk Measurement and the Holistic Cybersecurity Approach, revealed that:
- Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). However, the reports are often poorly structured with inconsistent data and too much detail.
- Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
- At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”
CISOs need to find a way to let leadership know whether the possibility of a severe cyber breach — one that will prevent or at least significantly inhibit achieving enterprise objectives — is at least reasonably likely. Ideally, they will point to specific objectives and help board and executive team members know to what extent they are at risk and likely to fail. They should work with the CRO so that the leaders can see the big picture: all the things that might happen, including but not limited to cyber, that could prevent success.
When I was an executive in IT, my team had the responsibility for developing both IT disaster recovery plans and business resumption plans. We performed a business impact analysis (BIA): If there were an outage, how would the services provided by the business be affected? How long an outage could the business survive without severe consequences? How likely is a severe loss of service? How much resource does it make sense to invest to reduce the impact and/or likelihood to acceptable levels?
We need to do the same BIA for cyber.
Instead, we are influenced by the public reports of massive breaches. Yet, according to the Ponemon Institute’s latest Cost of a Data Breach Report, the average cost of a data breach is just $3.9 million. Rand’s Examining the Costs and Causes of Cyber Incidents found that:
“…cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%).”
Every organization needs to perform a BIA that considers the nature of its business and how a breach might affect it. Provide leaders with the information they need to make intelligent and informed decisions on whether the level of risk is acceptable and, if not, how much to invest in some combination of defense, detection, and response.
Leaders need to make decisions – and need information, such as:
- What is the likelihood of a breach or combination of breaches that would affect the business so severely that we would not achieve our objectives (revenue, market share, profit targets, etc.)?
- Which objectives would we fail to achieve?
- Can we bring the risk down to acceptable levels? If so, what are the options, how much risk would be mitigated, how long would the risk be reduced, and what would those options cost?
- Can we afford that? Where is the money coming from?
- Does it make business sense to invest in cyber at the expense of investing in a new marketing campaign, product development, or new technology?
- Should we defer or even cancel technology-intensive projects that will increase cyber risk, such as advanced automation?
- Do we have the right management team to address cyber?
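The BIA described earlier and the decision questions above can be turned into a small, repeatable calculation. The following Python model is an added example, not code from this post or from any of the studies it cites: it records each cyber scenario in business terms (likelihood, outage length against the tolerable outage, revenue lost per day, one-time costs, and which enterprise objectives it threatens), decides which scenarios are severe enough to prevent an objective from being met, and then compares candidate investments by the expected annual loss they remove against what they cost. Every scenario name, probability, dollar figure, and the severity threshold is a constructed placeholder; the independence assumption between scenarios and the simple "probability times impact" loss model are simplifying assumptions of this example, not a method the article prescribes.

```python
"""
Cyber business impact analysis (BIA) expressed in business terms.

Added example, not from the original article. Every scenario, probability
and dollar figure below is a constructed placeholder chosen to show the
method, not real data.
"""
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Scenario:
    """One way a cyber incident could hit the business."""
    name: str
    annual_probability: float    # likelihood the scenario occurs in a year
    outage_days: float           # how long key services would be unavailable
    max_tolerable_days: float    # BIA: longest outage survivable without severe consequences
    revenue_loss_per_day: float  # business impact of each day of outage
    one_time_cost: float         # recovery, legal, regulatory and similar costs
    objectives_threatened: tuple # enterprise objectives this scenario puts at risk


@dataclass(frozen=True)
class Option:
    """A candidate investment in defense, detection or response."""
    name: str
    cost: float
    applies_to: tuple            # scenario names this option affects
    probability_reduction: float # fraction of likelihood removed (0..1)
    outage_reduction_days: float # days shaved off the recovery time


def impact(s: Scenario) -> float:
    """Total loss if the scenario happens once."""
    return s.outage_days * s.revenue_loss_per_day + s.one_time_cost


def expected_annual_loss(s: Scenario) -> float:
    return s.annual_probability * impact(s)


def is_severe(s: Scenario, severe_loss: float) -> bool:
    """Severe = would stop the business meeting its objectives: outage beyond
    what the BIA says is tolerable, or a single-event loss at or above the threshold."""
    return s.outage_days > s.max_tolerable_days or impact(s) >= severe_loss


def apply_option(s: Scenario, o: Option) -> Scenario:
    """Return the scenario as it would look once the option is in place."""
    if s.name not in o.applies_to:
        return s
    return replace(s,
                   annual_probability=s.annual_probability * (1 - o.probability_reduction),
                   outage_days=max(0.0, s.outage_days - o.outage_reduction_days))


def objective_failure_probability(scenarios, objective, severe_loss) -> float:
    """Chance that at least one severe scenario threatening the objective occurs
    this year (assumption: scenarios are independent)."""
    relevant = [s for s in scenarios
                if objective in s.objectives_threatened and is_severe(s, severe_loss)]
    return 1 - prod(1 - s.annual_probability for s in relevant)


def rank_options(scenarios, options, severe_loss):
    """Evaluate each option alone: residual expected loss, net benefit, and which
    objectives would still be at risk. Sorted by net benefit, best first."""
    baseline = sum(expected_annual_loss(s) for s in scenarios)
    results = []
    for o in options:
        mitigated = [apply_option(s, o) for s in scenarios]
        residual = sum(expected_annual_loss(s) for s in mitigated)
        results.append({
            "option": o.name,
            "cost": o.cost,
            "expected_loss_before": baseline,
            "expected_loss_after": residual,
            "net_benefit": (baseline - residual) - o.cost,
            "objectives_still_at_risk": sorted({obj for s in mitigated if is_severe(s, severe_loss)
                                                for obj in s.objectives_threatened}),
        })
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed inputs (placeholders, not figures from the article).
SEVERE_LOSS = 1_000_000
SCENARIOS = [
    Scenario("ransomware", 0.20, 10, 3, 250_000, 300_000, ("revenue", "customer_retention")),
    Scenario("data_theft", 0.10, 0, 3, 250_000, 900_000, ("revenue",)),
]
OPTIONS = [
    Option("immutable_backups", 120_000, ("ransomware",), 0.0, 8),
    Option("phishing_resistant_mfa", 80_000, ("ransomware", "data_theft"), 0.5, 0),
]


def board_summary(scenarios=SCENARIOS, options=OPTIONS, severe_loss=SEVERE_LOSS):
    """The answers in the shape leaders ask for: which objectives are at risk,
    how likely that is, and what each investment buys."""
    objectives = sorted({obj for s in scenarios for obj in s.objectives_threatened})
    return {
        "objective_failure_probability": {
            obj: objective_failure_probability(scenarios, obj, severe_loss) for obj in objectives},
        "options": rank_options(scenarios, options, severe_loss),
    }


if __name__ == "__main__":
    summary = board_summary()
    for obj, p in summary["objective_failure_probability"].items():
        print(f"Chance of missing '{obj}' this year: {p:.0%}")
    for r in summary["options"]:
        print(f"{r['option']}: net benefit ${r['net_benefit']:,.0f}, "
              f"objectives still at risk: {r['objectives_still_at_risk']}")
```

With the constructed inputs, the ransomware scenario is the only one severe enough to threaten an objective, so each of the "revenue" and "customer_retention" objectives carries roughly a 20% chance of being missed this year. The backups option is the cheaper route to an acceptable level because it brings the outage under the tolerable three days and leaves no objective at risk, whereas halving the likelihood alone still leaves a severe scenario on the table; that distinction (how much risk is removed and against which objective, not which control is more technically interesting) is the kind of information the decision questions above call for.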
CEOs should work with the CRO, CISO, and CIOs to make sure actionable information is provided to the board and executives.
Tell them what they need to know so they can perform their leadership and governance responsibilities. Understand the decisions they have to make, the information they need — and then give it to them.