My congratulations go to James Lam, a long-time risk practitioner at E*Trade, and Chris Inglis, board member at FedEx, for their comments in a recent article. The piece says:
- The current iteration of risk evaluation heat maps are akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.
- “I’ve seen heat maps since the ’90s … and I still don’t know what to make of them.” Looking at a heat map, the board is left to question the placement of risk. “Heat maps are one of the worst things that happened to risk assessment,” said Lam. “If I look at something in yellow, should I want it in the green? … or do I want to get closer to orange or red if I can get a return on the risk?”
- Traditional color-coded risk assessments fail to quantify risk in a manner boards are prepared to understand.
- If someone asks for $5 million for multifactor authentication, the board won’t know how to respond.
- It’s a “breath-taking moment” when someone from IT can say they read the business plan during a board pitch.
Inglis says he wants his risk assessment team and cyber defense to be able to answer five questions during a pitch:
- Are you defending the business or a component of the business, like digital infrastructure?
- Are the people authorized to take risk the ones who mitigate the risk?
- Has the security organization done everything defensible?
- How are they defending the business?
- Have you used all the instruments of power at your disposal?
I don’t think this goes far enough.
Quantifying the potential for a cyber breach to affect the business is a sound first step, but it is even more important to understand how such a breach might affect the achievement of enterprise (business) objectives.
Then, you can answer questions that should be posed by executive management and the board such as:
- Does cyber risk represent an unacceptable risk to the achievement of enterprise objectives? If so, which ones? This determination requires the involvement of both technical and business management.
- By how much would an additional investment in cyber reduce that risk? Will the investment be more than the reduction in risk? Why?
- Should the investment be in prevention, detection, or response, or a combination of those areas? Why?
- Can I afford that level of investment? Will it be at the expense of addressing another source of risk or seizing an opportunity? For example, will it mean that I will not have the funds for a marketing campaign, investment in new products or services, or an acquisition? How would it affect cash flow and earnings?
- What are my options and why is one recommended by business and technical management? Can we really manage cyber risk by ourselves?
Only when the business impact is understood does it make sense to get into the details of which risks to which information assets should be mitigated and how.
For more on this topic, including an analysis of the major cyber frameworks and standards, please see Making Business Sense of Technology Risk.
I welcome your thoughts.