Making intelligent and informed decisions around cyber
The experts continue to bombard us with their advice, insight, and guidance for addressing cyber.

One of those experts, KPMG, recently shared What’s next: Key cyber considerations for 2019. Unfortunately, I don’t think it has much to say that is new or valuable – it points out what we should all already know. Frankly, it’s more a marketing piece than thought leadership.

The FAIR Institute has probably the best methodology for quantifying cyber exposure. Their chairman has penned an interesting document, Understanding Cyber Risk Quantification, a Buyer’s Guide.

He makes a number of points with which I agree, including:

  • The cyber risk landscape is increasingly impactful, complex and dynamic, and organizations have limited resources to apply to the problem.
  • Furthermore, every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives.
  • It’s important to recognize, however, that measuring risk quantitatively shouldn’t be a goal in itself. What is most important is ensuring well-informed decisions through reliable and meaningful risk measurements (whether qualitative or quantitative).

Unfortunately, the decisions envisaged by the author are what I would call siloed decisions. He talks about funds being allocated for cyber and how the FAIR methodology can be used to decide where to spend those funds.

FAIR and the other methodologies and guidance fall well short of providing the information executives need to make strategic and tactical decisions, such as:

  • How do I ‘aggregate’ the various risks to my business and its objectives? How do I see the big picture so I can consider whether the potential rewards from a new venture outweigh all the related (downside) risks? A cyber risk assessment using FAIR or another approach doesn’t give me something I can readily add to other business risks to see that big picture.
  • How much should I invest in cyber when (as pointed out in the FAIR document) “every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives”? When is it right to accept cyber risk?
  • How do I compare the value to the business of investing in cyber protection to the value obtained from an investment in new products or a marketing initiative?

I tried to address these and other questions in Making Business Sense of Technology Risk.

Have you seen an approach that works, providing management and the board the information they need to make strategic and tactical business decisions?

A list of risks, or a prioritized list of information assets, is not helpful in deciding whether to launch a new highly automated product or open an office in Warsaw.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.