As co-founder and president of RiskLens, I spend a lot of time with C-level executives, managers, and analysts within our current and prospective customer base. I am observing that these three groups are subject to a rapidly changing environment within the overall technology and cyber risk management discipline.
- Technology risk = business risk. Following the so-called “year of the breach” in 2014, I have witnessed board members, audit committees, and C-level executives try to understand the business ramifications of technology, and specifically of cyber risk. They describe conversations with risk managers that go something like this: “Thank you for providing us your top-10 risk issues and the technical education; but can you please explain what the financial impact of these high-risk issues is, relative to other corporate risks?” or, “Is there an ROI for the security budget we provided to you, one that either reduces our risk or helps us manage it more cost-effectively?”
- Business-aligned reporting needed; got outdated tools? Some risk managers embrace the challenge and look for ways to meet the business needs of senior executives. Others raise barriers to change, become defensive, and continue to operate within their comfort zone. Technology risk managers often feel trapped between a rock and a hard place. They hear the requests for business-centric analysis from senior executives, yet their toolbox consists of staff with outdated or limited skills, burdensome compliance frameworks, spreadsheets, heat maps, and processes that do not support quantitative analysis in financial terms.
- Going beyond legacy approaches. I have witnessed the emergence of a new class of risk analysts who have the drive, ambition, and aptitude to learn new quantitative risk analysis skills. These analysts are sometimes beholden to outdated processes, legacy compliance checklists, and merely qualitative risk analysis methods. When provided with the right tools, they are able to deliver a whole new level of value for the organization, speak in a language - dollars and cents - that the business understands, and ultimately help achieve the right balance between protecting the organization and running the business.
Improving Awareness, Education, & Platforms
After many customer engagements, we have recognized that three common steps are necessary to change the technology and cyber risk analysis paradigm:
- Start with educational sessions for C-level executives to enhance their awareness of new and credible technology risk measurement, analysis, and reporting capabilities. They are the ones who will most appreciate the value of analysis results in line with business expectations.
- Continue by educating the managers and analysts on new models that allow the quantification of technology risk, such as Factor Analysis of Information Risk (FAIR). FAIR provides the foundation for translating technology and cyber risk issues into business terms.
- Demonstrate early wins of your new quantitative risk management strategy by using FAIR-based software such as RiskLens. Here are some case studies demonstrating such early wins by organizations that have already gone down this path.
I believe the changing technology risk paradigm represents a choice for risk professionals: align with the 21st century business imperatives that can elevate their profile within their own organizations, or face a steady slide into obsolescence. An Oxford Economics study released in 2015 shows that the number one issue employees face is the obsolescence of their own skills. In next week’s blog, I will continue to draw on the observations of this blog and highlight where technology risk teams have been retrained or, in some cases, replaced to meet the needs of the business.