At RiskLens, we study and try to exemplify the principles in The 7 Habits of Highly Effective People by Stephen R. Covey, especially Habit 2: Begin with the End in Mind. While the book refers to self-improvement with this habit, we expand its meaning to our daily work in the cyber risk field. Whether a person is building a product or planning a meeting, she starts by asking herself, “what is the outcome I want to achieve?”
I was thinking about this in terms of CISOs reporting on cyber risk to the board of directors. Being a CISO of an organization, you may not think you are in a position to report to the board, but I assure you that is changing. Among our customers, we are finding it more commonplace for CISO’s to do just that. If they aren’t already, boards will soon be asking tough questions about cyber preparedness and gauging whether the CISO is prepared to answer those questions.
So, start planning for it. Habit 2 is about leadership and knowing the right things for you and your team to be working on and working towards. Your team is undoubtedly busy; we continually hear about understaffed risk management departments. But are their activities progressing down the right path and to the right end?
|“To begin with the end in mind means to start with a clear understanding of your destination. It means to know where you’re going so that you better understand where you are now and so that the steps you take are always in the right direction.” Stephen R. Covey|
Think about your end: When you finish your presentation to the board, what do you want the directors to know? Your score on a maturity model that doesn’t translate to a whole lot of anything? Or the financial exposure of your organization’s top cyber and technology risks.
How do you want them to feel about the status of cyber risk in the company? Unsure and scared that they’re going to get hit with a lawsuit? Or comfortable that you have a full grasp on what’s most important to the company.
How do you want them to look during the last minute of your presentation? Bored, confused and oh so happy you are almost done? Or alert, fully engaged and asking questions about your assumptions.
The board is not composed of technical people and lower level operational data or defensive statistics are not what they are interested in any way. They want to know what cyber risks exist that could prevent the company from achieving their strategic objectives. And they want to know how you are cost-effectively managing those risks.
Read more: A Board's Wish List for the CISO
Working backwards, what information do you need in order to satisfy those outcomes?
- The strategic business objectives of the company
- The business processes that directly enable the achievement of those strategic business objectives.
- The assets that support those business processes
- The top risks (loss events) to those assets and business processes
- The loss exposure of those risks communicated in terms that the business understands (monetary)
What data is needed to compile that information? Since you want the loss exposure to be expressed in monetary terms, you can use FAIR risk analysis to calculate those results. That means that for each of your top loss events you need the following data for those assets:
- What kind of data are on those assets? PII? PHI?
- Data about prior losses on those assets
- Trend data about attempted attacks
- What controls are protecting those assets
- Who are your primary threats?
- When an outage occurs, what is the response plan? Is it thorough, complete and tested?
- What biproducts could occur because of the outage?
You can get a sense for how this data is used in one of our case studies.
Ask yourself these questions about your data:
- Do you have this data documented?
- What tools need to be implemented in order for you to obtain a complete picture of this data?
- With whom do you need to have a good working relationship in order to get the data and help you need when you need it?
Once you have the data you need to produce loss exposure in financial terms of each of your top risks, you have relevant information to share with the board.
To make that last leap towards reaching your “end in mind,” fine tune your presentation and message points. Undoubtedly, you will present loss exposure amounts that are uncomfortable and worrisome, and you won’t feel so popular. But that’s an opportunity to demonstrate your preparedness. For instance, addressing the top risks to the organization, you can show the alternative mitigation solutions you have identified and show return on investment. Over time, you will report on the status of those projects and how your company’s top risks shift as solutions are implemented, as business objectives are updated, and as the threat landscape changes.
A board of directors needs to know that the company is cost-effectively managing cyber risk. “Starting with the end in mind” gives a CISO, a well-thought-out target to plan for and achieve, instead of going into a meeting with just another status update of your business-irrelevant metrics. In working backwards, you can start by ensuring your company has the technology and tools necessary to provide the right data that will roll up to the right information of interest to the board. Don’t wait too long to start this endeavor; the CISO’s time is coming.
The RiskLens platform is the only application purpose built on FAIR to power cyber risk analytics from the financial perspective that boards need. Gartner calls cyber risk quantification a must-have for integrated risk management. An estimated 30% of the Fortune 100 now run the FAIR model in their risk management shops.