Seeking to improve board presentations
One of my favorite aspects of my job is that I have the opportunity to partner with CISOs and their teams to help them continually improve in the eyes of their boards of directors, executive teams, and cybersecurity/IT risk councils. During a conversation with a longtime client, he expressed an urge to present his team's major accomplishments to stakeholders in a way that they hadn't seen before. Rather than the usual CISO PowerPoint presentation on how they'd implemented A, B, and C controls and been found in compliance with X, Y, and Z checklists, how could he truly impress these various groups based on the accomplishments of his team over the previous 12 months?
Too often, CISOs are condemned for the downside and not rewarded for the upside. The key question is: how can you capture and communicate your accomplishments in a way that your stakeholders will understand and truly care about? Via the FAIR model and the RiskLens application, we were able to help him do just that.
Focusing on the right IT risk controls
To prepare for this presentation, he sought to demonstrate that the team hadn't been focusing on simply having more controls; they had focused on uncovering which controls mattered most, and those were the ones they had in place. To articulate this point, he chose to focus on the purchase of an Enterprise Mobility Management (EMM) tool that had been a pillar of their annual technology strategy and that had significant leadership oversight.
He leveraged this chart in the presentation:
"BYOD Current" is their loss exposure before the tool; "BYOD w/ EMM Solution" is their loss exposure following implementation.
Rather than simply stating that his team had successfully implemented the EMM tool, he was able to demonstrate that the implementation of the tool had led to an average annual risk reduction of about $22 million. As a result, his board and executive team were able to more clearly understand the significance of this accomplishment, because it was presented in a way that resonated with them rather than in technical jargon.
Driving out audit inefficiencies
A challenge this CISO had faced for most of his tenure at this organization was an inefficient means for his team to resolve audit findings. Often, time was wasted while his team and the audit group debated which findings to prioritize for immediate action. In an effort to resolve this, he quantified the risk associated with particular audit findings and presented it in a chart like this:
Risk associated with three audit findings expressed in monetary terms
This chart clearly shows that the center scenario, associated with patching compliance, carries the most potential risk. By translating the risk exposure into monetary terms, the organization was able to clearly articulate which audit findings presented the most risk to the business, leading to a more efficient means of resolution. Eliminating this pain and inefficiency from their risk management program is another accomplishment that resonated with his key stakeholders.
This forward-looking CISO was able to improve the way he presents his team's accomplishments throughout the organization by quantifying risk via the FAIR model and the RiskLens solution. While "check the box" approaches to cybersecurity create overspending in some areas and unacceptable levels of risk in others, quantification allowed him to demonstrate that he was focusing on the right controls and leading an increasingly efficient program.