How to Communicate the Impact of Information Risk on Business Outcomes

by Jack Jones on Apr 30, 2015 1:06:00 PM

1. Enable Financially Driven Business Decision Making

The effectiveness of Chief Information Risk Officers (CIROs), CISOs and other risk and security professionals as facilitators of business decision making depends on the implementation of a financially-driven, business-aligned approach to managing information risk.

  • Beyond FUD: conducting board and management-level presentations about cyber risk at a technical or qualitative level, often based on FUD (Fear, Uncertainty and Doubt), doesn't allow for objective business analysis or effective decision-making and should become a thing of the past
  • A modern communication approach captures the wealth of information that an organization is already collecting, consciously or not, and translates it into financial terms that the business can understand and use as a basis for effective decision making

2. Support Conscious and Explicit Choices About Managing Information Risk

Using financial data helps organizations to be proactive in deciding where they want to be on their risk and security investment continuum.

  • Risk posture is a choice, whether implicit or explicit: every choice made as part of a risk or security program influences where the organization ends up risk-wise
  • Trade-offs: an organization can choose either to invest more resources and experience less risk, or to invest less and experience more risk
  • Compliance vs. risk: most organizations treat this decision as a compliance check-box exercise with little regard to the real risks the organization faces
  • A financially-driven, risk-based approach helps executives understand the business impact of decisions and select the controls that actually help the organization succeed

3. Reset a Failing Information Risk Program

Stop confusing non-IT stakeholders with technical jargon and learn to communicate effectively to boards of directors and business executives.

  • Utilize a common language that all stakeholders (board of directors, operations and IT) can understand: dollars and cents
  • Help them understand the organization's exposure to cyber risk in financial terms

Provide a decision-making framework for prioritizing risk mitigation, optimizing security investments and transferring risk.


Jack Jones is Co-Founder and Chief Risk Scientist of RiskLens. He has worked in technology for over 30 years, the past 28 years in information security and risk management. He has a decade of experience as a Chief Information Security Officer (CISO) with three different companies, including a Fortune 100 financial services company. His work there was recognized in 2006 when he received the Information Systems Security Association (ISSA) Excellence in the Field of Security Practices award. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012, he was honored with the CSO Compass Award for leadership in risk management. Jones, who lives in Spokane, Washington, has served on the ISACA CRISC Certification Committee and RiskIT Task Force, as well as the ISC2 Ethics Committee. He is the author and creator of the Factor Analysis of Information Risk (FAIR) framework. He writes about that system in his book Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016, as a must-read in the profession.
