Organizations are investing more time and resources to best assess, analyze, and mitigate cyber risks. Often, an IT Security Council is tasked with reviewing the priorities of technology-related risks and their treatment throughout the organization.
As cybersecurity continues to pose an increasingly significant threat to the bottom line and the ongoing sustainability of business operations, the responsibility of this Council has increased in parallel.
As a result, it’s crucial for this team to have a unified and transparent approach to effectively communicate and ultimately make decisions regarding the treatment of their top risks.
Think back to the last time this committee convened for your organization. Was there disagreement, or maybe a struggle to reach consensus on risk prioritization and action plans?
Before outlining how IT Security Council can overcome this, let’s learn a bit more about them.
While there is no standard template for members who comprise this committee, we commonly see representatives from information security, IT audit, operational risk/ERM, compliance, legal, and/or line of business. Often times, the chief security officer for the organization will chair this committee.
This wide range of roles and responsibilities present in the Council allows for a comprehensive discussion of the overall risk posture, of what issues need most immediate treatment and of the efficacy of mitigation tactics throughout the organization.
IT Security Councils gather to continually assess an organization’s risk landscape and the effectiveness of the various controls and procedures in place.
This is typically done by reviewing risk assessments supported by commentary from a CISO or other senior security/risk executive and is intended to validate priorities and allow for the group to agree on action plans.
In a perfect world, consensus is reached without much headache. Top risks would be clearly identified and agreed upon, while mitigation tactics would be apparent. Unfortunately, this isn’t the case for many organizations.
A few weeks ago, I was speaking with the CISO of a large manufacturing company who came from an audit background. We got on the subject of internal communication related to cyber risk and he shared an observation he’s made during his tenure. During each gathering of his IT Security Council, members seriously struggle to communicate effectively and lack a common approach. The top risk assessments generated by his team are completely unrelated to the tasks the audit group outlines. The compliance team thinks one of the “orange” risks is actually a “red” risk. It’s a mess.
Long story short, their ineffective communication directly hinders their understanding of the true risks and therefore the decisions they make in order to treat. After explaining this is a challenge we run into regularly, we began discussing what can be done to resolve it.
What’s needed is for organizations to look at cyber risks as business issues rather than just a security or technology problem. From there, the implementation of a common taxonomy and system for assessing and making decisions regarding risk will allow for more effective communication among key stakeholders.
While this is truly a cultural shift, the organizations embracing an approach like this are finding common ground on understanding their threat environment, tracking risk exposure versus risk tolerance, and can defensibly show the effectiveness of key controls.
The FAIR risk model allows for more effective communication by outlining a standard language and internationally accepted model to translate cyber risk into financial terms.
By taking a step beyond traditional qualitative risk assessment methodologies like heat maps and ordinal scales, organizations are finding their IT Security Councils can make decisions that are risk based and economically driven.
The RiskLens platform is purpose built on the FAIR model and allows organizations to:
There’s no doubt that IT Security Councils will continue to play an increasingly important protective role for major organizations. As a result, it’s vital that they’re able to swiftly and effectively validate priorities and reach agreement on action plans. By translating cyber risk into financial terms, they’re able to do just that.
You’ve acknowledged that your IT Security Committee can improve communication and are intrigued by the concept of risk quantification, or considering risk in financial terms. But what’s the first step?
Some organizations decide FAIR training for key stakeholders is a great place to begin, others opt for adding a financial element to existing reports as a means of introducing the organization to this method.
While there’s no silver bullet answer, we’d love to discuss how we can help you and your organization embrace a more effective means to communicate.