Corporate governance expert and RiskLens board member James Lam tells the Wall Street Journal’s Cyber Daily (subscription required) that CISOs and CIOs should stop reporting on cyber risk with “silly” metrics like attempted malware attacks, because boards of directors need to weigh cybersecurity investment against other corporate priorities on the basis of financial measurements.
Metrics like malware attempts “drive me nuts,” James tells the Journal. “If the number goes up, maybe it’s because cyber criminals are becoming more active. If the number goes down, what does that mean – criminals are now in? That’s not something you bring to the board.”
“CISOs might say, ‘I can’t quantify potential loss’,” James continues. “I’ve heard that from other risk professionals for a long time. With cyber, unfortunately, we do have a lot of data on losses [so] you could quantify it. If CISOs push back on quantifying potential loss, I find that unacceptable as a director.” CISOs and CIOs “need to advance,” James tells the Journal.
Read “Tech Leaders Should Avoid ‘Silly’ Metrics in the Boardroom, Risk Expert Advises” by Kim S. Nash in WSJ Pro Cybersecurity’s Cyber Daily (subscription required).
E*TRADE Financial Corp., the online brokerage where James chairs the Risk Oversight Committee of the Board, manages risk from an enterprise point of view, evaluating cyber risk against risk related to financial regulation, fintech competition and changing investor habits, the Journal writes.
James is the author of Enterprise Risk Management (Wiley, 2003; second edition, 2014), a standard text and Amazon best seller in the ERM field, and more recently Implementing Enterprise Risk Management (Wiley, 2017).
A RiskLens board member since April, James sees the FAIR model and the RiskLens Cyber Risk Quantification platform as the way for CISOs to “advance.” “I see RiskLens as the right product at the right time,” James told the RiskLens blog in April. “The association with the FAIR Institute gives the company a distinct advantage in terms of having a widely accepted risk quantification methodology.”
The Journal’s interest in cyber risk quantification is another sign of rising expectations from boards and senior management for greater visibility into cyber risk management. James and FAIR model creator (and RiskLens Chief Scientist) Jack Jones were recently invited by the National Association of Corporate Directors (NACD) to co-write Getting the Right Cybersecurity Metrics and Reports for Your Board, a detailed guide for CISOs and CIOs on financial reporting of cyber risk. Membership in the FAIR Institute recently hit 3,600, almost doubling this year, and an estimated 30% of Fortune 100 companies are using FAIR analysis.