A Forbes online article makes the observation “When CEOs Talk Strategy, 70% of the Company Doesn’t Get It.” The article goes on to say that even in high-performing companies with “clearly articulated public strategies,” only 30% of employees can correctly identify their company’s strategy.
When visiting prospects and customers, I have witnessed the same misalignment, especially in their cybersecurity and technology operational risk initiatives.
In fact, the information risk profession, with its emphasis on compliance checklists as the measure of success, actually promotes heads-down, IT-centric management that lacks a “big picture” perspective on the organization’s overall mission, vision and financial objectives, and on the critical assets, business processes and internal/external resources that ensure its success.
The result is dead-end conversations like this:
Chief Technology Risk Officer to a C-Level risk committee: “We have a high risk facing our company called jailbreaking the cloud. Our employees utilize mobile devices which may include compromised apps providing cybercriminals a way to attack our private corporate systems.”
CEO response: “Please put this into perspective for me… We are currently dealing with assessing and paying claims as a result of two hurricanes, supporting losses far north of $2B. Explain to me how ‘jailbreaking the cloud’ is relevant. What’s the probability of this happening and what is the potential impact to our organization?”
The most successful risk management operations that I encounter include the following three elements:
Clarity of Business Objectives
Within the scope of cybersecurity and information technology operational risk, C-Level executives need to clearly articulate the mission, strategic goals, and financial objectives of the organization to the organization’s risk committees, CIO, CISO, CRO and CTRO. Only then can risk associated to the strategic assets, business processes, and people be evaluated.
Responsibility, Accountability, and Authority to Manage
As a US Air Force veteran, I understand chain of command and the significance of rank; in most cases, a higher rank designates a more complete understanding of the overall mission. Along with clarity of mission, a higher rank designation includes additional responsibilities, accountability, and appropriate levels of authority to manage and execute.
On multiple occasions, I have walked away from prospect or customer risk advisory meetings where risk executives tell me that they cannot define critical assets or processes supporting the most important functions of the business.
Inherently, CIOs and CROs should already understand the organization’s strategic objectives, cost, and revenue structure; it is therefore natural for most in these positions to put risk into perspective.
I mean no disrespect by making this statement… If you are a CISO, CTRO, or senior risk management executive, and you can’t identify when the confidentiality, integrity, or availability of strategic business assets is at risk, your contribution is questionable and your career is limited.
Alignment of Risk Management Activities
Once we have established that you are of sufficient “rank”, or better yet, that you are well-informed and responsible for measuring, analyzing, and reporting on risk from a business (economic) perspective, it is time to align risk management activities with the priorities of the business.
Risk scenarios will still come from audit findings, your controls group, threat intelligence teams, and other internal/external sources. It’s your job to know the strategic objectives of your business to contextualize the analysis results.
Let’s replay that earlier conversation, with a more meaningful context:
Chief Technology Risk Officer to a C-Level risk committee: “The number one risk facing our company is called jailbreaking the cloud. At least 50% of our 4,000 employees utilize corporate-connected mobile devices which may include compromised apps providing cybercriminals a way to attack our private claims processing systems, potentially enabling cybercriminals to divert up to $550M of hurricane claims payments to non-authorized payees.”
With the restated risk scenario in C-Level business terms, we have identified an asset or business process, a threat actor, and a potential loss magnitude. With respect to the “big picture”, this would be very relevant to the company.