“It’s not a question of if but when” a CISO will be called in to brief the board of directors, RiskLens CEO Nick Sanna writes in a new article for Infosecurity Magazine – and Rule 1 is “Know Your Audience.” The typical board member is “a former business executive who has led a variety of operational functions and has an orientation toward financial metrics.” A director wants to hear straightforward, businesslike answers to questions such as:
- How much risk do we have?
- What are our top risks?
- Are we spending too much or too little?
“Let’s be candid,” Nick writes. “Typical CISOs can’t answer the questions above in financial terms.” Instead, they’re focused on technical metrics, such as maturity scores achieved or controls implemented.
But now, “cyber risk quantification is enabling a completely new way of communicating and reporting on risk.”
To make the point, Nick shares charts showing outputs from analyses on the RiskLens Platform, based on the FAIR™ standard for cyber risk quantification.
“Dashboards, key risk indicators, ROI on security projects – this is a different level of communication than CISOs have been able to offer boards before” that “allows CISOs to make their support case in the bottom-line language the board wants to hear,” Nick writes.
Read the complete article Building a Cyber Risk Report Your Board Will Love in Infosecurity Magazine.
More recent recognition of FAIR and the business imperative for cyber risk quantification: