CIO Dive is out with an article, "5 Questions the Board Wants Answered During Risk Assessments," that covers the recent FAIR Conference panel led by RiskLens Advisory Board Member James Lam – who also serves as head of the risk committee for the E*TRADE board – and FedEx Board Member Chris Inglis.
CIO Dive's takeaway: “The board of directors wants risk articulated in terms of tradeoffs and return on investment. (But) the current iteration of risk evaluation heat maps is akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.”
Writer Samantha Ann Schwartz goes on to quote Lam and Inglis extensively from their appearance at the "Pen Testing Your Board Pitch: An Interactive Exercise" session at FAIRCON19 – a session that had some audience members squirming as participants re-enacted a typical CISO board report, with risk imprecisely presented on a heat map.
"Heat maps are one of the worst things that happened to risk assessment," James Lam is quoted as saying. "Can you imagine a CEO coming in saying 'Our sales were green, and our expenses were yellow, so profitability was orange'." Chris Inglis said "these charts are designed to make us uncomfortable."
“Having a methodology behind risk assessment like Factor Analysis of Information Risk (FAIR) provides consistency in evaluation and quantification,” Schwartz writes. “From there, a risk team can use data to make scenarios and assumptions” in the same financial terms on which the rest of the business runs.
"Then the team can tie the context of the risk appetite back to a place the board can understand," Schwartz continues, such as:
- How do we tie that to whether we should go to the cloud?
- How will it impact insurance?
- Do we need to add more controls?
"It's a 'breathtaking moment' when someone from IT can say they read the business plan during a board pitch," the article wraps up, quoting Inglis.
Lam and Inglis each capped off the session with five questions or talking points (ten in all, listed below) that any CISO should be ready to answer for a strong board presentation.
- Tell them what’s going on in the cyber threat environment
- Tell them what our security posture looks like from the outside looking in (pen testing, a security rating, etc.)
- What’s our security assessment from the inside looking out (NIST maturity assessment or time to detect, or other control metrics)
- Show cyber risk exposure in quantified terms
- Are we making the right decisions, based on cybersecurity scenarios? (For instance, if we reduce the time to detect, how is that going to reduce our risk profile?)
- Are you defending the business or something less than the business like the digital infrastructure?
- Are the people authorized to take risks aligned with the people charged to mitigate risk?
- Have you done everything in your power to make digital infrastructure defensible? And tell me how with quantification.
- Are you actually defending it? A people performance question: Are defenses working as they should in real time?
- Have you used all the instruments of power at your disposal? (For instance, other groups within the organization or the FBI or third-party pen testers.) Or are you just using what’s in your tool bin?
With the RiskLens platform, powered by FAIR analysis, IT and cybersecurity teams have escaped the heat map and are communicating cyber risk in financial terms. Set yourself up for a breathtaking moment at your next board presentation – contact us to learn more.