CIO Dive's takeaway: “The board of directors wants risk articulated in terms of tradeoffs and return on investment. (But) the current iteration of risk evaluation heat maps is akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.”
Writer Samantha Ann Schwartz goes on to quote Lam and Inglis extensively from their appearance in the FAIRCON19 session "Pen Testing Your Board Pitch: An Interactive Exercise", a session that had some audience members squirming as participants re-enacted a typical CISO board report, with risk imprecisely presented on a heat map.
“Heat maps are one of the worst things that happened to risk assessment,” James Lam is quoted as saying. “Can you imagine a CEO coming in saying ‘Our sales were green, and our expenses were yellow, so profitability was orange’?” Chris Inglis added that “these charts are designed to make us uncomfortable.”
“Having a methodology behind risk assessment like Factor Analysis of Information Risk (FAIR) provides consistency in evaluation and quantification,” Schwartz writes. “From there, a risk team can use data to make scenarios and assumptions” in the same financial terms on which the rest of the business runs.
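As an added, simplified illustration of the quantification step Schwartz describes (this is example code written for this post, not code from the CIO Dive article, from the RiskLens platform, or from the FAIR standard itself): FAIR decomposes risk into loss event frequency (threat event frequency times vulnerability) and loss magnitude (primary plus secondary loss), and a Monte Carlo run over calibrated ranges turns those estimates into an annualized loss distribution in dollars, which is the kind of number a board can weigh against a control's cost. The `Scenario` and `Range` names, the triangular distributions (FAIR tooling typically uses PERT/beta curves), the Poisson model for the number of loss events per year, and every range value in the sample scenario are assumptions made here for the example.

```python
"""FAIR-style Monte Carlo estimate of annualized loss for one risk scenario.

Added illustration for this post; not RiskLens platform code and not a
reference implementation of the FAIR standard. Distribution shapes, the
Poisson event-count model and all range values are assumptions made here.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass
class Range:
    """Calibrated estimate: minimum, most likely, maximum."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: triangular as a stand-in for the PERT/beta curves
        # FAIR tooling usually fits to calibrated estimates.
        if self.high == self.low:
            return self.low
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass
class Scenario:
    """One loss scenario decomposed along the FAIR ontology."""
    name: str
    tef: Range             # threat event frequency, attacker contacts per year
    vulnerability: Range   # probability a threat event becomes a loss event
    primary_loss: Range    # dollars per loss event: response, replacement, downtime
    secondary_loss: Range  # dollars per loss event: fines, legal, customer churn


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: integer count of loss events given expected rate lam."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss (in dollars) per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = max(scenario.tef.sample(rng), 0.0)
        vuln = min(max(scenario.vulnerability.sample(rng), 0.0), 1.0)
        lef = tef * vuln                      # loss event frequency, events per year
        total = 0.0
        for _ in range(poisson(rng, lef)):    # each loss event gets its own magnitude draw
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    idx = min(int(q * len(ordered)), len(ordered) - 1)
    return ordered[idx]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: list[float]) -> dict[str, float]:
    """Board-ready numbers: expected annual loss plus the tails."""
    return {
        "ale_mean": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": max(losses),
    }


# Constructed example scenario; the ranges are invented for illustration only.
RANSOMWARE_ON_FILE_SERVERS = Scenario(
    name="ransomware detonates on a business-unit file share",
    tef=Range(2, 6, 12),
    vulnerability=Range(0.10, 0.30, 0.60),
    primary_loss=Range(50_000, 150_000, 400_000),
    secondary_loss=Range(0, 50_000, 300_000),
)

if __name__ == "__main__":
    sim = simulate_annual_loss(RANSOMWARE_ON_FILE_SERVERS)
    stats = summarize(sim)
    print(f"Scenario: {RANSOMWARE_ON_FILE_SERVERS.name}")
    for key, value in stats.items():
        print(f"  {key:>8}: ${value:,.0f}")
    for bar in (250_000, 1_000_000, 2_500_000):
        print(f"  P(loss > ${bar:,}) = {exceedance_probability(sim, bar):.1%}")
```

The output is the contrast the panelists were drawing: instead of a cell on a five-by-five grid, the board sees an expected annual loss, a 90th-percentile bad year, and the probability of exceeding a threshold that maps to a real budget line, all derived from the same calibrated estimates and reproducible from the same seed.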
"Then the team can tie the context of the risk appetite back to a place the board can understand," Schwartz continues, such as:
“It’s a ‘breath-taking moment’ when someone from IT can say they read the business plan during a board pitch,” the article wraps up, quoting Inglis.
Lam and Inglis each capped off the session with their 5 questions/talking points that any CISO should answer for a killer board presentation.
James Lam:
Chris Inglis:
With the RiskLens platform, powered by FAIR analysis, IT and cybersecurity teams have escaped the heat map and are communicating cyber risk in financial terms. Set yourself up for a breath-taking moment at your next board presentation – contact us to learn more.