How CISOs Build Credibility with Boards on Cyber Risk Reporting

April 12, 2023  Jeff B. Copeland

The influential Director’s Handbook on Cyber-Risk Oversight, recently released by the National Association of Corporate Directors (NACD), sets its first principle as “Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.”

Board Meeting - Executive Board Reporting from RiskLens 3It’s also a challenge to CISOs and other security and risk executives – increasingly called to account by boards on cyber risk -- to move up from the technical details of vulnerabilities patched or controls added and see cyber risk from the board’s point of view.  

Questions about Cyber Risk Management that Boards Want Answered: 

  • What’s the return on investment for our cybersecurity program? Boards have a fiduciary responsibility to oversee management’s performance based on clear financial metrics showing cyber risk reduction for dollars spent.
  • What threats pose a material risk to our organization? CISOs should be able to present a ranked list of top risks for financial impact and show how the organization is cost effectively prioritizing security initiatives against those risks.
  • What is our aggregate risk? An important function of the board is to guide management to develop a risk appetite statement based on quantified tolerance levels.
  • Are we in compliance with the demands of our regulators who increasingly want to see quick reporting on material risks and ongoing reporting on aggregate risk in financial terms? (See the expected new rules from the SEC.)
  • How do we compare in cybersecurity risk and performance to industry average benchmarks? Directors make benchmark comparisons across a range of metrics (financial performance, executive compensation, etc.) and cybersecurity management should follow in line.

The RiskLens Executive Board Reporting Service Answers Corporate Directors’ Concerns about Cyber Risk 

Executive Board Reporting, a new service from RiskLens, provides customized, quarterly cyber risk reports in non-technical, business-friendly formats with financial metrics suitable for presentation to the board, executive leadership, and other critical stakeholders. These reports include top risk and aggregate risk reports, measurable risk appetite statements, key cost-benefit analyses and more quantitative cyber risk analysis.

3 Ways RiskLens Executive Board Reporting Builds Credibility for CISOs, CROs and Other Risk and Security Executives

1. Risk quantification based on an open, trusted, and defensible standard: FAIR™

 RiskLens bases its cyber risk analysis work on FAIR (Factor Analysis of Information Risk), the only open and independently-validated standard for cyber risk quantification (CRQ) in financial terms, recognized by the NIST Cybersecurity Framework and other authorities. In a marketplace crowded with “black box” solutions for cyber risk analysis, RiskLens provides a defensible answer to the inevitable question from the board, “Where did you get the numbers?” 

2. Aligned with NACD and other guidelines for boards on cyber risk oversight and governance

The NACD Directors Handbook on Cyber-Risk Oversight and the World Economic Forum (WEF) Principles for Board Governance of Cyber Risk both recommend boards demand reporting on cyber risk in business-friendly, non-technical terms. The WEF says, “Instruct management to establish a consistent framework, using industry-accepted risk quantification models, for calculating the potential economic impact and likelihood of cybersecurity scenarios” – essentially an endorsement of the quantitative, scenario-based methods of FAIR.

 3. Grounded in industry benchmark data on cyber risk

The RiskLens data science team maintains the industry’s most comprehensive set of cyber risk benchmark data to support the RiskLens quantitative risk analytics platform. CISOs can demonstrate RiskLens data science credibility with our My Cyber Risk Benchmark tool and the RiskLens Annual Cybersecurity Risk Report.

Cyber risk quantification offers the most effective way to create a common language between technical and business decision makers. For more than a decade, RiskLens has served hundreds of organizations of all industries and sizes, and with a range of CRQ priorities and unique reporting needs. Contact us to learn how the Executive Board Reporting service can bring the benefits of CRQ to your organization.