A CISO’s initial objective for a quantitative risk management program (QRMP), is often improving visibility of technology risks to a board or executive committee. While the risk analyst team gets to work with stakeholders to identify top technology risks, quantify them, and prepare reporting, there are preparatory activities that a CISO needs to do as well. Following is some advice from CISOs who have been there and done that.
Step 1: Set the Expectations of the Board
As I wrote in my previous blog post (CISOs: Ensuring a Successful Quantitative Risk Management Program Launch), successful quantitative risk management programs are built on the conviction of the CISO. The CISO envisions the value and makes the program happen. The same conviction is needed when preparing the board for quantitative reporting on technology or cyber risk.
Leanne Scott is a Customer Success Executive for RiskLens
Before that first quantitative risk report, set the expectation that a new form of reporting is coming. Provide a compelling business case for why change is needed and why change is possible, thanks to FAIR™, the international standard for measuring cyber risk in financial terms for business communication. Also explain the key benefits and the expected timeline for a QRMP. RiskLens customer success executives can help you prepare the message, present the information and/or provide support (for instance, to write a program charter).
Train your team in FAIR quantitative risk management. Learn more.
Step 2: Forge Relationships - Everyone Consumes Data Differently
One of my customers told me that his greatest takeaway from years of risk quantification is that everyone consumes data differently. Risk can be a hard concept to understand. Meeting one on one with board members to ensure they understand the meaning of risk (or loss exposure in FAIR terms) will help you compose your results and will set the stage when you report risks quantitatively the first time.
As an example from another customer, after the CISO set the expectation with his board, one of the board members asked to meet with him one on one. After 90 minutes of talking through the quantitative approach and reasoning, the board member was satisfied and gave the program 100% support.
Step 3: Commit to the Switch to Cyber Risk Quantification
Sometimes a risk organization will quantify cyber risks only to convert the information to the familiar heat map when reporting to the board. While there may be valid reasons for doing so, use quantified results to add value, even incrementally, to your reports. Perhaps that means adding financial ranges to your heat maps and financial values to your risk themes.
As the board appreciates the new insights quantification brings, more value can be added especially as you continue meeting with board members, learning how they consume data, and showing them the possibilities. Learn more here: 4 Steps to a Smarter Risk Heat Map.
After all the effort to implement a quantitative risk management program, you want the program to thrive. It will do so if stakeholders, and especially the board, appreciate its value and demand it. With some planning and preparation, you’ll have a captive audience.