How to Communicate the Impact of Information Risk on Business Outcomes

January 23, 2019  Jack Jones

1. Enable Financially Driven Business Decision Making

The effectiveness of Chief Information Risk Officers (CIROs), CISOs and other risk and security professionals as facilitators of business decision making depends on adopting a financially driven, business-aligned approach to managing information risk.

  • Beyond FUD: board and management-level presentations about cyber risk that stay at a technical or qualitative level, often grounded in FUD (Fear, Uncertainty and Doubt), do not allow for objective business analysis or effective decision-making and should become a thing of the past
  • A modern communication approach captures the wealth of risk-relevant information an organization already collects, whether deliberately or not, and translates it into financial terms that the business can understand and use as a basis for effective decision making

2. Support Conscious and Explicit Choices About Managing Information Risk

Using financial data helps organizations to be proactive in deciding where they want to be on their risk and security investment continuum.

  • Risk posture is a choice, whether implicit or explicit: every decision made as part of a risk or security program influences where the organization ends up risk-wise
  • Trade-offs: an organization can choose either to invest more resources and experience less risk, or to invest less and experience more risk
  • Compliance vs. risk: most organizations treat this investment decision as a compliance check-box exercise, with little regard to the real risks the organization faces
  • A financially driven, risk-based approach helps executives understand the business impact of decisions and select the controls that actually help the organization succeed
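The trade-off above only becomes a business decision once each point on the investment continuum is priced in dollars. The following is an added illustration, not code from the article or from its author, of one way to do that: it scores three risk postures by annual control spend plus expected annual loss, and by how often a simulated year exceeds a stated loss tolerance. The loss model (Poisson loss-event frequency, lognormal loss magnitude per event) is this example's assumption, not something the article specifies, and every posture name, dollar figure, rate and tolerance threshold is constructed for the illustration.

```python
"""Compare risk-posture choices in dollars.

Added example with an assumed loss model (not the article's):
  loss events per year ~ Poisson(event_rate)
  loss per event       ~ lognormal(median=loss_median, sigma=loss_sigma)
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    name: str
    annual_control_spend: float  # dollars invested in controls per year (assumed)
    event_rate: float            # expected loss events per year under this posture (assumed)
    loss_median: float           # median dollar loss per event (assumed)
    loss_sigma: float            # spread of per-event loss on a log scale (assumed)


# Three constructed points on the investment continuum; every figure is made up.
INVEST_LESS = Posture("Invest less", 200_000, 2.0, 300_000, 1.0)
INVEST_MORE = Posture("Invest more", 900_000, 0.8, 150_000, 1.0)
INVEST_HEAVILY = Posture("Invest heavily", 2_500_000, 0.3, 100_000, 1.0)


def expected_loss_per_event(p: Posture) -> float:
    # Mean of a lognormal with median m and sigma s is m * exp(s^2 / 2).
    return p.loss_median * math.exp(p.loss_sigma ** 2 / 2)


def expected_annual_loss(p: Posture) -> float:
    # Closed form: expected events per year times expected loss per event.
    return p.event_rate * expected_loss_per_event(p)


def expected_total_cost(p: Posture) -> float:
    # What the posture costs in expectation: control spend plus expected loss.
    return p.annual_control_spend + expected_annual_loss(p)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; adequate for the small event rates used here.
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def simulate_annual_losses(p: Posture, years: int, seed: int) -> list:
    # Monte Carlo over `years` simulated years; each year sums its events' losses.
    rng = random.Random(seed)
    out = []
    for _ in range(years):
        n_events = _poisson(rng, p.event_rate)
        out.append(sum(rng.lognormvariate(math.log(p.loss_median), p.loss_sigma)
                       for _ in range(n_events)))
    return out


def percentile(values: list, q: float) -> float:
    s = sorted(values)
    return s[min(len(s) - 1, int(round(q * (len(s) - 1))))]


def compare(postures, loss_tolerance: float, years: int = 10_000, seed: int = 7) -> list:
    """One row per posture: the figures a board can weigh against each other."""
    rows = []
    for p in postures:
        losses = simulate_annual_losses(p, years, seed)
        rows.append({
            "posture": p.name,
            "control_spend": p.annual_control_spend,
            "expected_annual_loss": expected_annual_loss(p),
            "expected_total_cost": expected_total_cost(p),
            "simulated_mean_loss": sum(losses) / years,
            "loss_p95": percentile(losses, 0.95),
            # Share of simulated years whose losses exceed the stated tolerance.
            "p_exceed_tolerance": sum(1 for x in losses if x > loss_tolerance) / years,
        })
    return rows


if __name__ == "__main__":
    for r in compare([INVEST_LESS, INVEST_MORE, INVEST_HEAVILY], loss_tolerance=2_000_000):
        print(f"{r['posture']:<15} spend ${r['control_spend']:>11,.0f}  "
              f"EAL ${r['expected_annual_loss']:>11,.0f}  "
              f"total ${r['expected_total_cost']:>11,.0f}  "
              f"p95 loss ${r['loss_p95']:>11,.0f}  "
              f"P(loss > $2M) {r['p_exceed_tolerance']:.1%}")
```

Under these assumed numbers the middle posture is the cheapest in expectation even though its control budget is four and a half times the "invest less" budget, and the heaviest posture buys a thin tail at a price the expected-loss column cannot justify. The p95 and tolerance columns are what distinguish "less risk" from "lower average cost": they are the figures to put in front of a board that has to choose a posture, not a vulnerability count.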

3. Reset a Failing Information Risk Program

Stop confusing non-IT stakeholders with technical jargon and learn to communicate effectively to boards of directors and business executives.

  • Utilize a common language that all stakeholders (board of directors, operations and IT) can understand: dollars and cents
  • Help them understand the organization's exposure to cyber risk in financial terms

Provide a decision-making framework for prioritizing risk mitigation, optimizing security investments and transferring risk.