How to Speak Cyber Risk (and Be Understood by the Business)

December 12, 2019  Jeff B. Copeland

The recent Advisen survey of corporate risk managers found that “business interruption” from a cyber attack is now a top worry – business risk and cyber risk are now seen as one and the same. That’s led to an urgent change in expectations that cyber risk should be communicated not in technical terms but in business terms, with the same cost/benefit approach that enables decision-making across the enterprise.

The RiskLens platform is a powerful communication tool for:

  • Uniting the organization around a common standard for analyzing and managing risk. RiskLens operationalizes FAIR™, the international standard for quantifying cyber risk.
  • Running cyber risk analyses with outcomes in financial terms.

Four Steps to Start Effectively Communicating about Cyber Risk

1. Create a common understanding of cyber risk within your team.

It’s an education process with a big payoff. Socializing the RiskLens way of defining risk according to the FAIR standard, as a loss event with a quantifiable frequency of occurrence and magnitude of impact, changes the conversation in your team by getting everyone on the same page.

No more disputes based on differing definitions of “risk” as, for instance, “the cloud,” “nation state actors,” control deficiencies or other elements that may contribute to risk but aren’t by themselves a loss event.

Second, cyber risk management the RiskLens way starts with transparent inputs – data from your organization and industry sources – and produces analysis in readily understandable financial terms, keeping the team clear on direction.

Learn more: 

To Make Your Risk Management Program Fly, First Fix Your Language

2. Communicate to cooperate with other teams (like Audit)

RiskLens Professional Services consultants frequently run into this situation: the Information Security team eats up a lot of scarce work time responding to audit findings based on a discovered deficiency in controls – without regard to whether that deficiency poses a quantifiable risk. By running a RiskLens analysis, Infosec teams are able to respond defensibly to Audit when the degree of risk just isn’t worth the effort.

Socializing the RiskLens/FAIR approach in the organization opens the door to communicate with the wide range of other teams, from Enterprise Risk Management to Legal to IT Operations to Business Continuity by presenting cybersecurity issues in the financial terms that they already use to communicate among themselves.

Learn more: 

When Internal Audit and Infosecurity Teams Play Nice Together

How to Ensure Your IT Risk Committee Speaks the Same Language

3. Communicate cyber risk to senior management and the board

It’s been a classic mismatch for a long time: The C-suite and board members are eager to understand cyber risk in strategic, financial terms – CISOs have only been able to respond with patch counts, maturity models, subjective heat maps and other tech-speak.

Quantified cyber risk analytics finally bridges that gap. A CISO can answer the big picture questions, such as…

  • What are our top risks?
  • What’s the ROI on our security initiatives?
  • What is our risk appetite?
  • Can we meet regulatory requirements on cyber risk?

…with a rigor that aligns with what they’re hearing from the rest of enterprise risk management.
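To make the FAIR definition above concrete (risk = loss event frequency and loss magnitude) and the board’s ROI question answerable in the same terms, here is an added example that is not from the post or the RiskLens platform: a small Monte Carlo that turns calibrated min / most-likely / max estimates into an annualized loss distribution, then nets the loss a hypothetical control avoids against its cost. The scenario values, the triangular input distributions and the control are all constructed assumptions.

```python
import math
import random
import statistics

def poisson(rng, lam):
    """Draw a Poisson count by Knuth's method (fine for the small rates typical of loss events)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef, lm, years=10000, seed=7):
    """Return a list of simulated annual losses, one entry per simulated year.

    lef: (min, most_likely, max) loss event frequency per year
    lm:  (min, most_likely, max) loss magnitude per event, in currency units
    Both are calibrated estimates; triangular distributions are an assumption that keeps this dependency-free.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        rate = rng.triangular(lef[0], lef[2], lef[1])          # this year's event rate
        events = poisson(rng, rate)                            # how many loss events occurred
        results.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    return results

def summarize(losses):
    """Mean annualized loss exposure plus the percentiles a board usually asks about."""
    s = sorted(losses)
    return {"mean_ale": statistics.fmean(s), "median": s[len(s) // 2],
            "p90": s[int(0.9 * len(s))], "max": s[-1]}

def control_roi(baseline, with_control, annual_control_cost):
    """Expected annual loss avoided by the control minus what it costs: the ROI question in financial terms."""
    avoided = statistics.fmean(baseline) - statistics.fmean(with_control)
    return avoided - annual_control_cost

if __name__ == "__main__":
    # Constructed scenario (not from the post): ransomware outage of an order-processing system.
    magnitude = (50_000, 200_000, 1_000_000)
    baseline = simulate_annual_loss(lef=(0.1, 0.5, 2.0), lm=magnitude)
    # Hypothetical control (offline backups plus segmentation) assumed to halve frequency only.
    improved = simulate_annual_loss(lef=(0.05, 0.25, 1.0), lm=magnitude)
    print(summarize(baseline))
    print(f"net annual benefit of the control: {control_roi(baseline, improved, 120_000):,.0f}")
```

Swapping the triangular inputs for the organization’s own calibrated distributions is the only change needed to run this on a real scenario.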

Learn more:

You Can Have Answers by Your Next Board Meeting

Directors: Cybersecurity HAS Joined ERM

4. Align your cybersecurity program to meet the demands of regulators

Consider the recent developments: tougher cyber risk reporting requirements for public companies from the Securities and Exchange Commission, and for financial companies from the New York Department of Financial Services; new activism on data privacy protection from the European Union’s GDPR, the California Consumer Privacy Act enforcers, the Federal Trade Commission and the state attorneys general; and U.S. Federal Government mandates for better cyber risk assessment, management and reporting – based on impact to the agency.

All these developments drive home the point that organizations must have a defensible cybersecurity program based on a quantified approach to cyber risk that can stand up to outside scrutiny – and that organizations have a clear picture for themselves of their financial risk from data breaches or other cyber events that could put them in legal jeopardy.

Learn more:

Case Study: Using RiskLens to Meet GDPR and NYDFS Cyber Regulations

New on the RiskLens Platform: Out-of-the-Box Data on Fines & Judgments for Breach Risk Analysis