The stakes for board members in cybersecurity are higher than ever, with cyber attacks posing material risks to corporations, either by directly crippling operations or by breaching data on a massive scale, and regulators increasingly looking to hold board members accountable for disclosing and getting ahead of cyber risks.
Against that background, Jack Jones, RiskLens Chief Risk Scientist and creator of the FAIR model for cyber risk quantification, joins a panel on data privacy and cybersecurity at the National Association of Corporate Directors (NACD) Global Board Leaders Summit, Sept. 23 in Washington, DC.
At the NACD Summit: Meet RiskLens executives, get your questions answered on the benefits of adding cyber risk quantification to your cybersecurity program with the RiskLens Platform. Visit us at booth 129!
Jack has long advocated that boards don’t get the clarity they need on cybersecurity from the typical CISO reporting, which runs toward imprecise scorecards like “maturity ratings” or highly technical jargon that doesn’t translate to the financial language of business.
In an article for the NACD Board Talk blog last year, Getting the Right Cybersecurity Metrics and Reports for Your Board, Jack and James Lam (a RiskLens and E*TRADE board member and an honoree in the NACD Directorship 100) wrote that CISOs should report to boards in decision-oriented terms, such as:
- Value of enterprise digital assets, especially the company’s crown jewels
- Probability of occurrence and potential loss magnitude
- Potential reputational damage and impact on shareholder value
- Costs of developing and maintaining the cybersecurity program
- Costs of compliance with regulatory requirements (e.g., the EU’s General Data Protection Regulation)
Boards increasingly expect to receive reporting on cyber risk in the same financial terms used in the rest of enterprise risk management, such as interest rate risk, market risk, credit risk, operational risk, and strategic risk, Jack and James wrote. The FAIR model, on which the RiskLens Platform is built, quantifies cyber risk in just those financial terms.
There are plenty of signs that Jack’s message is breaking through and driving demand from boards for better reporting:
- The Wall Street Journal reported that FAIR is “gaining traction” among major companies.
- Membership in the non-profit FAIR Institute recently passed 6,000, including representatives from about one third of the Fortune 1000.
- The SEC cyber risk disclosure requirements – frequency of cyber events, probability and magnitude of incidents, adequacy of controls, etc. – read like the outputs of a FAIR analysis.
- The National Institute of Standards and Technology (NIST), which maintains the Cybersecurity Framework (CSF), the most widely used cybersecurity standard in American business, recently published a “success story” case study about combining NIST CSF and FAIR.
Hear Jack at the Global Board Leaders Summit, Sept. 23 in Washington, DC in the morning session “Ask the Experts: Data Privacy and Cybersecurity”. And for a deeper dive into FAIR and the movement to cyber risk quantification, attend the 2019 FAIR Conference, September 24-25 at National Harbor, MD, near Washington, DC, sponsored by RiskLens.