Over the holiday break, I watched Don't Look Up on Netflix. The film is a comedy about two astronomers trying to warn humankind of a planet-killing comet hurtling toward Earth. In one hilarious scene, they brief “President Orlean” (Meryl Streep) in the Oval Office. Watch this video clip:
I couldn't help thinking of the astronomers as risk analysts or CISOs reporting on cyber risk to executive leadership in an organization that hasn’t made the move to quantitative risk analysis with FAIR™ (Factor Analysis of Information Risk). The scene is played for laughs, but there are some lessons on communication for FAIR risk analysts here (though if your leadership team is anything like the Orlean Administration, you are probably out of luck).
Know Your Audience for Risk Analysis
We've all been here before, albeit with much less at stake. You have identified a risk (luckily, not a comet headed towards Earth) and need to communicate it to the C-suite or the board. Don't follow the lead of Dr. Randall Mindy (Leonardo DiCaprio)! He starts with a far too detailed description, which bores the audience. Although everything he says is accurate and it makes sense to him, he loses their attention right away.
Jason Orlean (the president’s son, played by Jonah Hill) says: "I'm so bored. Just tell us what it is."
Kate Dibiasky (Jennifer Lawrence) almost saves the day by clearly stating the issue at hand: "What Dr. Mindy is trying to say is there is a comet heading directly towards Earth."
Unfortunately, the damage has already been done. Dr. Mindy lost the attention of the audience by getting too detailed. He does a better job of communicating the magnitude of the risk when prompted by a question:
Jason Orlean: "Then what happens? Like, a tidal wave?"
Dr. Mindy: "It will be far more catastrophic. There will be mile-high tsunamis."
Thankfully, none of us will ever have to deal with anything of this magnitude, but imagine you've identified an event so significant that it could close the doors of your business if it occurred. You would want to communicate that as clearly as possible to avoid confusion and to prompt a response. Dr. Mindy gets straight to the point so that the impact of the event is clear to the audience.
Takeaway: Get to the point! Communicate clearly and concisely when reporting risk.
Avoid Point Estimates for Risk Probability
President Orlean: "How certain is this?"
Dr. Mindy: "There's 100% certainty of impact."
President Orlean: "Please, don't say 100%"
President's Aide: "Can we just call it a potentially significant event?"
Dr. Mindy: "99.78% to be exact"
Jason Orlean: "Oh, great, OK, so it's not 100%"
President Orlean: "I'm gonna call it 70% and let's just move on"
Jason Orlean: "Let's just use, like, 60% as a working number."
Author Kevin Gust is a Senior Risk Consultant for RiskLens.
First, I love how this dialogue exposes the problem with using qualitative labels like "potentially significant" while also calling out the tendency for different people to understate or overstate the same risk (i.e., 100% versus 70% versus 60%). This sounds like a conversation we might hear in a FAIR training course.
Now, "how certain is this?" is a question we've all received at some point and Dr. Mindy answers it based on his calculations. In the movie, the math supports Dr. Mindy's claim of 100% certainty. In the real world of risk reporting, however, we know we rarely (if ever) report anything with 100% certainty. The good thing is that FAIR allows us to report in ranges of probability and account for uncertainty. For a different example, compare the two statements below:
There is a 32.71% probability of this event occurring in the next year.
There is a 25-40% probability of this event occurring in the next year, with a most likely probability of 33%.
Which is more likely to be accurate?
Takeaway: Recognize issues with qualitative labels and inherent bias when gathering inputs. Report using ranges to account for uncertainty.
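As an added illustration (not code from the post or from RiskLens), here is one way to turn a calibrated minimum / most likely / maximum estimate into the kind of range statement above; it assumes a beta-PERT shape for the estimate, which the post does not specify, and uses the 25% / 33% / 40% figures quoted in it as constructed input.

```python
import random
import statistics


def pert_samples(low, mode, high, n=20000, seed=7):
    """Draw n samples from a beta-PERT distribution bounded by [low, high]
    with the given most-likely value (assumed shape for a calibrated estimate)."""
    if not low <= mode <= high or low == high:
        raise ValueError("need low <= mode <= high with low < high")
    spread = high - low
    alpha = 1 + 4 * (mode - low) / spread
    beta = 1 + 4 * (high - mode) / spread
    rng = random.Random(seed)  # seeded so the report is reproducible
    return [low + spread * rng.betavariate(alpha, beta) for _ in range(n)]


def pert_mean(low, mode, high):
    """Closed-form expected value of a beta-PERT estimate."""
    return (low + 4 * mode + high) / 6


def summarize(samples):
    """Percentiles a risk report can quote instead of a single point estimate."""
    q = statistics.quantiles(samples, n=100)  # q[i-1] is the i-th percentile
    return {
        "p10": q[9],
        "p50": q[49],
        "p90": q[89],
        "mean": statistics.fmean(samples),
    }


def report(low, mode, high):
    """Build the range statement from the calibrated estimate plus simulation output."""
    s = summarize(pert_samples(low, mode, high))
    return (f"There is a {low:.0%}-{high:.0%} probability of this event occurring "
            f"in the next year (most likely {mode:.0%}; 80% of simulations fall "
            f"between {s['p10']:.0%} and {s['p90']:.0%}).")


if __name__ == "__main__":
    # Constructed input: the 25% / 33% / 40% estimate quoted in the post.
    print(report(0.25, 0.33, 0.40))
```

The same three inputs feed a Monte Carlo run, so the report can quote both the elicited bounds and the simulated spread rather than a single decimal like 32.71%.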
Don’t Get to "Sit Tight and Assess" in Risk Management
The punchline of this scene is towards the end of the clip, when President Orlean concludes: "At this very moment, I say we sit tight and assess."
The astronomers can’t believe the ridiculous response, given the gravity of the situation. Although this is a fictional example designed to evoke humor and outrage at the same time, I wonder how many risk analysts have heard a similar response when presenting risk upward?
The burden is on CISOs and cyber risk analysts to prepare the way for a more rational discussion with C-level or board audiences before a crisis hits. Some tips from a RiskLens blog post, Reporting on Emerging Threats:
>>Build credibility over time by reporting on risk in quantitative, financial terms.
Quantification paves the way for leadership to understand the effectiveness of cybersecurity programs, set risk appetite and view cyber risk in the wider context of enterprise risk.
>>Focus on the critical assets for business operations.
Define and quantify with FAIR the loss event scenarios for those assets and build a risk management strategy around those high-impact scenarios.
>>Future-proof your risk register.
Risk register entries should be phrased as FAIR risk scenarios, with a threat actor impacting an asset by some means. When a novel threat or vulnerability breaks in the news, create new scenarios to cover them, and over time you’ll find you can more easily work up ready answers to the risk concerns of leadership.
I hope you enjoyed this scene from Don’t Look Up as much as I did and that the lessons learned will give you a better chance of reporting effectively to avoid the "sit tight and assess" response next time you report to leadership.