Do you dread reporting on cyber risk to the board? Have you ever felt that board members were left confused by your descriptions of cyber risk in terms of threats and vulnerabilities? Did your board members ever challenge your presentation and ask, "What does this mean to the business?"
You are not alone. This communication divide, with board members and business executives on one side, and information risk officers on the other side, is now a reality in many companies as cyber risk has been added to the board agenda and must be treated as a business risk.
Innovative Value-at-Risk models such as Factor Analysis of Information Risk (FAIR) can help resolve this communication divide. They enable information security and risk professionals to articulate cyber risk in financial terms, a language that the board and the business understands. Analyzing and reporting on cyber risk in dollars and cents changes the role of information security and risk professionals from one that focuses only on protecting the organization from a technical perspective to one where they deliver value to the board and enable effective business-aligned decision making.
Communicating the impact cyber risk has on business outcomes provides two fundamental benefits:
Enable Financially Driven Business Decision Making
- Moving beyond FUD: Traditionally, board and management-level presentations about cyber risk have been conducted at a technical or qualitative level and often leveraged FUD (Fear, Uncertainty and Doubt) to gain approval of security initiatives. Presenting the impact of cyber risk and of possible risk mitigations in financial terms allows the board and executive management to engage, to participate in the decision-making process and to fulfill their cyber risk governance duties.
- A business-aligned communication approach allows the organization to capture and translate the wealth of data that it is already collecting, in financial terms. This becomes actionable information that the business understands and can use as a basis for effective decision making.
Support Conscious and Explicit Choices About Managing Cyber Risk
Using financial risk data can help organizations to proactively decide where they want to be on their risk and security investment continuum.
- Making explicit choices: Risk posture is a choice, whether implicit or explicit. Every choice made as part of a risk program or security influences where the organization ends up risk-wise. Making explicit choices based on actionable, easy-to-understand financial risk data greatly increases the chance for an organization to improve its risk posture.
- Understanding trade-offs: The availability of financial risk data allows organizations to achieve the right balance between the level of investments they are ready to make and the amount of risk they are willing to accept.
- Managing risk versus compliance: Analyzing risk in dollars and cents helps organizations move beyond compliance check-box exercises and move to a true risk-based and business-aligned approach to cybersecurity.
- A financially-driven, risk based approachalso helps executives understand the business impact of decisions and select the risk mitigations that actually help the organization succeed.
If you are ready to learn how to communicate effectively to boards of directors and business executives and get a seat at the business table, consider learning more about FAIR and its community of FAIR practitioners at the FAIR Institute.