Board directors and senior executives are obligated to govern their organizations’ cyber risk management efforts. To this end, they are being educated by organizations such as the NACD and the Big 4 on the foundational concepts of information security and cyber risk management. One such approach, developed by Jack Jones, Chairman of the FAIR Institute, advocates a set of diagnostic questions board directors should ask the CISO to determine an organization’s ability to achieve cyber risk management success.
Jack was invited to provide the introductory remarks related to these questions at a Business of Security event I hosted in Columbus, Ohio, in partnership with Jeff Schmidt and the Columbus Collaboratory. Jack set the stage for a rousing panel discussion with four local security leaders, where he stated, “If I was on your board I would be your worst nightmare!” It was all in good humor, as Jack is a bit of a legend within this information security community, where he served as CISO of Nationwide Insurance, the incubator of sorts for Factor Analysis of Information Risk (FAIR™).
Michael Radigan is founder and executive director of Business of Security, a consulting firm specializing in quantifying cyber risk in financial terms. This post originally appeared on his LinkedIn page.
Jack explained that the catalyst for putting together “Five Questions the Board Should Ask the CISO” was the discussions he had been having with board directors, in which he discovered the profoundly flawed underlying assumption they were operating from: that the CISO was actually prioritizing the organization’s efforts effectively and choosing cost-effective solutions when expending those resources.
In Jack’s experience, both CISOs and the information security profession as a whole are deficient at risk measurement and prioritization. He stated, “Our problem space is incredibly complex and dynamic. And we have finite resources. That means we have to be good at prioritizing. And we are not.”
The following five questions allow the board to baseline their organization’s ability to cost-effectively manage cyber risk. Jack noted that he advises boards that their CISO probably won’t be able to answer them satisfactorily; however, they should observe how the CISO responds and the extent to which he or she agrees or disagrees with the basis for the questions.
Question 1: Do we know what our crown jewels are and where they’re located?
Diagnostic purpose: To understand whether the organization is able to appropriately protect the assets that represent the most value and/or liability to the organization.
Jack’s Commentary: “If we haven’t figured this out, what are the odds we are really focused on the things that matter?”
Question 2: What are our top ten cyber risks?
Diagnostic purpose: To evaluate whether your organization has a clear and accurate understanding of what a risk is, which is a fundamental prerequisite to accurate measurement and effective prioritization.
Jack’s Commentary: “I will guarantee few of the things in the top ten list will actually be risks. They may be an important part of the risk landscape but they aren’t risks.”
Question 3: How much loss exposure (in economic terms) does the top cyber risk represent?
Diagnostic purpose: To gauge the CISO’s understanding of modern risk measurement methods and receptiveness to quantitative methods.
Jack’s Commentary: “Ask the question, see how they react, and if they say it can’t be done, give them a homework assignment. If they come back again with the same answer, it may be time to find a new CISO!”
Question 4: Who is allowed to measure cyber risk in the organization?
Diagnostic purpose: To gauge whether the organization recognizes that reliable risk measurement requires certain skills.
Jack’s Commentary: “The honest answer will be anybody on the staff that can wave a wet finger in the air. Would you let just anyone measure your credit or market risk in this manner? Measuring risk is an analytic function; this is not something just anybody is capable of doing.”
Question 5: What is the prevailing root cause behind execution failures and deficient controls?
Diagnostic purpose: To understand whether the organization is able to identify and treat the common/systemic causes of execution failures (which drive most non-compliance, security failures, and poor performance).
Jack’s Commentary: “No organization that I have walked into is doing root cause analysis, rather only proximate cause analysis. There are two downsides: every time we have to fight the same battle again we have an exposure we shouldn’t have, and we are wasting resources going back to that battle over and over again.”
The Bottom Line: Today’s standards and compliance frameworks, as well as common maturity models and benchmarks, can be useful risk management tools. They do not, however, focus on the fundamental need to measure risk accurately so that risk management decisions can be well-informed. Nor do they address the need to identify and treat the root causes behind execution failures.
By examining your organization through the lens provided by the five questions discussed above, you can better understand your organization’s ability to prioritize its risk management efforts effectively and to treat the root causes of execution failures.