More frequent and more relevant to business strategy – that’s what board members expect from CISOs for reporting on cyber risk, veteran board director James Lam told the recent quarterly event in the 2022 FAIR Conference series. And no hiding behind technical-speak.
Watch the video of the presentation Critical Do’s and Don’ts of Cyber Risk Board Reporting at the Q1 event in the FAIRCON event series for 2022. FAIR Institute membership required to view – join now.
Lam currently serves on the board for the FAIR Institute and, until recently, chaired the risk oversight committee for the board of E*TRADE.
James Lam’s Don’ts of Board Reporting on Cyber Risk
1. Don’t do stupid. Showing the board a heat map is a good way to get shown the door. Many board members come out of a financial background and won’t sit still for risk “analysis” without rigor. “Heat maps are really not conducive to decision-making,” he said.
2. Don’t do lazy. Often in risk taxonomies, risk is described as a negative to a business objective. “You can’t really define risk as a failure to achieve a business objective. Downtime is not the risk; the risks are the underlying conditions that would lead to downtime,” some of which may be controllable, some not. Don’t settle for lazy thinking.
3. Don’t do boring. Don’t tell the board that your NIST maturity level is 2.3 and this year you want to be 2.8. “As a board member, I don’t want to spend my time hearing about how you spend your time. I want to know the critical insights and concerns pertaining to you. Maximize the things that are much more value-added.”
The Critical Do’s of Cybersecurity Risk Reporting to the Board
1. Discuss cyber risk in terms of strategic objectives and business opportunities. Use FAIR analysis to demonstrate return on investment for a security program.
2. Show the whole picture. Tell what keeps you up at night, where you would invest an extra dollar if you had it, the top five areas where you need to enhance security, etc.
3. Quantify risk in financial terms and particularly relate it to risk appetite. “I don’t want to just see a metric, tell me what is acceptable and what is not.”
4. Compare risk and performance to industry average benchmarks. “Directors always do that” across a range of metrics (financial performance, executive compensation, etc.) and cybersecurity management should follow that lead.
5. Support the board’s risk governance and oversight roles. Keep in mind that directors have a legal and moral obligation to oversee risk management strategy and processes, compliance with regulations, threats that might pose material risks and other concerns – and adjust your reporting accordingly.
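A way to put Do’s 1 and 3 (and Don’t 1) into practice is to replace the heat map with a FAIR-style quantification that states whether exposure is inside the board’s appetite. The code below is an added illustration, not material from Lam’s talk or from the FAIR Institute; it assumes the appetite is expressed as the largest acceptable 1-in-10-year annual loss, and the scenario ranges are constructed rather than calibrated.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    lef: tuple  # Loss Event Frequency: (min, most likely, max) events per year
    lm: tuple   # Loss Magnitude: (min, most likely, max) dollars per event

def draw(rng: random.Random, r: tuple) -> float:
    """Sample a calibrated (min, most likely, max) range as a triangular variate."""
    return rng.triangular(r[0], r[2], r[1])  # random.triangular takes (low, high, mode)

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in a year whose expected rate is lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> list:
    """Simulate `years` independent years; return the total loss per year, ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = poisson(rng, draw(rng, s.lef))       # how many loss events this year
        totals.append(sum(draw(rng, s.lm) for _ in range(events)))
    return sorted(totals)

def board_report(s: Scenario, appetite_p90: float, years: int = 10_000) -> dict:
    """Summarize exposure and state whether it is acceptable. appetite_p90 is the
    largest 1-in-10-year annual loss the board accepts (assumed form of appetite)."""
    losses, n = simulate_annual_loss(s, years), years
    p10, p50, p90 = (losses[min(n - 1, math.ceil(p / 100 * n) - 1)] for p in (10, 50, 90))
    mean = sum(losses) / n
    within = p90 <= appetite_p90
    return {"scenario": s.name, "mean": mean, "p10": p10, "p50": p50, "p90": p90,
            "within_appetite": within,
            "statement": f"{s.name}: expected annual loss ${mean:,.0f}; 1-in-10-year loss "
                         f"${p90:,.0f} {'is within' if within else 'exceeds'} the "
                         f"${appetite_p90:,.0f} appetite."}

# Constructed scenario; the ranges are illustrative, not real calibration data.
RANSOMWARE = Scenario("Ransomware outage of order management",
                      lef=(0.5, 1.0, 2.0), lm=(100_000, 500_000, 2_000_000))

if __name__ == "__main__":
    print(board_report(RANSOMWARE, appetite_p90=3_000_000)["statement"])
```

The `statement` field is the sentence a director asked for: a dollar figure and a verdict against the appetite, rather than a colour or a maturity score.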
Watch the Video from FAIRCON19: Perfecting a CISO Board Presentation with James Lam and Chris Inglis