To quote SEC Cyber Enforcement Chief Kristina Littman, speaking at the 2020 FAIR Conference, “Willful blindness is never a good strategy from a legal perspective.”
Nicola (Nick) Sanna is President of the FAIR Institute
Here are three compelling reasons why ignorance is not bliss, when it comes to cyber risk management and the principle of “duty of care” that corporate officers and directors must meet.
What can cyber risk executives do to help their organizations answer the “better not to know” challenge? Here are three tips that turn those challenges into win-win situations.
1. Always present remediation plans along with top risk reports
The cybersecurity or risk team should present options for addressing each cyber risk so that the business can make informed decisions about the most appropriate cybersecurity response, and so that it builds a defensible rationale for those decisions in the event of a legal or regulatory challenge.
2. Present the numbers as projections in ranges, not precise predictions
Business planning, including cyber risk management, should always account for uncertainty in probable outcomes, which depends on the range of assumptions and on a dynamic threat landscape. Express cyber risk in ranges, just as public companies express revenue projections in ranges. Be transparent about the assumptions behind the inputs to your risk scenarios. But, above all, stand by the range rather than offer indefensible precision.
3. Consider translating dollar figures into qualitative scores
If the organization is less data-driven and the legal team is strongly sensitive to presenting top risk assessments in financial terms, the results can be translated into less controversial, qualitative terms without sacrificing the rigor of the underlying quantitative analysis. Qualitative representations of risk can be High/Medium/Low labels or an ordinal scale such as 1-5.
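Tips 2 and 3 are easy to misread as "report softer numbers". The point is the opposite: the range comes out of a quantitative analysis, and the ordinal score is a relabeling of that range with the thresholds written down. The following is an added illustration, not code from the FAIR Institute or from this post: a small FAIR-style Monte Carlo in plain Python (standard library only) that takes loss event frequency and loss magnitude as calibrated min / most likely / max ranges, reports annualized loss as a p10–p90 range with the median, and then maps the dollar figures onto a 1-5 ordinal scale and High/Medium/Low labels. The scenario inputs, the PERT/Poisson sampling choice, the dollar thresholds and the score-to-label mapping are all constructed assumptions for the example.

```python
import math
import random

# Constructed example scenario (not from the post): FAIR-style inputs given as
# calibrated ranges (minimum, most likely, maximum) rather than point estimates.
SCENARIO = {
    "name": "Ransomware disrupts customer portal (constructed)",
    "loss_event_frequency": (0.5, 1.5, 4.0),          # loss events per year
    "loss_magnitude": (50_000, 400_000, 3_000_000),   # USD per loss event
}

# Constructed thresholds (USD of annualized loss) for a 1-5 ordinal scale.
# Writing them down is what keeps the qualitative score defensible.
DEFAULT_THRESHOLDS = (100_000, 500_000, 1_000_000, 5_000_000)


def pert_sample(low, mode, high, rng, lam=4.0):
    """Draw from a PERT distribution: a Beta rescaled onto [low, high]."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(mean, rng):
    """Knuth's method: how many loss events occur in one year at a given rate."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(scenario, iterations=10_000, seed=7):
    """Monte Carlo: for each simulated year, sample a frequency, draw the number
    of events, then sample a magnitude per event. Returns sorted annual losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = pert_sample(*scenario["loss_event_frequency"], rng)
        events = poisson_sample(lef, rng)
        annual.append(sum(pert_sample(*scenario["loss_magnitude"], rng)
                          for _ in range(events)))
    annual.sort()
    return annual


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    idx = int(round(pct / 100 * (len(sorted_values) - 1)))
    return sorted_values[min(max(idx, 0), len(sorted_values) - 1)]


def loss_range(annual_losses):
    """What to report: a p10-p90 range and the median, not a single number."""
    return {
        "p10": percentile(annual_losses, 10),
        "p50": percentile(annual_losses, 50),
        "p90": percentile(annual_losses, 90),
        "mean": sum(annual_losses) / len(annual_losses),
    }


def ordinal_score(annual_loss_usd, thresholds=DEFAULT_THRESHOLDS):
    """Map a dollar figure onto a 1-5 scale: 1 + number of thresholds reached."""
    return 1 + sum(1 for t in thresholds if annual_loss_usd >= t)


def hml_label(score):
    """Collapse the 1-5 score to High/Medium/Low (constructed mapping)."""
    return {1: "Low", 2: "Low", 3: "Medium", 4: "High", 5: "High"}[score]


def qualitative_report(scenario, iterations=10_000, seed=7):
    """Quantitative range first, qualitative translation second, same analysis."""
    r = loss_range(simulate_annual_loss(scenario, iterations, seed))
    return {
        "range_usd": (r["p10"], r["p90"]),
        "median_usd": r["p50"],
        "score_median": ordinal_score(r["p50"]),
        "score_p90": ordinal_score(r["p90"]),
        "label_p90": hml_label(ordinal_score(r["p90"])),
    }


if __name__ == "__main__":
    report = qualitative_report(SCENARIO)
    print(f"{SCENARIO['name']}")
    print(f"  annualized loss p10-p90: ${report['range_usd'][0]:,.0f} - ${report['range_usd'][1]:,.0f}")
    print(f"  median: ${report['median_usd']:,.0f} (score {report['score_median']})")
    print(f"  p90 score {report['score_p90']} -> {report['label_p90']}")
```

Two things are worth noticing when running it. The low end of the range is often zero, because in many simulated years no loss event occurs; that is a faithful statement of uncertainty, not a modeling error, and it is exactly the kind of result that a single "expected loss" figure hides. And the ordinal score is derived after the fact from the dollar range using published thresholds, so the board can see a "4 / High" while the analysis file still holds the numbers and assumptions that produced it.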
In sum, blissful ignorance on cyber risk is not a defensible stance for organizations, but this doesn’t mean that you shouldn’t be mindful of the concerns of your legal team. Put yourself in a win-win situation for all parties involved.