Greetings FAIR Instituters! I’m glad to be able to give you a summary of research that many of you participated in a few months ago. Before I do that, though, we need to rewind a bit further back in time.Last year, the Cyentia Institute collaborated with Focal Point Data Risk to produce a report titled the Cyber Balance Sheet. That first report utilized fairly open-ended interviews of security leaders and Board members to see where they aligned and did not align on a range of issues. One of the things I found most interesting is the “confidence disparity” that exists among CISOs and the Board (see Figure 1). In that report, we hypothesized that the type and quality of information communicated to the Board may be to blame for that disparity. And within that, poorly-assessed and poorly-presented views of “risk” were a prime contributor.
FAIR Institute Advisory Board Member Wade Baker, PhD, is Co-Founder of the Cyentia Institute and a professor at Virginia Tech’s College of Business for the MBA and Master of IT programs. Wade led Verizon’s Data Breach Investigations Report (DBIR) team for many years.
We wanted to dig into that hypothesis in this latest report. Specifically, the research questions we attempt to answer are:
- How is cyber risk perceived relative to other types of risk?
- What cyber risk information is reported to the board? What drives dialogue and value?
- How is cyber reporting viewed by the board? What drives confidence and satisfaction?
- How does cyber risk reporting — and reception — vary across roles and organizations?
I’m going to tackle the first two questions in this blog post. In so doing, I hope to pique your interest to read the whole report. There’s a lot of good information in there that I can’t cover fully here.
I’ll start with the first question--where does cyber risk rank relative to other types of risk. According to the chart below, most respondents rank cyber risk in the upper tier of risks they’re dealing with across the organization. We did see a marked difference between respondents with security vs. non-security roles (the former ranked it on top far more often). We did not see a pattern among organizations that place it toward the bottom. If there’s a simple answer to “If you’re this and that, you don’t/do care about cyber risk,” we didn’t find it.
It’s a bit complex visually, but Figure 20 below gives a view into the second question regarding what information is reported to the Board. The fact that security incidents, compliance status, program maturity, and threat trends are the most reported suggests that answering “What’s the danger and are we safe?” sits high on the docket for board meetings. This likely relates to the low confidence and high anxiety among directors we observed in our last study.
Things rearrange a bit when it comes to which topics drive boardroom dialogue. Notice how the risk appetite/exposure and 3rd party risk categories surge upward, indicating that the supply for those metrics falls short of the demand. Compliance, on the other hand, takes a nosedive.
The value-based view of metrics in Figure 20 offers a slightly different outlook. Most notable for the FAIR audience is that risk information appears comparatively less valuable. It’s curious that risk would drive dialogue, yet yield comparatively less value. I can’t help but wonder if this ties back to the way risk exposure is typically expressed (see Figure 15 below). Perhaps the stories, scales, and shades of cyber “risk” presented to the board isn’t very satisfying to a group of people accustomed to looking at risk more quantitatively and/or in a business context.
And that last point is exactly why I’m proud to be a part of the FAIR community. I’ve watched with interest and satisfaction as the FAIR Institute has grown. We have the incredible opportunity (I’d go so far as to say obligation) to offer Board members a more realistic, satisfying, and confidence-building view of cyber risk that doesn’t hinge on preschool-level counting and colors. I look forward to continuing to work with you all to change that conversation!
Download the 2018 Cyber Balance Sheet report.
2017 Cyber Balance Sheet Shows How CISOs Fail to Communicate to Boards – And How to Fix It [Infographic]