How many risk managers have wished they could stick a babel fish into the ears of the board?
Quantifying the unknown – through situational awareness, the identification of potential targets and vulnerabilities that could be exploited in the organisation – and then communicating that information to a non-technical business-focused audience is no easy task.
Yet, it’s one risk managers are now routinely faced with as formalised risk monitoring and reporting become the norm.
Being able to make cyber risk meaningful is hard because there’s no common language. While the board may understand the process from a strategic perspective – after all, monitoring and tracking performance and tweaking processes is part of the day-to-day machinations of running a business – it’s far harder to communicate technical issues without running into tech speak, or to explain how a change in the threat spectrum has created a risk where before there was none.
Quite rightly, the board needs to be alert to fluctuations in risk as part of the decision-making process. But a chasm of understanding is still hindering that process, preventing the right decisions from being made. So how can the risk manager overcome the problem of getting ‘lost in translation’?
The first obstacle, and one that is often overlooked, is that ‘cyber risk’ is a subjective term, open to liberal interpretation.
The Institute of Risk Management (IRM) defines it as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems”.
However, such a definition still frames the IT infrastructure as the point of failure, making it seem that risk is still the preserve of the IT department. A far more productive definition would be to say that cyber risk is the risk of compromise of business operations orchestrated via the IT infrastructure.
Cyber risk does of course need to be managed and responsibility assigned for it to be governed, but the perception of it as an IT issue is counterproductive.
So the first hurdle to overcome is to make sure everyone’s on the same page. Risk needs to be seen as being as vital to the sustainability of the organisation as sales projections, marketing initiatives and customer retention – all are forward-thinking, all entail assessment, analysis and prediction, and all can influence the direction the company takes.
Once you’ve made this important distinction, it’s possible to see risk as a strategic motivator and to place risks in context in terms of the business, how it operates and what the impact might be of the realisation of that risk on the business.
The CESG recommends the team should “communicate using the same language as the business, [otherwise] the interpretation of risks can differ”. So think about what the board needs to know, and seek to make risk relevant to the business and stakeholders – this is the only way to ensure an enterprise-wide risk strategy.
Acknowledge issues that need to be addressed, such as problems with internal processes, as often there’s a level of self-censorship; communicate the advantages and disadvantages of particular courses of action; and speak plainly, using business terms, not IT jargon or acronyms, which can alienate the audience.
But a conversation is a two-way process and the onus is not just on the CRO or CISO. The board also needs to increase its understanding of cyber threats and that means brushing up on cyber security.
This will enable the board to appreciate risk as a necessary element of its defence and security as a function that enables the business to operate effectively.
Risk managers can help here by creating opportunities to help educate the board on cyber security issues, generating discussion around the topic, and devising programs that address emerging threats.
Common ground is then created, which generates a greater sense of trust between senior management and IT. It’s only at this point that the board can begin to ask the right questions and enter into a meaningful dialogue when the CRO/CISO reports back to them on risk issues.
This is essential to adjusting the risk appetite of the business and how it relates to the corporate strategy going forward, as risk and strategy have to go hand-in-hand.
Working more closely with the board will also help facilitate better leadership, with clear guidance assigned and provided on roles and responsibilities for different functions across the organisation.
This can be particularly effective when it comes to incident management, ensuring that each party comes into play in a seamless manner, with communications teams, legal teams and HR all working with IT to limit the impact on the business.
Many organisations will have taken on board the 10 Cyber Security Steps advocated by GCHQ and may even have looked at the advice for Board Level Responsibility when seeking to implement an information risk management regime.
But they can often need assistance when it comes to translating the regime into practical risk management. And it’s not just the C-suite that is struggling – the CRO or CISO may feel out of step with current threats and seek external assistance.
A recent consultancy survey found that only 41% of the 450 senior risk management respondents surveyed felt they had the skills needed to understand the impact of digital technologies. And those polled said they had sought to recruit the expertise they felt they lacked by bringing on board cyber risk and fraud experts and, worryingly, even hackers.
The security industry has sought to capitalise upon the fear and confusion created by cyber risk by perpetuating the myth that risk is difficult to fathom and communicate. But a good consultant will seek to do just the opposite, communicating risk by mapping it to business strategy in such a way that both become intrinsically linked.
These individuals can act as a babel fish for the business, turning risk into real action, and bridging the divide between IT and the C-suite – at least until the board learn the lingo and become fluent in cyber speak.
Sourced from James Henry, Auriga