Articulating Risk to Senior Management: Enabling Informed Decision-Making
At InfoSecurity Europe 2015, I was privileged to moderate a keynote panel “Articulating Risk to Senior Management: Enabling Informed Decision-Making”. The panellists were David Cass, Senior Vice President & CISO for Elsevier; Mike Pitman, CISO and Head of Information Security at John Lewis; James McKinlay, Head of Information Security at Worldline and Thom Langford, CISO of Publicis Groupe.
We started by talking about the level of risk an organisation may be comfortable with. Thom said that this is unique to each business, but most find it hard to define their risk appetite. There are plenty of tools available, such as ISO/IEC 27005, and many firms choose a Red, Amber, Green (RAG) approach. James mentioned the gap between the perception of risk in information security and how enterprise risk management is handled. He said information security professionals need to build bridges with corporate risk committees to help overcome this divergence. David commented that the level of risk an organisation is comfortable with may vary between departments and not necessarily align with the risk appetite of the entire business. Mike asked whether we should attempt to define a risk strategy before attempting to reduce risk to an agreed level. He believes that we should try to reduce high-level risks immediately while developing a risk acceptance level framework in parallel.
Next we were challenged by the statement that there should be no such thing as cyber security risk, but rather business risk with cyber causes. James commented that cyber risks have been prominent in the press, making them a talking point with non-technical senior staff in an organisation. We need to learn the language of business to articulate the impact and risks to a non-technical audience. David agreed that it makes it harder to connect to the business if we insist on “talking techie” (including terms like “cloud”). Thom asserted that we are one part of the business, like finance, legal and HR, and shouldn’t think that our risks are special. We should put them across in the same way other departments do – in the context of making money, saving money, etc. In general, information security people don’t know how to do this, although it is improving in his view. Security functions came out of IT and have been thinking like IT, not in business terms. We have to understand that we’re not special.
Mike thinks that security in John Lewis is on the curve rather than behind it – he is a business-facing function. Reputational risk is huge in retail, and John Lewis have emphasised cyber in the risk register – in fact it’s at the top to focus people’s attention – and is embedded in risk registers throughout the business. I commented that in my experience, many risk registers tend to be about availability, do not contain information assets and are not threat based.
We talked about mapping new or changed business activities onto risks, and then onto the mitigation strategy. There were examples like an ongoing debate with marketing who want new features, or a new way of selling, or of tracking enquiries. These demands need to be balanced between the possibility of losing a customer thanks to additional authentication and having appropriate security controls to protect the business. Amazon was cited as an example of accepting the risk by implementing their ‘buy it now’ button to give increased revenue. I wondered whether debates of this type educate non-security people about risk thinking. James was passionate about using metrics such as the number of SRAs (security risk assessments) versus the number of new products to ensure that risk assessments actually take place.
We asked how we demonstrate a return on investment (ROI) for security. One solution was to make information security a differentiator – a unique selling point – that can attract and retain customers. Information security professionals were urged to understand what their business does – to read the company report and talk to the business. They should not sit in an ivory tower and dictate policy, otherwise they are limiting the ROI of the information security function. MillerCoors was cited as an example where the question was asked: how can security help you sell more beer?
In summary it seems there remain some real challenges for information security professionals in communicating cyber risks to senior management. However, with the right tools, a thorough understanding of what their business does and how enterprise risks are expressed, there has never been a better time to start.