The value of IT risk assessments

Lisa Young has a lot of experience in cybersecurity and cyber risk management. (Look at her impressive LinkedIn profile.)

When she says something about cyber and cyber risk, we should listen.

Recently, she wrote a piece for ISACA, Getting More Value from Risk Assessments. I disagree with some of her comments (and have told her, hoping she will comment on this post so we can benefit from her experience), including:

  • “The goal of effective risk management is to align the amount of risk taken with the enterprise’s risk appetite to meet the strategic goals and objectives of the organization.”
    • I believe the goal of effective risk management is to provide decision-makers and leaders of the organization with the information they need about what might happen, enabling them to make the informed and intelligent decisions necessary to achieve objectives.
    • I do not believe in the concept of a single risk appetite. Risk limits and criteria have value in some situations, but it is important to know when the potential reward exceeds the downside risk.
  • “In a recent ISACA survey, 66 percent of respondents said their executive leadership team [ELT] sees value in conducting IT risk assessments. This is great news because a risk assessment can demonstrate value to the organization by identifying areas of concern, potential threats, and vulnerabilities to the information, data and technology systems of the organization before a risk is realized and an incident occurs.”
    • When only 66% of respondents (presumably CISOs and similar) believe “their executive leadership team sees value in conducting IT risk assessments”, that is terrible. The number is probably lower (CISOs may believe the ELT sees value when that is wishful thinking).
    • I question whether the value is “some” or “sufficient” (to make the right decisions).
    • 33% of the ELT believe there is no value in IT risk assessments. That’s a lot!
    • “Houston, we have a problem!”
    • There are multiple sources of IT risk. I am not sure of the value of aggregating them. It would be better for decision-makers to be able to understand those that are relevant to their specific situations.
    • The value of any risk assessment should be in helping people make the informed and intelligent decisions necessary for success. Sometimes, cyber risk should be taken!

There is tremendous value in timely, current, and reliable IT risk assessments, but only if they are done well. That means that they meet the information needs of decision-makers. As Lisa says, “When risk is strategically and thoughtfully taken, there are opportunities for competitive advantage, entering additional geographic markets, or developing new products and services”.

Decision-makers need more than an assessment of the current level of cyber risk, perhaps compared to prior levels.

They need to be able to include cyber along with other sources of risk (and opportunity) when making a business decision, such as whether to proceed with the implementation of a new system, the launch of a new product, or whether to invest scarce resources into cyber or marketing.

What this survey is telling us is what we should already know: there is an immense gap between what board members and the ELT need to know and what their cyber practitioners are telling them.

They are talking in different languages.

While the board and ELT are concerned with revenue targets, customer satisfaction, and other enterprise objectives, they are being told by cyber practitioners about the “risk to information assets” (following guidance from NIST, ISO, FAIR, etc.).

There may be value in these cyber risk standards and frameworks in understanding the root cause of cyber-related business risk. But it must be translated into business language.

Some say that board members and the ELT need to understand cyber and cyber risk better.

I say that cyber practitioners need to talk to their customers in the language of the business. Tell them what they need to know, when they need to know it. Talk about the potential effect on enterprise objectives or the strategies to achieve them.

That brings up another source of concern in Lisa’s article. She reports:

The top responses to the question of frequency of risk assessments were: Quarterly, 29 percent; Annually, 28 percent; Every 6 months (semi-annually), 18 percent; and Monthly, 14 percent, with other organizations somewhere between ad hoc/as needed/less frequent than once a year.

In a world where risk is changing dynamically, especially when it comes to cyber, how is this sufficient?

My advice is that risk (including cyber) needs to be expressed in terms of how it might affect the achievement of enterprise objectives.

Then cyber and the other sources of risk can be compared and aggregated as necessary to see the big picture.

If you want people to make the right decisions, give them all the information they need. Help them see that big picture.

It is with that hope (that people will move to assessing the risk to objectives, which is consistent with both ISO 31000 and COSO ERM) that I first wrote Making Business Sense of Technology Risk, and then modified it to focus on cyber risk with Understanding the Business Risk that is Cyber.

What do you think?

  1. David Leong
    June 20, 2023 at 2:39 AM

    I am surprised that so few of top management and the board recognise the risk in IT. Maybe, a change in the qualifying criteria for board directors is sorely required.

    • Norman Marks
      June 20, 2023 at 5:40 AM

      David, I would be surprised if they didn’t know there was a risk in technology. My take is that what they are getting from the CISO, which they may call a risk assessment, is of little value because it is in technobabble: risk to information assets.
