In our previous episode of Risk Journeys Scott shared some Axio stories, from interacting with a CISO of a petrochemical refinery to the limit in focusing solely on HIPAA regulations when assessing risk. In this episode we talk about the power in effective CISO communication as well as Scott’s experience in the cyber solutions insurance business.
Not being able to communicate what you have to lose makes risk management a challenging business endeavor.
You often encounter CISOs having difficulty trying to get their message across to the other members of the management team. Can you share what you’ve experienced over the years?
It starts with the way the security community speaks amongst themselves. It’s not exactly in a language that is understood by other executives and often isn’t translated into a financial impact. Instead, there’s a lot of technical terminology. Or, a qualitative view of excellent, good, and needs improvement. And to complicate matters, we’ve seen organizations spend more and more money to achieve this excellent state, but still end up getting breached. So yes, the CISO sometimes has a bit of explaining to do and this can lead to challenging communication.
So how can CISOs address this communication challenge?
it starts with the right context. You will inevitably make the wrong decisions or not truly understand how to address security problems if your view of cyber risk is limited to current threat and attack trends. Assessments are crucial as a starting point, but how do you really take action afterwards? Saying you are successful at defeating 99.9% of intrusion attempts against the company means very little to others outside the security org.
Risk reporting is more than just a traffic light on your journey.
That’s a great segue into your role at Axio, helping change the mentality behind cyber reporting directives. Our team often talks about how insufficient a color chart with reds, yellows and greens is for risk reporting.
Yes. One must consider how much value and decisive action a CFO and the Board of Directors can take form analyzing a color chart of security risks. At the end of the day, business leaders need to understand what cyber or digital risk means to them from a monetary perspective and what they ought to pay attention to in a language that makes sense to them: like dollars and cents. Imagine a cybersecurity leader who did an assessment the prior year and said the organization completed 13 of 15 things on their improvement roadmap. And s/he points to 12 tiles showing performance areas. Eight are green, two are yellow, two are red. So from a first impression, it seems like they’re doing a good job from relative terms. But risk is much more than just a traffic light.
So perhaps one of the tiles may be an $82 million type of event. What do you really know about it:
- How could it happen?
- Why would it happen?
- Somebody’s motivated to make that happen perhaps?
- Are we doing what we should be doing, to protect against it?
- How do we stack relative to our peers?
- Do we know that other people have that same type of risk?
- And If they do, what are they doing?
- Are we doing what they’re doing or are we doing it better, if that thing does happen to us?
- And let’s not forget: what’s our recovery plan? Do we have enough insurance?
Fortunately, Quantification enables you to prioritize your risk attention based on what’s going to make the biggest impact for the business, and/or be the most detrimental to the business.
Looking at cyber insurance as an insider and outsider
Given your extensive experience in the cyber solutions insurance business, we had to ask about themes seen at Axio as we continue to build and perfect cyber risk management information systems.
In regards to insurance in general, a lot of times companies will set their insurance retention or deductibles, based on what they can pay out of pocket and not get hurt by in the public sphere by industry analysts and subsequent changes in stock price. But do they have tools to calculate the number?
So, imagine a company that decides to set insurance deductibles at 5 million dollars. Consider it an explicit indicator of their risk perception. Let’s say they have a loss of over 5 million, then they will be compensated for it, but if it’s under 5 million, they can take the hit and be fine. That sends a clear message of their view on financial health.
This type of analogy is actually aligned so closely to what Axio is working so hard to make simple: Quantification.
Quantification answers a similar question in uniting the CISO and the CFO to work together in making appropriate decisions. It essentially allows business leaders to pay attention based on what’s going to make the biggest impact for them, or conversely the most detrimental to their business.
This concludes our third episode of Risk Journeys. In our fourth and final episode, we take a step back to talk about the power of understanding the current state of your cybersecurity program. We quickly learn it’s much more than finding a starting point for a roadmap. We also get a bit personal and learn Scott’s favorite part of his job.
Thanks for reading Risk Journeys! Every week we highlight a different team member, sharing their story and viewpoints.