CEO to CISO: How to Debunk the Myths About Why Risk Management Is Difficult
Minding the communication gap
In this year’s annual PwC CEO survey,1 CEOs around the globe were asked to think carefully about the data they consider critical for making decisions about the long-term success and durability of their business. They were then asked to score how comprehensive the data they received was. Over 87% felt that data about the risks to which the business is exposed is incredibly critical to success. However, only 23% felt the data was comprehensive. Even worse: CEOs felt that the comprehensiveness of the data had not improved dramatically over the past ten years! Why is quantifying and communicating risk such a challenge?
We recently engaged in a lively discussion2 with two risk measurement and risk management experts, Jack Jones of the FAIR Institute and Gaurav “GP” Pal of stackArmor. Both shared interesting perspectives on the challenges that risk professionals face in quantifying risk. They also pointed out several myths that must be debunked before we can elevate the risk measurement profession to the point where risk professionals can more effectively articulate risk posture and corporate priorities to their Boards and CEOs. Here are a few of these myths:
Myth #1 – Not all risk can be quantified
In a recently published survey by Aon, only 24% of the respondents said that they quantified their top ten risks. This is a shocking statistic given that “as more organizations have tightened their risk management budgets in response to changing market factors, quantification is an effective way to prioritize risks and decide what corrective actions to take.”3 Jack Jones explains that everything in our problem space (as information risk professionals) can be quantified. One of the first steps is to ensure that we are truly clarifying what risk actually is. Many refer to damage to reputation/brand as a risk; however, this is really an outcome. For example, business interruption or cyberattacks, when made public, may result in brand/reputation damage. As Jack puts it, “brand damage never happens without a loss event that catalyzes it.” The key takeaway is to clearly understand the things we can measure—the areas that we can clearly define as risk.
Myth #2 – Risk measurement must be precise
As Gaurav Pal points out, the typical engineering mindset is to classify things as being either an art or a science. The science of risk management has been viewed as an art in the past, specifically as it relates to quantification, because it has been so difficult to put real numbers behind the process. Jack points out that we need to “set aside the notion of measuring precisely. Accuracy is important to a certain degree of precision.” However, risk management does not have to be 100% precise. In the IT risk space, we have enough data to compute risk to a fairly accurate level of precision. The FAIR methodology helps with this. This analytical model is an objective way to measure risk. FAIR decomposes risk into its discrete components and helps to define the type of data you need as inputs. This scientific approach is ground-breaking and rapidly gaining followers because of its inherent simplicity. The added value is the ability to draw on peers who, through their experience and risk maturity, help to identify and mitigate the risk factors that are common in the industry.
Myth #3 – Risk measurement is difficult
The risk landscape is dynamic and complex. Add to that the fact that most companies have limited resources. This is why it’s important to prioritize. If we’re not good at measuring, we won’t be good at prioritizing and won’t be able to tackle the key initiatives needed to effectively manage risk. To address the issue of accuracy versus precision, as a risk professional you must be diligent in scoping what it is you need to measure. For example, clearly define the threat agent, the asset at risk, the vector, or the type of loss event. This has to be done before you can actually apply a methodology like FAIR. Again, Jack points out that, “FAIR, with a bit of rigor around scoping, makes risk measurement not nearly as difficult.”
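To make the “accurate but not precise” point concrete, here is an added example (not code from the FAIR Institute, stackArmor, or this blog) that takes one scoped scenario, with a named threat agent, asset, vector, and loss event as described above, expresses each FAIR-style input as a calibrated range rather than a single number, and runs a Monte Carlo simulation to produce an annualized loss exposure range. The scenario values, the triangular distributions, and the simplified decomposition (loss event frequency = threat event frequency × vulnerability; loss magnitude = primary + secondary loss) are all assumptions chosen for illustration.

```python
import random
import statistics

# Constructed, illustrative calibrated estimates as (min, most likely, max).
# Scope (assumed for this example): threat agent = external attacker,
# asset = customer database, vector = stolen credentials, loss event = data breach.
SCENARIO = {
    "threat_event_frequency": (2.0, 6.0, 12.0),   # threat events per year
    "vulnerability": (0.05, 0.15, 0.35),          # P(threat event becomes a loss event)
    "primary_loss": (50_000, 200_000, 800_000),   # USD per loss event (response, recovery)
    "secondary_loss": (0, 100_000, 1_500_000),    # USD per loss event (fines, churn)
}


def sample(rng, estimate):
    """Draw one value from a triangular distribution over a (min, mode, max) range."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)


def annualized_loss(rng, scenario):
    """One Monte Carlo trial: loss event frequency x loss magnitude (simplified FAIR)."""
    lef = sample(rng, scenario["threat_event_frequency"]) * sample(rng, scenario["vulnerability"])
    magnitude = sample(rng, scenario["primary_loss"]) + sample(rng, scenario["secondary_loss"])
    return lef * magnitude


def simulate(scenario, trials=20_000, seed=1):
    """Return a loss exposure range (percentiles and mean) instead of a single point value."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    losses = sorted(annualized_loss(rng, scenario) for _ in range(trials))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"p10": pct(0.10), "median": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(losses)}


if __name__ == "__main__":
    result = simulate(SCENARIO)
    # The report to the board is a range, which is accurate even though it is not precise.
    for key, value in result.items():
        print(f"{key:>6}: ${value:,.0f}")
```

Narrowing any input range (for example, after obtaining a complete device inventory) tightens the p10–p90 spread without changing the method, which is the practical meaning of improving precision while staying accurate.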
Having full device visibility improves accuracy and precision. With a degree of certainty, risk professionals can analyze a complete list of assets and identify the ones at risk, the likely threat vectors and the potential loss events associated with that category of device. This is the first in a series of blogs where we will summarize this insightful conversation with Jack and GP.
Footnote: