Returning from the Shared Assessment Summit 2019 last week, I was struck by one repeated message: CISOs and Board of Directors members are still struggling to assess and communicate risk. Early in the Summit Agenda, a CISO Panel discussion on “What CISOs are facing today and in the Future” emphasized that CISOs are under a lot of stress. Steve Katz – perhaps the industry’s “first CISO” as Head of Security at JP Morgan in 1985 – struck a humorous note:
But other panelists referred to the “Life Inside the Perimeter Report: Understanding the Modern CISO [PDF]” study’s more concerning message: “Nearly 17% of CISOs are either medicating or using alcohol to deal with job stress.”
According to James Lam, President of James Lam & Associates, it is disruptive risks that are keeping Board members awake at night. Lam cited a National Association of Corporate Directors (NACD) poll finding that although 82% of Directors are confident their organizations can deal with known risks, only 19% are comfortable with disruptive risks.
Lam explains three types of disruptive risks in his NACD article “An Animal Kingdom Of Disruptive Risks (login required)” All can cause high impacts, the difference is in their likelihood and predictability. Take a look.
|Type of Risk||Avatar||Challenge||Solution||Example|
|Unknown unknowns||Black Swans||Predictability||Resilience||9/11|
|Known unknowns||Gray Rhinos||Inertia||Agility||Quantum cryptography|
|Known knowns||White Elephants||Subjectivity||Principled governance||Me too|
Lam then recommended a methodology for performing scenario-based analysis that can help executives get a better grip on disruptive risk.
Risk Frameworks and Risk Appetite Panel
Noting that cyber risk itself has been considered highly disruptive, the panel after Lam continued the exploration of how we can help executives get a grip. Paraphrasing Jack Jones, Executive VP of Research & Development and Co-Founder of RiskLens and FAIR Intitute: “Frameworks are either checklists of good practices (like NIST Cybersecurity Framework) or analytical methodologies (like Factor Analysis of Information Risk (FAIR)). While useful, checklists fail to connect the dots and can cause our critical thinking skills to atrophy. Perhaps that’s why, in my experience, this old advertising adage applies also to cybersecurity: ‘Half of the dollars we spend are wasted, we just don’t know which half.’ Quantitative risk analysis with FAIR can help us figure that out…”
In Boards we Trust Panel
This panel examined how to communicate risk to the Board, and some of challenges with the way Boards look at risk. Panelists noted that Board members can easily become overwhelmed – or over-PowerPointed – with technical cybersecurity issues. Shamla Naidoo, IBM’s former Global CISO, has observed frustration with CISOs: “Why is that the CFO brings 2 risks, Legal brings one big litigation risk, but the CISO brings 55 risks and a lot of confusion? We tend to overstay our welcome, and need to simplify our message. In the board room I am always under scrutiny and seeking to demonstrate my ability to be accountable and to lead.”
Chuck Yamarone, Board Chair for El Paso Electric observed: “Management should always offer a solution. The Board’s job is oversight, not to figure out solutions.” He also noted: “When I see silos I know I have a problem…” CISOs need to do their homework – clearly – and seek alignment with other business leaders before presenting to the Board.
At the same time, Boards have oversight challenges of their own. Naidoo said: “I think Board committee structures are fundamentally flawed and are creating silos.” The Board members on the panel agreed Naidoo’s observation is valid in some cases. Paraphrasing Yamarone’s comment: “We combat that by scheduling more plenary time with the whole Board, rotating people on committees, or cross-fertilizing membership. For example, we might have someone on both the Audit and Risk Committees.”