Today’s security executives, such as CISOs, play a crucial role in helping the board and C-suite understand the growing and complex cybersecurity risks their organizations face. Corporate leaders want answers, but they need an “interpreter” who can spare them the technical jargon and help them align risk to business initiatives, such as new products, markets, and operational improvements, to support strategic decisions.
It’s not an easy task. In fact, SVP-level respondents to the 2023 RiskOptics Cyber Risk Viewpoints Report say that leadership’s lack of understanding of cyber and IT risk is their biggest challenge.
The report addresses important questions that organizations face as they work to improve their risk management program. Here are seven.
Why is communication important to risk management?
When stakeholders can easily communicate and understand risk, risk management can begin to move from a reactive exercise to a proactive, strategic business advantage. This allows the C-suite and board to bridge the gap between strategy and tactics when dealing with both risk and opportunity, and supports the informed decision-making that drives business growth.
Rather than serving as nay-sayers who put the brakes on strategic objectives, security executives need to position themselves further upstream, so that they are engaged in the strategic process itself. Engaged early, they become enablers of strategic initiatives instead of obstacles to them.
How well are organizations communicating risk?
When it comes to how successfully organizations are actually communicating cybersecurity risk so that it factors into strategic decisions, the report uncovered a disconnect.
C-suite and SVP respondents were much more likely to say that they were “extremely confident” that leadership uses cyber and IT risk for strategic planning than respondents closer to the front lines. This suggests that leaders may not fully understand their organization’s cybersecurity risks, or how well those risks are actually being factored into decisions.
The great communication disconnect.
Leaders are more confident than security professionals in their ability to factor risk into strategic decision-making. Share of respondents who say they are “extremely confident” in risk-informed decision making:
- C-suite: 56%
- SVPs: 65%
- Directors: 44%
- Managers: 37%
Where is communication breaking down?
Given the pace of change, cyber and IT risk management remains a confusing space, even for those who work in it. In fact, fewer than half of the survey’s respondents defined the basic terms “risk” and “threat” the same way.
- 45% defined risk the same way
- 47% defined threat the same way
How are security executives communicating the impact of IT risk on specific business initiatives?
When it comes to communicating risk to leadership, the report finds that most respondents still rely on numbers such as risk scores that executives and board members may not find helpful, especially when those numbers are delivered without the context of how the risk affects a specific business initiative, ideally expressed in dollars and cents.
Worse, over a fifth (21%) of respondents say they do not communicate risk around specific business initiatives at all, a figure that reaches 36% among manufacturers.
The message isn’t getting through.
Top ways that security executives communicate risk information:
- Risk assessments and residual risk scores (65%)
- Answering specific questions given by leadership (64%)
- Sharing the results of an internal audit (56%)
- Assigning monetary amounts to cyber/IT risk (56%)
How often do security executives communicate risk?
InfoSec teams should be prepared to deliver risk information to leadership on a regular basis, though the survey indicates that the cadence varies considerably by industry. (See sidebar.)
The ideal cadence would be one that’s closely aligned to strategic decision-making and progress reviews so that new risks can be addressed as they arise.
Different industries communicate risk at different rates:
- Healthcare: Quarterly or monthly
- Manufacturing: Weekly
How can security executives improve communication?
More important than how often risk is communicated is that it’s communicated in a way that makes sense in the context of business initiatives.
Business leaders want to know how risk affects the goals they have set for the organization. For security executives, the best way to align risk management with strategic initiatives is to open the conversation with their leaders by asking questions such as:
- How do you assess the risk in current or future business practices?
- How do you know what business areas are impacting your risk posture the most?
- If a control fails and increases residual risk, how do you know?
- What are you really trying to accomplish? What are you trying to keep safe?
Asking these questions helps security executives collaborate with the business to align risk management with strategic priorities, determine the risk appetite for each strategic initiative, and find ways to bring the risk within that appetite.
Is there any good news?
Yes! Communicating with leadership is moving in the right direction.
While some cyber risk and IT leaders have difficulty communicating risk to executives, 50% of respondents are extremely confident that leaders within their organization tie cyber/IT risk to strategic planning.
Likewise, when it comes to priorities, respondents said they believed their organization’s leadership prioritizes identifying and mitigating cyber and IT risk ahead of other initiatives, such as supplying the latest technology or providing training.
The RiskOptics ROAR Platform provides a unified, real-time view of risk and compliance framed around business priorities, enabling CISOs and InfoSec teams to take a proactive approach to risk management while reducing manual work and surfacing hidden risk.
Quantify the impact of risk on your business, communicate that impact to key stakeholders, and mitigate expensive data breaches, system failures, lost opportunities, and vulnerabilities across your own and third-party data, all while adhering to compliance requirements.
Download the 2023 RiskOptics Cyber Risk Viewpoints Report now to learn more.