By Christophe Veltsos, PhD
April 25th, 2016
A recent report by Deloitte entitled 10 Questions You Should Be Asking to Embrace Risk and Lead Confidently in a Volatile World contains key recommendations for business executives to ensure their organization’s survival in the face of uncertainty. The main themes of the report include the need for executives and directors to be aware of their own biases, to value differing opinions, to protect the organization’s reputation, to prepare for the next crisis, and to ensure lessons are drawn from every crisis. However, the last two questions stand out as they relate strongly to the cybersecurity field:
Question 9 – “Is my risk team giving me the confidence I need to make high-stakes decisions?”
The report cautions business leaders about the danger of treating the risk function as a mere compliance exercise. It also warns against language and terminology that can feel foreign to these leaders. So, how should an organization report on its cybersecurity efforts so that leaders can make confident decisions? How can the CISO elevate the conversation and provide expertise and consultation to business leaders on matters related to cyber risk?
Question 10 – “Am I engaging our board’s expertise to navigate uncertainty?”
Here, Deloitte reminds executives to fully leverage the expertise the board can provide. However, to do so, the business has to ensure that information is presented in a way that is clear, consistent, and easy to understand by people with varying levels of expertise in the domain being presented. This is especially true for cybersecurity. How can the business present cybersecurity-related information in a clear, consistent manner that executives and directors can readily understand?
To bridge the gap between the CISO, the executives, and the board, one can look at the MAPP approach: Maturity Assessment, Profile, and Plan. This approach works by first assessing the maturity of the organization’s security processes. That assessment can then be translated into diagrams and visuals that support high-level presentations and discussions with executives and directors about the organization’s current cybersecurity profile, and about how best to direct future investments to balance cyber risk while supporting the business’s ability to grow. The MAPP approach enables information security and risk leaders to become strategic partners of senior management.
“MAPP helps CISOs create and communicate an information security roadmap to guide the organization’s security activities.” — MAPP White Paper