The secret to motivating leadership about digital risk?

There is no digital risk

Originally Published at CSO Magazine

Awareness campaigns — though important — are not enough for senior leadership. What can you do to help them understand and engage in digital risk management? Here are 4 practical steps you can take.

Almost every industry has had its “poster boy” digital incident by now. These have ranged from classic cyber — like account hack-and-theft — to more emerging types of digital incidents — like an accidental exposure of sensitive data to the cloud or global-network-crippling misconfigurations. The answer we always hear after an incident is “we need to make employees more aware!” That is only part of the answer. You need to give the right people — your executive leaders — more than awareness. Give them motivation.

Despite the countless sleepless nights that go into cybersecurity awareness campaigns like October’s National Cyber Security Awareness Month (and I know all about lost sleep, as I was part of the internal implementation of NCSAM at the Department of Homeland Security for seven years), cyber and digital incidents keep happening. The Chief Information Security Officer is paraded before Congress or the Executive Board and summarily fired. Policies get written. Life persists and the cycle continues.

This, of course, is changing with an increase in corporate executive responsibility for digital incidents. We saw it with Equifax CEO Richard Smith, who appeared before Congress to take “responsibility” for his company’s massive credit record breach—but not before placing culpability on the shoulders of an individual in Equifax’s IT department. One has to wonder, had Equifax’s senior leadership team been more engaged and motivated in managing digital risk, would that patch have been the sole responsibility of a single IT staffer and might Smith still be CEO today?

Of course, it takes more than job security to motivate an executive, but not much.

So, what else can we do to motivate our business leaders?

1. Recognize that there really is no such thing as cyber or digital risk

I hate to burst bubbles but pick another noun. There are digital factors, digital enablers, cyber exposures, and so on. At the end of the day, these all result in losses to the business. In a digital world, digital risk is business risk. We can continue to think “cyber” and “digital,” but we need to communicate to our leadership in terms of business risk.

Case in point: I know I shouldn’t eat so many cheeseburgers, but I go to my doctor to find out about my risk of a heart attack, not my “Cheeseburger Risk.”

If your leadership lives and breathes risk categories like Market Risk and Strategic Risk, you will be hard-pressed to elevate Cyber Risk into that list, even though they are aware that cyber is a big deal.

If your organization has a published risk register or list of risk categories, start there and find the overlap. Focus your communication against those risk categories that have the most digital exposure.

2. Go the extra step in communicating impact

If, as CISO or CSO, you have a concern about a particular digital exposure, your best bet is to paint a picture of tomorrow using your leadership’s concerns as motivating factors.

Take the time to do the tabletop or thought exercise necessary to imagine and articulate how compromise of that digital exposure can directly lead to a leak of intellectual property, for example. Then take it a step further and frame the impact using their risk category. The risk is not “intellectual property data can leak.” The risk is “we lose strategic advantage and are unable to compete.”

Placing a loss impact on a scenario is challenging, to be sure. There is still no actuarial table for digital scenarios. However, if you are able to articulate a business loss scenario and work with the business lines (not your business information security team), they should be able to help you estimate a potential impact range. Even a wide loss range at 90% confidence provides business information value.

Working closely with your lines of business is also a terrific source of non-cyber, digital loss scenarios you might not have considered.

3. Use real numbers in your reporting, not subjective ones

Risk communication is not about ghost stories and boogeymen. Your business leaders have great instincts and need real numbers to make decisions, not hunches. Traditional heat maps based on expert judgment provide little objective data for leadership. Likewise, a list of three or four compliance or performance metrics without context and business impact is not valuable as Key Risk Indicators (KRIs).

Find a risk framework that allows you to use input from your cyber and other business systems to construct digital exposure scenarios. From these, you can communicate why improving your asset management is important and how the business can be impacted if you fail to improve, as examples.

This is not easy and can certainly be a challenge, with many disparate number formats and stove-piped systems to choose from. However, if you are able to key into the business risks that most concern your business leaders and demonstrate the direct benefit of improving the metrics you highlight, leadership will be much more motivated to provide resources and support.
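One way to turn the 90%-confidence loss range from step 2 and the "real numbers" of step 3 into a reportable figure, as an added example that is not part of the original article: each scenario carries a business risk category, an annual probability, and a calibrated low/high loss range; the range is fitted to a lognormal distribution and a Monte Carlo run produces an expected annual loss and tail percentiles. The scenario names, probabilities and dollar ranges below are constructed for illustration.

```python
import math
import random

# z-score bounding the central 90% of a normal distribution (5th/95th percentiles)
Z_90 = 1.6448536269514722


def lognormal_from_ci(low, high):
    """Fit lognormal (mu, sigma) so that [low, high] is the 90% confidence range."""
    if not 0 < low < high:
        raise ValueError("loss range must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def lognormal_percentile(mu, sigma, z):
    """Loss value at a given z-score of the fitted distribution."""
    return math.exp(mu + sigma * z)


def annual_loss_samples(scenarios, years=20000, seed=7):
    """Simulate `years` years: each scenario fires with its annual probability
    and, if it fires, draws its loss from the fitted lognormal range."""
    rng = random.Random(seed)
    fitted = [(s["annual_probability"], *lognormal_from_ci(s["low"], s["high"]))
              for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for p, mu, sigma in fitted:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def report(scenarios, years=20000, seed=7):
    """Numbers a board can read: expected annual loss plus 50/90/95th percentiles."""
    totals = annual_loss_samples(scenarios, years, seed)
    return {"expected_annual_loss": sum(totals) / len(totals),
            "p50": percentile(totals, 0.50), "p90": percentile(totals, 0.90),
            "p95": percentile(totals, 0.95)}


# Constructed sample scenarios, each framed in a business risk category (hypothetical)
SCENARIOS = [
    {"name": "IP leak via compromised developer account", "risk_category": "Strategic",
     "annual_probability": 0.10, "low": 2_000_000, "high": 40_000_000},
    {"name": "Cloud storage exposure of customer data", "risk_category": "Reputational",
     "annual_probability": 0.25, "low": 250_000, "high": 5_000_000},
]

if __name__ == "__main__":
    for key, value in report(SCENARIOS).items():
        print(f"{key}: ${value:,.0f}")
```

The low/high inputs come from the business lines, as the article advises, and the output is reported against their risk category rather than as a "cyber" figure.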

4. Be consistent, but not static

Digital exposures are dynamic. Be consistent in the business risks against which you report and in the scenarios you use. Avoid the compliance trap, which is spending a full year or even a quarter in trying to fix two or three issues. When one metric is improving and the risk exposure to the business is reducing, you have an opportunity to elevate new and emerging metrics and exposures.

You should certainly highlight past KRIs as they improve — to show your success and prove value in your program. There are, however, always new exposures or new scenarios to consider.

Corporate executives and other non-technical leadership are beginning to bear the responsibility for making wise decisions around digital risk. Part of the challenge in digital risk management is communication. Risk management is about identification and reduction, not elimination. The reflex response for many technical practitioners is to simplify risk communications so the non-technical can “understand it.” This leads to disengaged leadership who get caught unaware of the existential business risks exposed by technology.

Continue awareness for your employees as part of your cybersecurity program. Get engaged with National Cyber Security Awareness Month. Awareness is a critical part of your organization’s cyber hygiene. However, shift your leadership reporting to business risk.

Reframing your risk reporting using categories that motivate leadership and backing up your conclusions with defensible measurement will break through a communications barrier that has long kept “cyber” from being a core part of business “risk” leadership.