Trends in risk profiling and communication of risk in the business

A risk profile is a summary that provides financial impact estimates for all the risks associated with a business unit or activity. Risk profiles are documented and visualized using different methods, but they are typically based on estimates of the probability and impact of a list of identified risks. There is a recent trend towards the use of dashboards to articulate a risk profile visually. Visualization can convey more than words and can help organizational stakeholders spot trends and make revenue-impacting decisions with clarity and speed. Risk managers try many ways to capture reliable and telling data and to depict that data with images that their colleagues, executives or board members, despite their varying roles and backgrounds, can easily understand. Data visualization exposes information and clarifies complex concepts, which allows quicker decision making. Simply put, data is easier to understand when presented in a graphical format, and this is especially true when the decision is complex. The best data visualization tools go further: they let you efficiently and independently query the information you are seeking and let you receive customized alerts so you can make timely and informed decisions. Yet, as a November 2018 McKinsey article pointed out, risk communication is usually poorly structured. Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs) that are inconsistent and usually carry too high a level of detail. Research from Osterman Research indicates that most IT and security executives use manually compiled spreadsheets to report cyber risk data to their boards; unsurprisingly, many board members are dissatisfied with the reports they receive.
What do actionable metrics look like? Making risk visual

What do you measure to show what "good" looks like when it comes to cybersecurity? Experts suggest the following factors:
- Exposure and risk position for the overall firm, and then segmented by business unit, location or technological structure (network, cloud, node, etc.)
- Number or frequency of attack vectors exposed in the firm, by business unit
- Allocation of resources in relation to the financial impact of the assessed risk
- Maturity score by NIST framework domain (for example, by NIST Cybersecurity Framework function)
- Cybersecurity spending as a percentage of IT spending, as well as per FTE
- Number of cyber risk FTEs as a percentage of information security and total IT personnel
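The first three factors above, together with the definition of a risk profile as probability-times-impact estimates over a list of identified risks, reduce to a roll-up that a dashboard has to compute before it can plot anything. The following is an added example, not code from the original article: a small Python risk register that validates the estimates, rolls expected annual loss up by business unit and by technological layer, counts exposed attack vectors per unit, and relates security spend to the exposure it is meant to cover. Every risk entry, spend figure and segment name is constructed and hypothetical.

```python
"""Risk-profile roll-up: turn a register of (probability, impact) estimates into
the segment-level exposure figures a board dashboard would plot.

Added example, not code from the original article. All risk entries, spend
figures and segment names below are constructed and hypothetical."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    business_unit: str
    layer: str           # technological structure: network, cloud, node, ...
    probability: float   # estimated annual likelihood, 0.0 .. 1.0
    impact: float        # estimated financial impact if the risk is realised

    def expected_loss(self) -> float:
        """Annualised expected loss for one identified risk."""
        return self.probability * self.impact


def validate(register: list[Risk]) -> None:
    """Reject estimates a dashboard would otherwise silently mis-plot."""
    for r in register:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"{r.name}: probability {r.probability} outside [0, 1]")
        if r.impact < 0:
            raise ValueError(f"{r.name}: negative impact {r.impact}")


def total_exposure(register: list[Risk]) -> float:
    """Firm-wide exposure: sum of expected losses over the whole register."""
    validate(register)
    return sum(r.expected_loss() for r in register)


def exposure_by(register: list[Risk], segment: str) -> dict[str, float]:
    """Exposure rolled up by a Risk attribute, e.g. 'business_unit' or 'layer'."""
    validate(register)
    totals: dict[str, float] = defaultdict(float)
    for r in register:
        totals[getattr(r, segment)] += r.expected_loss()
    return dict(totals)


def attack_vectors_by_unit(register: list[Risk]) -> dict[str, int]:
    """Number of distinct exposed layers (attack vectors) per business unit."""
    layers: dict[str, set[str]] = defaultdict(set)
    for r in register:
        layers[r.business_unit].add(r.layer)
    return {bu: len(s) for bu, s in layers.items()}


def allocation_ratio(exposure: dict[str, float], spend: dict[str, float]) -> dict[str, float]:
    """Security spend per unit of expected loss, per segment.

    Ratios well below 1 flag segments whose budget is small relative to the loss
    they carry; ratios well above 1 flag segments that may be over-resourced."""
    return {seg: spend.get(seg, 0.0) / loss for seg, loss in exposure.items() if loss > 0}


def ranked(figures: dict[str, float]) -> list[tuple[str, float]]:
    """Largest figure first, the order a dashboard bar chart would use."""
    return sorted(figures.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample register (hypothetical risks, units and estimates).
REGISTER = [
    Risk("Unpatched VPN appliance", "Retail", "network", 0.30, 2_000_000),
    Risk("World-readable object storage bucket", "Retail", "cloud", 0.20, 500_000),
    Risk("Ransomware on file server", "Manufacturing", "node", 0.10, 8_000_000),
    Risk("Phishing-led credential theft", "Manufacturing", "node", 0.40, 300_000),
    Risk("Over-privileged IAM role", "Finance", "cloud", 0.05, 4_000_000),
]

# Constructed annual security spend per business unit (hypothetical).
SPEND = {"Retail": 350_000, "Manufacturing": 230_000, "Finance": 400_000}

if __name__ == "__main__":
    print("Firm-wide expected annual loss:", total_exposure(REGISTER))
    by_unit = exposure_by(REGISTER, "business_unit")
    print("By business unit:", ranked(by_unit))
    print("By layer:", ranked(exposure_by(REGISTER, "layer")))
    print("Attack vectors per unit:", attack_vectors_by_unit(REGISTER))
    print("Spend per unit of expected loss:", allocation_ratio(by_unit, SPEND))
```

With the constructed figures, Manufacturing carries the largest expected loss but the lowest spend-to-exposure ratio, which is exactly the kind of mismatch between resource allocation and assessed financial impact that the third factor above is meant to surface; the same register rolled up by layer shows node-level risk dominating even though the single largest impact estimate sits in the cloud.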
Summary

For both regulatory and financial reasons, board-level executives need cyber risk information to support business decisions. This means having access to drill-down capabilities that show gap analyses from the category level down to the control level for the frameworks or standards in use. These might include the NIST Cybersecurity Framework, the CIS Critical Security Controls or ISO/IEC 27002, as well as privacy frameworks and regulations such as the NIST Privacy Framework and the emerging California Consumer Privacy Act (CCPA). Dashboards that tie to these frameworks do exist, but they need to be usable for communicating actionable activities and resource allocation, not just as a reporting mechanism for regulatory bodies and shareholders.
Author Profile: Dr. Alea Fairchild, Principal Advisor, Technology Enablement, Ecosystm. Dr. Alea Fairchild is a technology commentator and infrastructure specialist. Alea covers the convergence of technology in the cloud, mobile and social spaces. She has a passion for the design and optimisation of physical spaces, exploring how technology can enhance user experiences. Alea helps global enterprises profit from digital process redesign. Outside of her work with Ecosystm, Alea is a Research Fellow at The Constantia Institute, a Brussels-based technology policy think-tank focusing on innovation and technological advances and their impact on industry and society. She also teaches graduate courses in technology marketing at KU Leuven in Belgium. Alea received her Doctorate in Applied Economics from Univ. Hasselt in Belgium based on her research in the area of banking and technology. She also holds a Bachelor's degree in Business Management and Marketing from Cornell University. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.