CISO Summit No. 27: Reporting and Risk Communication: What are good approaches based on experience?
It is very simple: CISOs need more security investments to improve security.
Decision-makers want to innovate businesses and create more revenue. In this role, decision-makers must be risk-takers: no risk means no new business. On the other hand, CISOs feel responsible for the company’s security and hate to have serious incidents. The anger would be even higher if a serious incident could have been avoided with a recently rejected security project proposal. And the natural tendency of CISOs is to be risk-averse. CISOs must be aware of this opposing attitude of the decision-makers.
In the analysis of optimizing this ecosystem, there are two tools CISOs are using:
Reporting: This is how decision-makers receive information. The assumption here is that they have received sufficient education and know how to process the information.
Risk communication and reporting: Cyber risks are not within the core competence of decision-makers, and cyber risks compete with many other risks for funding. The usual way of evaluating risk by likelihood and anticipated damage is somewhat shaky because it is often a rather heuristic approach. Science and companies are developing new tools to make the risk assessment process more transparent and traceable. Does this change the mind of the decision-maker? Of course, there is still a gap between formal risk and business impact. But only business impact is relevant for decision-makers, and a CVSS vulnerability score does not usually trigger any action on its own.
The addressees of these efforts are the board and executive management. Both addressees have different roles, and we want to elaborate on these roles and on how they vary between the companies that will be present.
This summit aims to let participants enrich each other with strategies, a successful mix of reporting and risk communication, and topics and methodologies that look great on paper but work less well in this context. Marcel Zumbühl will open with the board perspective. We can learn how to prepare the communication around the most important facts and to eliminate everything that bothers the decision-maker but has no real effect.
As a result, we hope that less work will be needed, because prepared information is more targeted and tuned to the decision-maker. And probably, in some cases, also a new dimension of humility, because we gain better acceptance and understanding of the decision-maker’s views.
(Tuesday) 12:00 - 19:00
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich