Risk Communication: Bridging the Gap between Risk Professionals and Executives (Panel)

About this session

This topic explores the challenges and strategies for effective risk communication between risk professionals and organizational executives. It discusses techniques for translating complex risks into business language, facilitating risk-informed decision-making, and improving risk reporting practices.

Outline:

  • Challenges and barriers to effective risk communication
  • Techniques for translating complex risks into business language
  • Engaging and educating organizational executives on risk management
  • Enhancing risk reporting practices to facilitate decision making
  • Collaborative approaches for aligning risk communication with strategic goals

Transcript:

Speaker 1 - 00:06 You.

Speaker 2 - 00:08 Want us to start or how does that work?

Speaker 1 - 00:13 Yeah, welcome to this session and over to you.

Speaker 2 - 00:16 Just give a quick introduction to the topic and the participants and then take this very important topic. I can say a few words to start, but anybody else can. Yeah, not pushing free. I think the topic is overlapping with the topic of how does cybersecurity talk to management or how does a CISO talk to the executive team. Here it is a bit more specific because based on the headline we’re talking about the risk professionals, but in principle talking to executives I would imagine is the executive team or could even be the board, depending on the situation because the board has typically risk responsibility. So it probably is a two level thing. One is the executive side and the other one is the board.

Speaker 2 - 01:18 And to launch a bit of a discussion and to make it a bit kind of black and white where we can paint the gray levels later, what I noticed in my consulting practice is that many CISOs or many senior guys or even risk professionals, typically even the CISOs, are very technical in many ways, and because most of the problems they have to solve are very technical, sometimes they are part of IT, sometimes they’re separate from it. Sometimes they report to the CFO or to someone. They are maybe one layer or two layers away from the executive management team. And they are very often, most of them, very technical. And so one of the big challenges is to talk the same language between these two sides.

Speaker 2 - 02:24 One, the executive management does not understand the technical things, the technical guys don’t understand the management things. So we have to find a way to talk the same language. And I think generally speaking, the first step is for the cybersecurity or the risk professionals to acquire a bit of management know-how. I think especially security costs a lot more these days. We have to behave like any other department in a company: having management know-how, talking the same language, understanding the way the company is managed independently of the technical area is one very big thing. The other thing is clearly education of the executive, maybe a topic by itself. What is practical, what is acceptable at that height depends a bit on the style of the companies: small company, medium sized company, MNC, what does it mean?

Speaker 2 - 03:32 I think that’s what I would say, just to get the discussion going a bit general, but we can go in the specific aspect.

Speaker 3 - 03:44 I’m happy to just pick up on that. I think you make some very good points there and I completely agree that there is an issue around finding common language. One thing that I would throw out there is that I’ve always felt that one of the issues is that boards, for example, think that cybersecurity is essentially a technology or an IT conversation and they don’t identify that as being an area where they have expertise. And when you’re on a board or you are a senior exec, you don’t really like to show your vulnerabilities and lack of knowledge. So particularly when it’s going down a specialist route, then actually that essentially means that they probably don’t contribute as much as they would want to because they don’t want to showcase that lack of knowledge or that vulnerability.

Speaker 3 - 04:36 And I think that part of the issue is that cybersecurity from a board perspective, for example, or an ExCo perspective, is not an IT conversation, it’s not a technology conversation, it’s a risk management conversation. And when you change the chip in a lot of these individuals, where you say to them, Maxine, it’s a risk management conversation, and you would happily contribute to risk management in pretty much every area of the business, regardless of whether you have expertise or not, then apply the same level of know-how and general management skill set, et cetera, that you would have in any risk management conversation and kind of go from there. And a very practical example for me is you want to protect the crown jewels of your organization from a cybersecurity perspective.

Speaker 3 - 05:22 Everybody wants that. Now the cybersecurity team or the security team will be able to do that, but they’re not the ones who should decide what the crown jewels are. That really is a decision for the board or for the ExCo. So that is a good example for me where you have risk management as a sort of overlay and then you figure out what you can contribute towards that conversation and then you have different parts playing a role.

Speaker 2 - 05:44 I think one item, and I’m sorry.

Speaker 3 - 05:49 That was the end of my mind.

Speaker 2 - 05:50 I think some of you, and I’m not sure which industries you are working in, so it may be a little bit different, some of you who are at least in the EU, who are for example in the financial industry, will fall under the DORA regulation soon. Normally that’s end of 2024, beginning of 2025. And DORA specifies that the supervisor, the management body, which is basically both the executive team and the board, has to have the proper know-how. And I was facing even regulators a year back which in their audits brought up the point that the management needs to have the know-how, needs to be involved, needs to take the time. And that’s one thing. So I think the topic of it’s no longer possible, at least for senior management, to get away.

Speaker 2 - 06:44 It’s now kind of black and white in some ways, and some of them, because of that or the future or the present, have chosen to get also advisors. The board can have an advisor because it’s a bit independent on cybersecurity to help it in some ways. That’s one thing. The second thing is one of the problems is that security guys sometimes report to the CIO or not. Sometimes even the CIO is not part of the executive team. So there is a number of topics, not only cybersecurity topics, which are not necessarily well understood, even at executive team level, depending on the company, to throw more oil to the.

Speaker 4 - 07:34 So I would like to add a few things on this. So first of all, my name is Matric, I’m a technical architect. I’m working for one of the largest MSP providers in Oxford, in the UK. And that’s what our job is on a daily basis, just to speak to obviously executives and the right people within the industry. And as Guill and Danny said, I think it’s important to us to make sure that we’re speaking to those executives, to the people who are actually making the decision, because security, data protection and all of those things that we’re talking about, they actually start from the top. So obviously, people that we’re speaking to, they need to decide whether they want to go for the changes within their business and that’s where it starts from.

Speaker 4 - 08:24 So I think it’s quite important, as Danny, as you mentioned, speaking to the right people at the top of the organization because we know that it won’t start from down and then obviously everything starts from the top and the main decisions are being made at the top. So this is why this is so important to speak to someone who’s actually making those decisions. Plus, obviously, as we all know, and you can probably all agree that we live in a crazy world at the moment, where data needs to be super protected. Because with all of those SaaS solutions and everything, we actually keep the data everywhere and we need to have the right solutions to make sure that the data is protected, right?

Speaker 4 - 09:07 I think the main point is just to make sure that we’re speaking to someone at the top of the chain who is making those decisions.

Speaker 1 - 09:20 I think sometimes there’s a few things I think sometimes overlooked when we’re talking about, there’s a lot of talking about CISO has to be technical. But at the same time, I think one thing that’s overlooked more often than not is the soft skills. Because when you land yourself in a CISO position, the first thing and foremost you should get to know your executive team. So you have to align your communication style, whether someone’s technical, whether someone’s managerial, how do you deliver your risk communication across various parts of the C suite? So you need to know how you can present stuff that they will understand, align those communication lines, align their knowledge and their perspectives. The first thing I think, when you get to meet them, ask what’s keeping them up at night, what kind of risks are in their particular area.

Speaker 1 - 10:17 Because when you get the buy in and you can deliver value to executives, then you can build those communication lines and actually get something done.

Speaker 2 - 10:25 I think what’s happening also is that some CSOs and risk professionals, sometimes it’s not only the same common language and sort of make it clear, but there are other things which are lacking. The senior guy, the executive, may ask you, so where’s your security strategy? Do you have a document explaining where you want to go? Do you have a roadmap? Do you have any KPIs? Do you have metrics? We can see every monthly update on the risks. How are the metrics and the KPI you’re doing and where you’re going in the future? I think it’s a kind of a mix of things which are typical for a management discussion. There’s nothing unique for security, but this is what they would ask anybody who would bring up something of interest.

Speaker 2 - 11:18 In some ways, I think these instruments or these elements, we must have to fit in the management, let’s say logic in something.

Speaker 4 - 11:32 That’s why actually.

Speaker 5 - 11:36 Well, I’m totally in agreement with all that has been said so far. I mean, based on my experience, I mean, working with the executives from a governance, a GRC perspective. So based on the challenges that I’ve actually encountered dealing with the powers that be within this organization as it relates to risk communication, I have actually been able to develop a strategic approach to actually dealing with this challenge based on the fact that, as you have rightly said, the executives have a particular mindset, they think a certain way. So in order to deal with this, I normally approach this from a more strategic point of view. And I’ve actually developed a particular, I would say maybe a system that I normally use to deal with this sort of a situation. Normally, I would, for example, ask I need to first understand how do executives think?

Speaker 5 - 12:33 What is it that they are thinking about in their boardroom? How do they actually process? What are they communicating? What are the conversations that they have within these boardroom conversations? And then I need to understand, for example, how it is that the business generates revenue. I mean, the bottom line, what is it that’s actually contributing most to the organization, and in terms of what perspective do they have on risk? So with that alignment, with that understanding, then I’m able to align what it is that I’m communicating with their overall business activities within that organization. So that is the way that I’ve actually been able to proactively or positively been able to work with the executives to get them along, as you say, in terms of buying and understanding better from a cybersecurity perspective, risk perspective.

Speaker 3 - 13:32 And can I just, building on that, based on that experience, do you feel that you add as much value to them as they add value to you? Is it a real 50/50 two-way or is it more you’re adding more value or the other way around? How would you see it?

Speaker 5 - 13:51 Well, I would say depending well, based on the environments that I’ve actually been in, I have actually worked along.

Speaker 4 - 13:59 It depends.

Speaker 5 - 14:01 You have people that are really quite receptive. You have those that are like they could care less as to what I mean, at the end of the day, it’s all about they making generating revenue. But I think it all depends. Based on my experience, it varies. At times it’s a 50, at times it’s more of maybe a 60 30. So that’s where the challenge is. I have to bridge that gap to create that alignment, to ensure that they’re actually achieving. We’re all on the same wavelength in terms of meeting business objectives.

Speaker 2 - 14:30 Yeah, I think also what you need is not all the executives. There may be, of course, the CEO, the managing director, or the board, the chairman of the board, and so on. Of course there’s a collection of individuals. All these individuals have different roles and their risk appetite is actually different and what they want in life is very different. So it’s also you have to understand a bit, if you can, and you said talking to them also helps to understand the politics going on. Maybe for one, you are the one who is saving his job because you avoid that we have a breach. For the other one, you are basically a cost factor which has to be minimized. The other one may think that you could possibly disrupt the processes of the company or something.

Speaker 2 - 15:20 I think using any opportunity to expose yourself, to work with them, to understand them better, to find the right angle and the right not only language but also political angle is really important. I think that’s the same amongst themselves for other topics. It’s not unique to cybersecurity. You have to navigate also but sorry.

Speaker 3 - 15:49 Just briefly, I think the issue there though, is that’s when you’ve got a problem, right, when you’re working with a board or an ExCo that has an individualistic approach to what they’re hoping cybersecurity is going to be. And I think ideally, just based on what we have heard so far, the whole point is that you have to work with the board to educate them and create that 50/50 relationship to make sure that there’s only one mission and then everybody’s working to the same mission. Because I think what you just said is so true. If you’re a cost concern for one and you’re a savior for another, then how are you going to be able to bring everybody together? But if you have one mission that embodies everybody, then you’ve got something you can work with.

Speaker 4 - 16:31 I think if I could elaborate on this one also, I like what actually Marius said once. We need to find that simple language first to speak to someone, because obviously the executives within the companies, they may not be technical. I mean, they don’t need to be technical and we just need to find the language essentially to create the documents. I mean, one of the techniques that we’re using and the company that I work for is we write those documents like strategies for the companies. And this is a nontechnical language first just to approach that conversation with those executives. And then obviously later on we’ll explain to know in technical matters why this is important and things like that.

Speaker 4 - 17:13 But it’s really important to at least at the beginning, if you know that you’re speaking, as Marius said, to someone who is not technical, just to explain know why this is important and just the simplest language as possibly can be so they can understand the risks.

Speaker 1 - 17:29 Yeah, I think one thing that sometimes is missing when we start communicating risk to the board the great way, and when you obviously build on those soft skills, you become a storyteller because obviously most of the executives, all they care about is the bottom line. So how can you relate your risk mitigation tactics that it delivers to the business bottom line? Because sometimes as security professionals, tend to talk about specific critical risks, but that does not mean anything to them unless it relates to bottom line and business goals and business direction. So I think that’s key in how you can create and craft your storytelling into that it delivers to the business bottom line.

Speaker 2 - 18:17 Adding to that, in the past I came across many people who got the attention of the executives by fear, if we don’t do this, we’re going to die. That I think, is okay. You can use that once or twice, but you cannot use that as your typical model. You have to go beyond that. I think understanding where you come in, where this particular risk impacts production, where it impacts customer satisfaction, where it impacts financial things, talking that language over time is the better way. The fear works a little bit at the beginning. But I think also what I see is that most, and that may help in this discussion, most executives actually, or at least most senior guys in the executives, they are aware that things go wrong.

Speaker 2 - 19:09 If things go wrong, they are going to be in the front line, they’re going to be visible. Yeah. So I think they are nervous these days. I think that was not the case two or three years ago. I think these days they are aware that it is their job or they are involved in either avoidance and also solving the problem and so on. And I think what they have in their mind is are we doing the right thing in this company? That’s what they have in their mind, or are we investing enough? And so on. Have we understood what’s going on? They may not be tested technical specialists, but all the executives typically are very smart guys. They may not be deep technical, but they certainly can ask the right questions. Up to us to be able to sort of feed them.

Speaker 5 - 20:04 I totally agree with you there. I’m actually seeing a shift where, as you mentioned rightly, the executives are no longer archaic in terms of what they think. They are now more abreast with cybersecurity happenings. They see the various breaches, incidents, the impact to the organization. So as you have rightly said, they are thinking about RVC, what can we do? So I normally take advantage of that to build a relationship. That’s one of the things that I normally do. To try to build a strong relationship as best as possible wherever I can to ensure that we are actually communicating.

Speaker 5 - 20:46 So once we have that trust, we have that relationship where possible, then it’s easier for me to actually communicate and bring the importance of ensuring that whatever it is that we are doing from a cybersecurity perspective is actually in the interest of the organization to ensure that they’re operating securely as it relates to risk mitigation.

Speaker 1 - 21:16 I’m going to ask a question guys, and I wanted to see what you guys think because obviously talking about risk, the problem we tend to have in cybersecurity industry is that we are usually in a firefighting mode. We discover risks, we build mitigation practices for how we’re going to address the risk and then we move on and then we discover new risks. But I think the problem that normally happens in the industry is that we never go deep enough to understand why specific risks are happening because if we go deeper and build those communication lines and address potentially business processes, business practices to prevent those risks from happening again, we probably deliver better value to the business. So what’s your guys thoughts on that?

Speaker 2 - 22:07 I would think that my experience is 50% of the risks we see are coming from bad guys who are creative for a new way to do something bad. Yeah. 50% of the risks are typically created by the company internally, based on what you said, because they had a quick way to organically develop IT applications in the past because they wanted to have customer satisfaction, they want quick results. And so there were a few shortcuts, or someone is easy going on third parties because that’s a way to do cost down. So let’s do it quickly, but in principle by not having the proper process or at least the minimum proper process or minimum due diligence, these add to the risk.

Speaker 2 - 22:53 But they are risks which are produced by the company itself and I think highlighting those and say well, these ones we control, the other ones we have to work around the bad guys new techniques, we’re not in the driving seat, but we certainly can try to protect ourselves. I would say 50, I would say. I’m not sure that’s just a ballpark.

Speaker 3 - 23:20 But I think it’s a really good point actually because a lot of this, as you said earlier, is about the risk when it happens. But a lot of work can go into defining risks. And if you take the time and if boards and executive committees working with cybersecurity professionals take the time to, I don’t know, commission an audit of their digital estates across all of their hardware, software, legacy systems, data, et cetera, there’s a lot of work. But the more you do in terms of prep, the better the risk conversation is going to be down the line when something happens. So I think a lot of this is if you’re willing to invest jointly, working together, security professionals with ExCos, on actually defining risk, then you’ll have a far greater chance of being able to deal with it when it emerges later on.

Speaker 1 - 24:07 Yeah, because I just kind of alluded to the fact that if you look at the statistics, every year we spend more and more on cybersecurity and we get more and more breaches. So just take, for example, if you take an application security program, normally what happens is we add more tools, we add more people just to try and solve all the vulnerabilities that we have, but where the actual problem is, is our coding practices. So if we actually improved our quality of the code and the quality of the coding practices, we wouldn’t need to throw money at the tools, at vulnerability discoveries and patching and all of that. So that’s where I’m coming from in that sense.

Speaker 2 - 24:53 I think also what makes it a bit difficult, and it’s basically a segregation of duties thing, sometimes in these meetings a Security Responsible, Risk Manager, or CISO cannot always say exactly what he’s thinking. That is one problem because if he does say that, basically he shoots the CIO with the example, you know, it’s the same guy he has to work with tomorrow. And so it’s about finding ways to, on the one side, speak out and point the finger, but on the other hand to find, let’s say, quote unquote, a diplomatic way to not solve one problem and make another one tomorrow out of it. So it’s a bit politics, but you have to navigate in some ways. Unfortunately, in some cases, that psychological border has already been overcome.

Speaker 1 - 25:53 I think that goes to the fact that I’ve been discussing a lot lately as well, which is this. There are companies who need to understand the reasons for hiring a CISO. I’ve been discussing a lot of job descriptions where the top line of the job description of a CISO is I need ISO 27001, I need SOC 2 Type 2, I need PCI DSS, and that’s all we need. Or because another company told us, oh, we should have a CISO, but we haven’t thought about supporting lines. And that’s why there are many discussions about why the CISO should not report to the CIO, because there shouldn’t be any politics games. You should be able to tell the executives exactly what’s wrong in the business. And if you need to play politics games, then it’s a wrongly set up and wrongly supported security function.

Speaker 2 - 26:45 I totally agree. But it’s a bit company by company dependent. Some things you change over time. It’s not ideal; you have a given situation, I think, when you come in. And I agree. That’s why, in my experience, also separating security from IT, from the CIO, is one important case because half of the problems come from IT. Typically, then, if they’re not reporting to the CIO, to whom do they report? Do they report to the CFO or does he report to a COO or a CTO? Do we have at least an exceptional seat in the executive meetings or not? One has to also fight for that. So you have to fight in some sense or evolve in some sense to get the seat at the table and hopefully be there reasonably. You should be able to reasonably speak your mind.

Speaker 2 - 27:43 It will never be 100%, but I think at least be able to get the message in clear.

Speaker 4 - 27:51 Yeah, what actually Mario said it’s quite interesting. He actually said, more tools and more practices we’re using. It doesn’t really matter. And I’ve been in those conversations with executives. Whether they said to me or to the team that I’m working with, it doesn’t matter. We’re not going to change this because obviously something will happen. But that’s not the right conversation. I mean, you need to make sure that you’re putting those tools in place. Again, as I mentioned previously, we live in a crazy world where obviously the bad guys will try to get to the data within a company. So, yeah, we just need to make sure that those conversations are proper conversations with the businesses, and the businesses are going for the right solutions.

Speaker 2 - 28:40 Unfortunately, you come to the conclusion, and it’s not a good one, that an occasional breach is helpful because it resets many of the bad practices in some ways. Obviously, nobody wants the bad things to happen, but it makes this alignment a bit faster. If nothing has ever happened, then anybody can see anything forever.

Speaker 4 - 29:10 I think the best sometimes what we can do is just to make sure that obviously it’s a harder job for the bad actors to essentially steal the data.

Speaker 1 - 29:23 Yeah, it’s just about as well. It’s a one piece about governance as well. I’ve been talking with various executives as well. Sometimes it’s funnily eluded as Chief Information Scapegoat Officer instead of Chief Information Security Officer, because if you are highlighting things and especially bad practices and specific risks in your organization, how do you document that? How do you get exceptions? How do you get acceptance of the risk? Because you have to make sure that this is documented because you obviously done your job. Whether executives accept the risk or whether they decide to mitigate, that’s up to them. But how do you document that practice and making sure that it’s obviously all evidenced? That’s another very important part of the job.

Speaker 5 - 30:11 I totally agree with what you have actually said there. Well, I think one of the greatest challenges as it relates to, based on what I’ve actually experienced so far in all of this in terms of the communication, is actually having to deal with the existing organizational culture and at times having to find various practices to break this culture to actually make sense, getting feedback. Okay, so having that proper governance structure in place actually makes a difference, as Marius actually alluded to just a while ago.

Speaker 1 - 30:58 Yeah, I think culture is very important. As know I’ve talked to the executives know you can have a nice poster in the kitchen that says we are a collaborative company. But if you are incentivizing only say one person and the best person in the team, you’re not going to get collaboration because only the best one is going to win. So why would I collaborate with someone else? So it’s always a top down approach. So how do you create a collaborative culture? How do you involve everyone? And I think that’s what we kind of alluded as well. So yes, scare tactics and scare mongering works once or twice, but third time you’re probably no longer invited to the table. That’s why it’s been known security to be as a no sort of department.

Speaker 1 - 31:45 And actually I said to my team the other day, I said when did the last time we said no to the business? And nobody could remember. Because you can’t do that because the more you say no, the less you are listened to. So how do we say yes, but can we do this with these specific security requirements in place and instead of using a stick, using a carrot because everyone extension, essentially everyone in your business is an extension of security team. They will be able to help and highlight specific risks, specific malpractices, if they are listened to, supported and welcome to highlight things.

Speaker 3 - 32:27 Yeah, I think that’s absolutely right. I think on the culture also is what we I’m sure we’ll all advocate, but celebrating successes and celebrating just good instances where you never want to be in a culture where people feel like they can’t put their hand up in an organization because they might have identified a potential breach or whatever. It might, you know, just anything that involves celebrating somebody making the right sort of decision or judgment or whatever it might be. I think top down and the inverse has got to be the way forward. So yeah, I agree, culture is the very beginning of it all.

Speaker 2 - 33:04 I think also certain problems you cannot solve in one day or one month. It will take one year, two years, three years. So you have to a little bit announce a color. Here are short term things. Here are medium term things. So you become predictable in some sense. It’s not this will cost little money, this will cost more money. And so forth. I think that’s okay. It’s what everybody would do in a company and we have to do that too. Certain problems cannot be solved easily. I mean, obviously you have a burning thing, you solve it. I’m not saying that. The second thing is you have to come to a point where your opinion is trusted because every day you have another problem. You cannot day by day explain in detail.

Speaker 2 - 33:49 So at some point you have to come to the situation where your opinion and your advice is trusted because time is running. Yeah. And you have to do things in the ground. You need to be able be in a situation where people take they can ask a few questions, but in general they would trust your advice in some ways knowing that you are not unrealistic or unreasonable in what you ask. I think that is also a point you have to reach so that things move on because you can solve one problem today and be killed tomorrow. So you have to make sure that things move on. Showing the direction over time your opinion is trusted after a while, maybe at the beginning is a bit harder.

Speaker 2 - 34:38 Make sure that you solve day by day problems because if you say things and tomorrow something stupid happens somewhere else, your trustworthiness is affected in some ways.

Speaker 4 - 34:56 And also I think it’s really important to segregate the issues within the businesses and just sort of highlight which issues are more urgent and which ones need to be remediated much faster than the others. And I think, Maris, you’ve mentioned that obviously how do we track those changes and things like this when we have those conversations with people? And I think, again, from my experience, we keep the documentation. So for example, if we create a document for the businesses, this document may be for another 18 months or 20 months over almost a two year going forward the roadmap. And then obviously we mark the urgencies of changing the segmented issues.

Speaker 4 - 35:49 And then again, if we have a conversation with those executives or with a company in the next two years, something hasn’t been done, but again, something has happened within that segment, then obviously that’s the issue. But at least we’ve mentioned that in the past. And I think that’s how the conversation should also be sort of approached as well, just to segment those issues, making sure which ones are more important than the other. And again, every company is different. That’s why it’s important to speak to someone who knows the culture within a company, who knows how the people work within that company. And again, it’s important also that the businesses are not afraid, that the individuals are not afraid to say that something has happened within a business.

Speaker 4 - 36:40 Because, Danny, as you said, you’ve been working with a couple of companies where someone was scared to raise their hand and say, okay, something has happened, because they’ve been afraid that they may be punished for whatever happened. But yeah, I think it’s important to segment those and make sure which ones are more urgent than the others and just approach it this way.

Speaker 1 - 37:09 I think sometimes as well, talking about risk, I think the one thing that sometimes is really missing is we get to the fact of addressing risk at a very local sort of level. And sometimes you need to look at macro and context because normally nowadays gen AI is obviously a different conversation, but obviously we are getting more tools and more data points where we can make more accurate decisions about risk, about the context, about business, what’s happening at a macroeconomic level. So hopefully with time going we can make better decisions moving forward to understand the context in which the business is operating, what are specific risks to that business within their own environment, but also on a bigger sort of economic scale, what’s happening.

Speaker 2 - 38:01 I think one thing I can recommend in general, because in my case I was facing in the past, I was facing the management, the board, but also I was facing many different business units which also had a lot of independence. It’s not like only just the top, but also horizontally you can see. I think one thing which always helped, and it was an investment decision, is to invest in analytics. Yeah, I was able to invest a percentage of my budget to build analytics. Again, I could show numbers to everybody, numbers per month, numbers evolution, numbers per business unit, who is doing better; you can say okay, this one is doing very bad, this one is doing well. It’s very powerful to compare, in the same company, two different behaviors, but the numbers don’t come easily.

Speaker 2 - 38:52 You have to build an analytics system. It takes one year, two years, three years. You have to have a bit of an idea where you go because the data is all over the place. You have to measure it, you have to build it, you have to put metal layers above it so that you can represent data. But it is one of the guaranteed, I would say 100% or 99% sure ways to get the return on investment in terms of moving away from judgments only and substantiating things. And the numbers are very powerful, especially when you compare behaviors between divisions, because someone says well, what you ask is unreasonable, but then you show the numbers: well, this one did it already and you are not doing it, inside the company.

Speaker 2 - 39:33 Comparison is very powerful versus just saying well, something is wrong, if you can show someone has already solved the problem and here are the numbers, and someone has not and here are the numbers. This takes away a lot of the problematic things, especially when you have many business units horizontally.

Speaker 1 - 39:52 Yeah, and I think that feeds into risk monitoring because sometimes I witnessed facts where we have a specific, say, risk, we developed a mitigation plan for that risk. We mitigated risk to an acceptable level. Yes, we did that at this point in time. But sometimes organizations or some specific risk professionals tend to, when you mitigate the risk to an acceptable level, that risk is closed. But if you don’t have adequate monitoring, because this is a point in time exercise, how do you know what’s the risk output or the risk measurement within the next 3, 6, 12 months, 18 months? That risk might completely change, and that mitigation might not be adequate anymore in a time frame. So the monitoring of the risk and constant evaluation is very important.

Speaker 1 - 40:42 Some regulations ask you to do a risk assessment every twelve months, but you have to gauge in your risk appetite where specific risks might need to be measured and assessed more often than every twelve months.

Speaker 4 - 40:55 Yeah, 100% agree with this, because again, the plan for the businesses at this point may not be the same within the next twelve months. So constant conversation with the businesses, with executives, this is quite important as well. So you need as a business to schedule those conversations every sort of six to twelve months. Because again, what you said, and I completely agree with this, the plan of action for today may not be adequate within the next twelve months, because again, the organization grows, the cybersecurity may change, the threats may change, the system obviously is going to be outdated within that time. There are many factors that have an impact on that. So scheduling those conversations with the right people within a business, it’s 100% crucial.

Speaker 2 - 41:53 I had two examples. I had one case where someone, one managing director took one new risk every year as a focus for you, and he wanted reporting, how is everybody doing on that risk? And we of course have to still take care of the previous year things. But it was instead of going all directions, his way of thinking was, well, we have to take an objective every year, one single or two objectives, and we solve that one and we add it to what we solved the years before. And this way, instead of having to talk 25 different things or 25 different risks, there was a focus on getting a deeper understanding per risk for one year, and then this was hopefully understood and we could move on to the next risk the next year.

Speaker 2 - 42:41 That was one way, which made it very clear, and he wanted details per business unit, per department, how they were doing on that risk. It was one way to move forward. I’m not saying it’s the only way. Sometimes you have no choice. But if you have the choice, having focus points for management, say, this year we focus on this, next year we focus on that. Of course, you choose the important ones in some ways where you and we would get management support to solve that risk more than in any other year or any other way. That’s one management technique if you want to move on.

Speaker 3 - 43:18 I think I actually quite like that. I like it’s novel. It’s interesting. Different way of looking at it. I do think though, that it’s important that the cyber risks are very much part and parcel of the overall red amber green risk management framework that any exco or board has, because the likelihood is that the cyber risks are going to be right up there. And I think then executives suddenly realize that out of six top risks, two or three are cyber related. And it really elevates the importance of the conversation as a result when you’re able to compare the risk within the rest of the risks that the organization faces and not see it as a separate one. So I think bringing it, as I say, as part of the overall risk management framework is really important.

Speaker 1 - 44:10 Yeah, because I think security, as we kind of all know, security can’t happen in a silo. And I think sometimes, as we discussed previously, it’s often seen as an IT issue. But when you start expanding security into any department, there are specific security risks that everyone faces, whether it’s HR, whether it’s business development. And I think we as security professionals have a way to expand and go beyond IT. And I’ve always been a proponent, for example, of how do we deliver value? Because I’ve been discussing as well in my previous post, normally, how do we create narratives where security is not a cost center, security is a business enabler.

Speaker 1 - 44:58 So how can we... I created slides as well for my business development guys about how we do security well for our proposal customers, that it’s safe for their customers to hold data with us, how we deliver business value for our potential clients. So expanding that security sort of vision across various departments can really transcend how you deliver value as well as address risks.

Speaker 3 - 45:27 I think that is such a good point, Marius. I mean, the enabling that you just talked about, because I’m sure we’ve all seen a whole bunch of presentations where executive teams say, okay, item one, digital strategy. Item two, cybersecurity strategy. And you’re like, no, cybersecurity is the enabling part of your digital strategy. Don’t separate it. And I think that sort of positive good: cybersecurity means growth, means greater revenue, means greater opportunity, et cetera. That’s what it’s all about. As opposed to, let’s have a separate session to talk about how we protect stuff. So I completely agree with you, and...

Speaker 1 - 46:04 I think that’s why I’ve lately been focusing, because we keep talking about security. But if we can transcend security into talking about it as a quality function, whether it’s code, whether it’s our IT infrastructure, whether it’s protecting our brand reputation, the more we build quality with security in mind, the better we deliver business value.

Speaker 2 - 46:26 I think you can position security under the logo "enable business in an insecure world". If you take that as your headline, it makes the discussion a little bit easier. But it is true that depending on the business and the business challenges, someone may be willing to take a hit somewhere if that makes the business move faster. A security incident doesn’t necessarily cost 100 million, but it could. But maybe an incident costs us 40,000 or 50,000. Someone says well, okay, losing money is never good, but it’s something we can accept, because if we were to find a way around it, it would make things more inefficient, we may lose more. So having a good discussion like that gives us a feeling, okay, what the priorities are. I had also cases where certain top executives had go and no go things.

Speaker 2 - 47:28 They were very sensitive to certain topics and zero tolerance for certain things, and they would be very much willing to have a money discussion on others. So I think that is also important, finding that out, because it gives you also priorities. Even for a CISO, it avoids that you go running in all directions. But the other one is when you look at, for example, CRM systems. I had cases like when we investigated, we found out that there’s, let’s say, a million records in a CRM system. Yeah, only 20% get emailing. The other ones are just registered. Nobody does everything. So we said please, if you do not do anything with the 80%, please take some offline. We only should protect things which have economic value, which is obviously only the 20%. That is a change as totally as a direct discussion.

Speaker 2 - 48:25 Of course they are a bit shocked at why we collect so much and use so little. Okay, that discussion has to be done, but at least there is a logic to it, and I...

Speaker 1 - 48:36 Think sometimes some other things as well. What we alluded to in the beginning is you need to understand the business, because the risk mitigation, the risk framework, the risk appetite will change depending on your organization. So if you walk into a bank, they’re obviously going to be very risk aware and they’re obviously going to risk a lot less. Whereas if you walk into a startup and you’re trying to grab as much of the market share as possible because you just created the new product, you’re going to create more risks and you’re going to take more risk because you want to grow fast and you want to grab as much of the market. When you reach a certain maturity level, your risk appetite will change. So you need to be aware of business context and where you are on that maturity sort of scale.

Speaker 2 - 49:19 I think in some cases when you study your risk equation, you have to solve it, whatever it is. Maybe when the organization is bigger, but sometimes when the organization is smaller SMEs or others smaller, you have to first simplify the risk equation before you solve it. Otherwise they cannot afford it, they cannot sustain it. In some sense, if you have 25 images on your endpoints and you have to do vulnerability management and patching, you’re going to kill yourself possibly unless you’re helped in some way. So sometimes you have to find a way to simplify the equation first and then solve it and not apply big money to solve the wrong problem. I think that also gives the executive feeling that you are thinking about common sense and practical, economical ways to solve things.

Speaker 5 - 50:16 Sure. And just to add to that important point, one of the things I normally do is always to identify, going back to the basics, how does this organization, how does this business actually generate revenue? What are my business assets? Not everything within the organization generates revenue or contributes to that overall revenue generation. So I always have my business assets. What are the risks to those business assets? What are the cyber risks to the business? What is the likelihood that risk can actually affect the business? What’s the associated cost if that risk actually affects the business, and what’s the cost to fix it? So I always operate within that line in terms of simplifying my risk communication. Always keep it as simple as best as possible for the executives to actually understand.

Speaker 5 - 51:15 So whatever it is, always align, return on investment, always go back to revenue generation.

Speaker 2 - 51:26 In another way. I have seen some people who have been thinking, okay, I need to reflex. I have $100,000 or euro in my pocket and I will solve this problem by using 100,000 or 10,000. And because you’re given a budget, you have to stay within it and you have to solve it. And there is sometimes the wrong reflex also that instead of going to the right people and saying, I need a million to solve this problem because this is a very big problem, this sometimes is not done. So we’re kind of educated or trained or conditioned, and it’s also not only me and the CISO, but even the layers below may think in this way, or they say, okay, I have to manage within that level.

Speaker 2 - 52:18 So sometimes the risks don’t come up properly also this way, because someone says, well, I know it’s a risk, but okay, I’m going to use my $10,000 to solve it as much as I can rather than bringing it up and having the CISO ask for a million dollars to fix it or something like that. I think that’s another big problem I see in this risk communication.

Speaker 1 - 52:47 I think we’ve got a couple of minutes left. So any final thoughts from you guys?

Speaker 3 - 52:57 I think communication, culture and enablement are some of the words that really stick out for me over the last hour.

Speaker 1 - 53:10 Anyone else? Pate, final words.

Speaker 4 - 53:15 I agree with what Danny says now, those three key points, and obviously speaking to the right people in the organization, that’s the key point as well, the ones that understand the culture, how the organization works, and just to sort of those risks.

Speaker 2 - 53:37 I was living in a Japanese company, and in a Japanese company, just a difference, maybe, from an American company, you would not go to a meeting to have a debate. The discussions happen individually before the meeting. Yeah, because it’s not possible to have agreement with 10, 12 people, possibly. But it’s possible to discuss in depth, frankly, with individual members beforehand and to try to move to reasonable consensus when the formal meeting is happening, which is more formal or ceremony in some sense. That’s a Japanese way of doing it. It’s not... you don’t expose anybody publicly, you don’t attack someone publicly.

Speaker 2 - 54:26 But you spend a lot of time in the preparation of the meeting with different individuals to get their point of view, to explain your point of view, which you can do typically in a much more frank way beforehand, so that you can crystallize a proposal where you get a majority support at the end. But that’s the culture of a Japanese company versus maybe others.

Speaker 1 - 54:51 Yeah, and I would say it’s very important as well, we discussed, to get to the bottom of the problem. So I don’t remember which book it was, but it said, ask five why questions to get to the bottom and the root cause of why things are happening. Because we need to move away from firefighting into being a proactive, risk-addressing function that can deliver business value, and what we just discussed, being a business enabler. So I think that’s very important.

Speaker 5 - 55:28 But I would say one of the very important points coming from this is actually spending that time to understand what it is that the executives actually think, as Marius rightly mentioned, what actually keeps them up, what it is they’re thinking about, what’s of importance to them as it relates to an organization’s overall productivity. So, yeah, those are the key points that I think I have actually gained from skin.

Speaker 1 - 56:04 Brilliant. I think that’s pretty much it. Thank you, guys.

Speaker 2 - 56:07 Thank you so much.