Cyber risk reporting procedures are far from established. A considerable number of CISOs do not even report directly to the CEO but to the CIO. In many cases cyber risk reporting does not rest on robust, dependable data, and all too often it becomes a tick-the-box exercise that produces no meaningful, actionable results.
Fixing reporting lines is not enough, though: we also need a step change in the methodology CISOs use to report risk. Rather than using vague language that conveys intuition and gut feeling, information security professionals need to make risk quantifiable and talk about the risks that different cyber security scenarios involve in terms of business outcomes. They need to pitch information security investments by explaining their benefits and opportunity costs, covering both inherent risk (before controls) and residual risk (what remains once controls are in place).
But whether information security professionals succeed in getting their C-suite's or Board's buy-in depends not only on the quality of the data presented but also on how it is presented. An executive-friendly visualisation of risk data is more likely to create a powerful narrative and capture the imagination of the Board.
To make cyber risk reports more compelling, traffic-light ratings will no longer suffice. What CISOs and businesses need is to establish the KPIs against which their performance can be assessed, and which can also help communicate their goals to non-technical staff.
It also falls on CISOs to write mandatory regulatory and internal post-incident reports, and to give the Board an explanation in layman's terms of what led to a data breach or cyber-attack and whether it could have been prevented with better triaging or technology.
In this session of the Teiss virtual roundtable we are going to explore the benefits of different reporting frameworks and methodologies, as well as the metrics, tools and language that can enhance the effectiveness of board risk reporting.
The questions we will explore
During the meeting we will focus on questions such as:
- How mature is your cyber risk reporting?
- What kind of risk frameworks and methodologies has your business adopted?
- What makes a good report? How are the board’s and the regulators’ requirements different?
- What impedes clear communication with the board? How can you overcome these hurdles?
- What KPIs does your organisation use to measure success?
Who is invited?
This breakfast meeting is designed for senior decision makers within highly regulated industries who wish to discuss various aspects of cyber risk reporting. Delegates will be information security decision makers of large (4,000+ employees) companies in the highly regulated space.
Be one of 8 senior professionals around our virtual table. For any enquiries, please contact Mergim on 0208 349 6458 or email email@example.com.
The breakfast briefing is brought to you by Tanium & PWC and is only for senior executives as mentioned above. Registrations of junior professionals, consultants, solution providers or other sellers to this market won’t be accepted. To be eligible you must be employed by a corporate legal entity such as a private company: if you are a sole trader or in a partnership other than a legally incorporated partnership, we will be unable to offer you a place.