Source: Mark Chaplin, Principal, ISF
21 Dec 2018

If you are sitting at the table during a board meeting of a global enterprise, there is a good chance you are discussing the organisation’s business strategy, financial performance, planned investments and mergers and acquisitions. The agenda is also likely to cover corporate governance, culture and talent, legal and regulatory compliance, and shareholder expectations.

While the board’s agenda focuses on growing the business, improving operational effectiveness and exploring revenue generating opportunities, at some point the topic of risk will arise, often with an emphasis on operational risk.

A major factor in the success of any organisation is the quality of key decisions made about risk, as well as opportunity. To make effective business decisions, business leaders require accurate, balanced and up-to-date information, often relating to business operations, technology, supply chain and environmental matters.

As a board member, at what point do you engage in the conversation about information/cyber risk? What questions should you be asking? And what answers are you ready to receive?

Information/cyber risk remains uncharted territory for many enterprises, who ‘get it’ but have yet to embed these new risk disciplines into their broader approach to managing risk across the enterprise. It is time for the technology and security functions to start providing assurance that information/cyber risk is being managed effectively.

Discussions with senior security professionals in different industry sectors suggest information/cyber risk reporting is ineffective at best, and at worst is non-existent. ISF research highlights the need for board members, executive committee representatives and other business leaders to set clear expectations regarding risk reporting.

How do you know if your CIO and CISO are managing information/cyber risk effectively? Here are five actions that board members and business leaders should take to gain assurance of their information/cyber risk management capability.

  1. Clearly articulate requirements regarding information/cyber risk reporting

Specify the:

  • scope of assurance activities (e.g. enterprise-wide, business unit, project or business operation)
  • main purpose (e.g. to govern more effectively, forecast information risk more efficiently, justify security investment or demonstrate improved protection)
  • expected level of analysis and confidence levels for reporting (e.g. how reliable is the information)
  • significance of using ranges (not point estimates)
  • method of communication (e.g. summary on a page, a multi-page presentation or detailed report)
  • supporting information expected (including any assumptions made and conclusions drawn)
  • frequency of reporting (e.g. real-time, weekly, monthly or quarterly).
  1. Explain the need to present information/cyber risks in business terms

Define and agree meaningful key indicators (such as KRIs, KCIs and KPIs), which provide visibility of information/cyber risk in a business context. Key indicators relating to information/cyber risk should align with broader, operational risks associated with major business priorities, such as:

  • business strategy and performance
  • major business projects/initiatives
  • supply chain and business operations
  • sales and marketing
  • legal, regulatory and contractual compliance.
  1. Emphasise the importance of representing all aspects of the organisation

Agree areas of the business for which they require specific or increased levels of assurance of how information/cyber risk is being managed, such as:

  • critical asset protection (including high-value information assets)
  • basic security hygiene (including access control, patch management, encryption and backups)
  • threat profile (including results of security event management, incident management and threat modelling)
  • business operations, strategic projects/initiatives (particularly those subject to significant investment or identified as high-risk)
  • enterprise resilience (including business continuity, incident response capabilities and crisis management)
  • supply chain (including both upstream and downstream relationships).
  1. Require that risk reporting use a balanced and broad range of sources

Insist that the reporting of information/cyber risk be based on multiple, quality and proven sources of information, to improve the accuracy of risk communication. Risk reporting should leverage:

  • internal sources such as a security operations centre, threat intelligence team and security analysts (e.g. information gathered from investigating information/cyber incidents, near misses and threat events)
  • external sources, including business partners, solution providers, suppliers of services (e.g. threat reports, base rate datasets, prevalence rates in relevant industry sectors).
  1. Challenge risk reports and support mitigation actions

Examine trends and patterns provided in risk reports, clarify forecasts about future information/cyber risks and support recommendations to address identified risks. Support from the board (or equivalent) for information/cyber risk management can include:

  • investing time to better understand the business challenges associated with information/cyber risk
  • sponsoring projects/initiatives that provide a better understanding of the level of information/cyber risk
  • signing off budget to improve information/cyber risk management capabilities (e.g. hire information/cyber risk experts, fund training for existing risk practitioners, acquire proven risk management tools and obtain services from reputable service providers)
  • including information/cyber risk as a formal agenda item (and discussion point) at board and executive committee level.

The board must lead the business in these initiatives, engaging with teams to ensure that the security programme and processes help to build cyber resilience in line with their business objectives.

The ISF provides a range of guidance and best practice for effective risk management such as ‘Information Risk Assessment Methodology 2’, and reporting key indicators and security metrics using ‘Engaged Reporting: Fact and fortitude’.

For the full library of research and tools, visit