Hearing is not the same as Listening
This is the opening statement in the Executive Summary of the 2023 World Economic Forum Global Cybersecurity Outlook Insight Report [1]. According to the report, the significance of cyber risk has certainly been heard in C-suites and boardrooms, but cyber leaders still struggle to articulate clearly the risk that cyber issues pose to their organizations in a language that their business counterparts fully understand and can act upon. The Open Group FAIR (Factor Analysis of Information Risk) [2], which expresses cyber risk in financial terms, should be used by cyber leaders to clearly articulate that risk to business leaders, minimising the need for technical jargon in their presentations. Expressing risk this way enables cyber risk to be managed under the Enterprise Risk Management (ERM) process described in NISTIR 8286 [3]. Please join the global FAIR Institute community of 14,000+ cyber risk professionals to take advantage of the free resources and share the learnings from the community.
Closing the communication gap
The above observation represents a marked turnaround in the relationship between business leaders and cyber leaders in just the short year since the 2022 Insight Report [4]. The 2022 report showed a profound disconnect between how cyber leaders and business leaders perceive cyber issues. The 2023 report found this gap to be closing, but much work is still needed to mature from hearing to listening. Both leader groups must make an effort to truly understand each other, articulate the risk cyber issues pose to their business, and translate that into meaningful management and mitigation measures.
One of the observed changes this year is that 56% of security leaders now meet monthly or more often with their board. These structured interactions between cyber and business leaders are an opportunity to be heard. The report recommends the following steps to close these communication gaps:
C-suites and boardrooms have heard the significance of cyber risk from their cyber leaders but still fail to listen to the risk that cyber issues pose to their organisations
Cyber as a Business Enabler
The report presents 20 diagrams contrasting the responses of business leaders and cyber leaders to various questions. While there is strong alignment between these leader groups, there are also some surprising differences. For example, contrary to common perception, Figure 11 shows that most business leaders now see cyber security as a service differentiator and business enabler rather than mainly a compliance driver. However, 14% of cyber leaders still perceive compliance as a key driver for cyber security controls:
This confirms the paradigm shift in security culture from compliance to risk-based management advocated in many global security standards, including ISO 27001, PCI DSS and the Australian Government Information Security Manual.
Explaining return on investment in cybersecurity
Participants in the workshops for the report noted the difficulty of translating investment in cybersecurity into clear returns for the board, with one representative participant saying, “The three things board members are interested in are risk, opportunities and investment in cost. In cybersecurity, we talk about the cost a lot, but we need to better respond to the question, ‘What is the return?’ That is something we struggled with in cybersecurity. How do I know this is a good investment across the myriad of things that I could potentially be invested in? How can we improve at making effective metrics to help boards make better-informed decisions?” Effective metrics are ones that a board can translate directly into informed decisions to drive the business.
The report notes that business and security leaders’ perspectives on the importance of cyber-risk management are converging. In the 2023 survey, these leaders agreed that cyber resilience is integrated into their organization’s enterprise risk-management strategies. In addition, most business and cyber leaders also agree that incorporating cyber-resilience governance into their business strategy is one of the most impactful principles when it comes to cyber resilience.
NISTIR 8286 - Integrating cybersecurity and Enterprise Risk Management (ERM)
Many organisations and governments have adopted the NIST Cybersecurity Framework (NIST CSF) [5] to inform their cyber maturity programs and improve their cyber resilience. NISTIR 8286 [6] recommends expressing cyber risk in dollar values to enable this integration, and names FAIR as the only recognised Cyber Risk Quantification (CRQ) framework. The integration life cycle is depicted below:
My presentation "NISTIR 8286 Prioritizing Cybersecurity Risk for Enterprise Risk Management" at the AISA RMIA Cyber Week [7] provides an in-depth walk-through of this integration process, linked to the organisation's risk appetite and tolerance. The presentation deck is available here:
The replay of the presentation is available here:
The latest The Open Group FAIR Risk Analysis (O-RA) standard (released in Nov 2020) [8] includes a mapping to NIST CSF:
Can the real Darren Kane please stand up?
Darren Kane (CSO @ nbn Australia) is a notable member of the FAIR Institute. Darren walked through his FAIR journey with Luke Bader in a recent "Meet a Member" interview [9]. Darren is certainly well ahead in helping his business leaders to listen to the cyber risk challenges. He concluded his interview by walking through his journey in integrating cybersecurity with Enterprise Risk Management (ERM). Significantly, Darren is responsible for all security matters across the NBN business, including physical security (gates and guards with guns) and privacy, in addition to cyber security. In other words, he is responsible for all Enterprise Security Risks.
Darren is a good communicator, an expert in using humour at his own expense to get important cyber messages across, as shown in his #Scamsweek2022 training video [10]. As shown in the screen grab below, his impostor was spotted by a typo in his name. Deep fake? Perhaps not needed. ChatGPT-generated script? Absolutely unnecessary.
Jokes aside, communicating cyber risk ought not, and must not, still be as hard as this in 2023:
The global FAIR Institute is here to equip you for your cyber risk communication challenges. Please reach out and join our community here. Membership is still free for qualified risk professionals:
https://www.fairinstitute.org/get-involved-apply-today
[2] https://www.fairinstitute.org/what-is-fair
[3] https://csrc.nist.gov/publications/detail/nistir/8286/final
[4] https://www.weforum.org/reports/global-cybersecurity-outlook-2022
[5] https://www.nist.gov/cyberframework
[6] https://csrc.nist.gov/publications/detail/nistir/8286/final
[7] https://conference.aisa.org.au/risk-cyber-week/agenda
[8] https://pubs.opengroup.org/security/o-ra/
[9] https://www.fairinstitute.org/blog/meet-a-member-darren-kane-cso-at-australias-nbn
[10] https://www.dhirubhai.net/posts/darren-kane-4997ab6_scamsweek2022-scamfit-activity-6995276134422634496-ZaUr
Comment from a Vice President - Cyber, Data Protection (2 years ago): Excellent points Denny Wan. Way to go.