The Story is What Matters

Several scholarly sources have stressed that better communication with the board is needed (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et al., 2019; Islam et al., 2018; Rothrock et al., 2018; Weill et al., 2019). However, these articles stop short of prescriptive direction on how to build and deliver compelling communications, and the communication problems within cybersecurity continue.

The need to speak the language of business is called for throughout the literature (Blum, 2020; Karanja & Rosso, 2017; Rowe, 1998; Wright, 2019). What that language consists of, however, is not agreed upon, beyond the observation that it has no single definition. The most practical reading is that the language of business is simply the set of terms that matter to the business. If money matters most, then finance or accounting is the language of business; if patient safety matters most, then patient safety is the language of that business (Wright, 2019).

Because business language is not defined with any specificity, the model proposed by Marchewka (2018; as cited in Fitzgerald, 2018) was used as the presentation format, with six categories for aggregating the scores. The six categories cover the three core security properties, confidentiality, integrity, and availability (Harris & Maymi, 2021), and three business categories, people, reputation, and finance.

For years I have advocated using aggregated risk metrics when telling the cybersecurity story to executives and board members. This point of view was primarily driven by information gathered from other professionals and colleagues in the field. The advocacy for aggregated metrics was also driven by peers stating that their boards had asked for single scores to reflect the performance of the cybersecurity program.

However, risk perception does not change based solely on the tool used to present the risk metrics, whether aggregated or tactical. Risk perception stays the same with either tool, meaning both can deliver the same message, depending on how the audience prefers to hear it. Attributing the audience's risk perception to the delivery mechanism would be a causal fallacy (Vleet, 2012).

Improving executive understanding of cybersecurity risk remains a need. Part of that improvement is closing the information asymmetry gap and reducing the affective response (Garcia Perez et al., 2018; Wu et al., 2019). It is the message, reasoning, or business circumstances behind the metrics, rather than the presentation format, that can carry the cybersecurity risk message.

Improving trust is one way to reduce both information asymmetry and affective response. Holding specific conversations to discover exactly which messages resonate with a particular audience may improve communications as well. Lastly, as said before, speak in terms the business understands, which means the terms that resonate with the audience.

References

Al-Moshaigeh, A., Dickins, D., & Higgs, J. L. (2019). Cybersecurity risks and controls. CPA Journal, 89(6), 36–41.

Anders, S. B. (2019). Cybersecurity tools for CPAs. CPA Journal, 89(6), 72–73.

Blum, D. (2020). Manage risk in the language of business. In Rational cybersecurity for business: The security leaders' guide to business alignment (pp. 123–156). Apress. https://doi.org/10.1007/978-1-4842-5952-8_5

Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015

Gallagher, C. G., Zielinski, K. L., & Boyle, D. M. (2019). The more you say. Internal Auditor, 76(2), 49–53.

Garcia Perez, A., Madzudzo, G., & Morris, D. (2018). Cybersecurity and the auto industry: The growing challenges presented by connected cars. International Journal of Automotive Technology and Management, 18(2), 105. https://doi.org/10.1504/ijatm.2018.10013319

Harris, S., & Maymi, F. (2021). CISSP all-in-one exam guide (9th ed.). McGraw-Hill Education.

Islam, M. S., Farah, N., & Stafford, T. F. (2018). Factors associated with security/cybersecurity audit by internal audit function. Managerial Auditing Journal, 33(4), 377–409. https://doi.org/10.1108/MAJ-07-2017-1595

Karanja, E., & Rosso, M. A. (2017). The chief information security officer: An exploratory study. Journal of International Technology & Information Management, 26(2), 23–47. https://scholarworks.lib.csusb.edu/jitim/vol26/iss2/2

Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15.

Rowe, J. (1998). No such thing as...the language of business: Colourless green ideas sleep furiously. Management Decision, 36(2), 117. https://doi.org/10.1108/00251749810204205

Vleet, J. E. (2012). Informal logical fallacies: A brief guide. University Press of America.

Weill, P., Apel, T., Woerner, S. L., & Banner, J. S. (2019). It pays to have a digitally savvy board: Having board members with experience in digital business is the new financial performance differentiator. MIT Sloan Management Review, 60(3), 41–45.

Wright, R. S. (2019). Should accounting be the language of business? Research Technology Management, 62(4), 53–55. https://doi.org/10.1080/08956308.2019.1613121

Wu, K., Sorensen, S., & Sun, L. (2019). Board independence and information asymmetry: Family firms vs non-family firms. Asian Review of Accounting, 27(3), 329–349. https://doi.org/10.1108/ara-05-2018-0110

Gerry Blass

President & CEO at ComplyAssistant

1 year

Edward, thanks for sharing!
