How do you communicate risk in your enterprise?

233 views, 3 Upvotes, 8 Comments

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
We certify against seven industry certs, so the problem is, each of those frameworks has underlying similar performance expectations, but the narrative terminology language is different. So we ended up creating an integrated risk framework to lay the controls on top of each other. It accomplished a couple of things: One is, it helps minimize audit fatigue, because you're pulling evidence against the same controls and you have one or two people that are presenting that evidence and it becomes an absolute. It just is really painful for the organization. The other is it provides the ability to quickly attest to good compliance practices, security practices. You can quickly interpret it. So it is a little bit of an upfront investment to create that framework, but it buys you some time.
CISO, 1,001 - 5,000 employees
When I try to explain risk, I try to be as granular as possible and say, "When you want to talk about risks, our culture is going to be the biggest risk because we don't know what we don't know." There are six different IT departments, and the biggest hurdle I have to climb is that there's no compliance audit for the County. The County has an internal auditor; however, the internal auditor's compliance scope is limited to finances. There is a need to educate on the importance of compliance and highlight the risks of non-compliance. I leaned heavily on convincing the elected official to make decisions that are defensible to protect their brand and reputation.

I'm not IT security, I have a director that manages IT security. I'm enterprise risk. I'm a business person. And I try to dumb myself down by letting them know that I'm not going to say the word firewall, I'm not going to say phishing, I'm not going to say any of those words to you because I'm a business person. Now let's talk about how I could be your strategic partner to help you achieve your mission and goals. And so it's really trying to build trust, trying to make my services valuable to the businesses so they can say, "Hey, I can't deliver my product without the infosec team. I can't deliver my product and be successful without including the information security team." I'm getting it through agile processes of small wins, showing instant risk reduction of certain aspects of business and allowing those lessons learned to wrap back in and try to approach it again.
1 Reply
VP, Enterprise Risk Management in Software, 10,001+ employees

Don't let a good crisis go to waste when it happens, right? It sounds like you're doing all the things that you need to be doing. Making it real for them and all that.

VP, Enterprise Risk Management in Software, 10,001+ employees
I've come from the risk world and reporting where I have found that people may glaze over, so my mantra is that the risk reports have to be relevant, timely and actionable. I want them to do something. And so what we try to do to make that happen is think qualitatively and quantitatively. If we're thinking about cyber, we are trying to figure out where the key risks are, what keeps us up at night. Those key risks should be mapped to something that we're doing to address them. And then what are the metrics that actually show how well we're doing? So for cyber, your IT infrastructure, actual data breach incidents, exceptions to your process, etc. I've never met a metric that's about to tell you that you're going to have a problem. People see numbers and metrics without context and say, “so what? What am I supposed to do with this?” So my focus has really been to make it more relevant so that we're bringing things to the table and we say, "We need to change our resource allocation or we need more money." We might not get it but it helps to make it more relevant.
3 Replies
CISO, 1,001 - 5,000 employees

We've tried a lot of that and we've come to the realization that the business is just not mature enough to interpret that type of stuff. They want to know good vs. bad, and they want to see yellow, green, red. That's just where we are. Keep in mind that people who run a County are representatives of the people, they're not necessarily business people. And so trying to have that conversation is a thin line, especially when they think that you're just IT security.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees

That's an amazing skill set that you're gaining: heavy influencing at a level that's off the charts. Even in my world, when I try to influence decision makers, it comes down to what really motivates them. That's the front of your conversation. So you are assessing your stakeholders and immediately what's going to motivate them. And then you build your discussion off of that. I know it's probably frustrating, but it's an amazing set of skills right there.

CISO, 1,001 - 5,000 employees

We tell ourselves all the time, once we conquer this, we can go wherever we need to go as far as career-wise. But it's also learning. The State of Texas had to change the legislature and they had to change its legislation to enact security. They had to change the law. And you're dealing with people who have to decide between firewalls and making sure people's houses don't flood like they do in Austin, Texas. I definitely need to take stuff that hasn't been done before in government and try to apply it and try to make it fit, because Texas politics is a unique animal that textbooks won't help satisfy.

Chief Information Officer in Manufacturing, 10,001+ employees
I explain risk in simplistic terms centered around the audience receiving the risk. Different audiences understand different terminology, so my approach is to make sure I communicate in terms they can understand.
