How do you effectively express cyber risk appetite to your executives? What’s your approach?
Balance a view of our program controls vs key metrics like external 'scoring' services, internal phishing awareness metrics, vulnerability metrics, and what our program is actively blocking via a Mitre ATT&CK view. Then bring in external breach / attack information regarding other companies' impacts, responses, etc., like Colonial Pipeline. Couple this together into a meaningful 'business' terminology based discussion with your executive team. This has been successful in the past in gaining a good conversation and a clear discussion on cybersecurity risk appetite regarding the potential business impact of a cybersecurity event. The conversation is not a 'one and done'; you have to build trust and evolve the discussion over time, ensuring you align to the business terminology used by the leadership team.
Hi there,
Risk appetite is hard to express because of the fact that no group of executives that I've ever worked with can give you an exact answer. One thing I would consider looking at is figuring out if there are some metrics you can leverage in your organization that would allow you to articulate the cost of not doing anything about a particular issue vs the cost and risk reduction of doing something.
I would recommend you check out: https://www.gartner.com/document-reader/document/4785532 which talks about creating Outcome Driven Metrics.
This will allow you to talk to your executives using some real world numbers and will allow you to show what potential effects an investment may have on the overall risk the organization is facing. A good example of this is the time it takes for you to remediate vulnerabilities. You can show that at the current budget it may take you 45 days to remediate critical vulnerabilities. You can then calculate out your risk exposure in $s and make a case that you may need $xyz to decrease the average remediation time from 45 to 30 days, thereby eliminating $xyz in risk exposure.
I truly feel that until you can articulate it in some language that makes sense to executives, they are never going to be able to tell you what their risk appetite is in a way that you can translate into operational value.
HTH,
Sven
Cybersecurity Risk Appetite can be communicated to an executive forum when it is aligned to business objectives and presented as relevant metrics. The metrics may further drill down to reflect how Cybersecurity Risk Appetite reflects against top-performing business functions, providing insight into how improvement may support overall growth.
Additionally, these can be helped by presenting benchmarking and comparisons.