What tools or frameworks have you used to visualize cybersecurity risks in a digestible way for the board?

Senior Information Security Manager in Software, a year ago

One common mistake technologists make when speaking to the board is focusing too much on the technology and solutions. For example, they might discuss the benefits and advantages one security solution has over another, but the board doesn't care about that. A great tool to use is FAIR (Factor Analysis of Information Risk). It's a risk analysis model with a common taxonomy and language, allowing technologists and risk managers to provide quantitative information to the board. The board wants to know if the organization is safe and if the money spent on cybersecurity is being used wisely. By using a risk-based approach, you can speak to the board in their language. It's like how we simplify language when speaking to young children—appropriate for the audience but not condescending. Using tools like FAIR enables you to communicate with the board as peers, focusing on the risk to the organization.

no title, a year ago

Regarding frameworks, I've been using NIST 800-30 Risk Management Framework for several years, and it's been a very good standard. It's well accepted. We've used it with the government as one of our clients, and they understand it well. Additionally, I would echo that FAIR is a great tool. It's very detailed and data-driven, which I like because it has the numbers behind it statistically.

Director of IT in Healthcare and Biotech, a year ago

To help the board understand the risks, we talk a little bit about likelihood and impact. If we discuss that the risk itself is very likely to occur and it's going to have a significant impact on operations, they understand that, and it usually drives additional questions. Sometimes it gets a little technical, but we can pull them back. They really want to know what the risks are and how we address them. When we talk about any particular issue, we work with the business before we actually go into those board meetings to have discussions about likelihood from both an operational and a technical perspective. Then, being able to explain what that means to the company in terms of the impact on the bottom line is crucial.

CIO in IT Services, a year ago

I used the NIST 800-53 Risk Management Framework. My program is wrapped around the framework, so that way they get to see risks on the registry. They understand the model for scoring risk, and then there's a decision factor built within, and that seems to be very effective. If you're keeping it short and sweet and they see the red, yellow, greens, it's a nice visual to go along with the risk that you're presenting.

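To make the two approaches in this thread concrete, here is an added example (not code from any of the commenters, and not an official FAIR or NIST implementation) that shows both: a FAIR-style quantitative estimate, where each risk is described by a loss event frequency range and a loss magnitude range and a Monte Carlo simulation turns them into an annualized loss distribution, and the qualitative likelihood-times-impact scoring with red/yellow/green ratings described in the later replies. The risk register, the ranges, and the RAG thresholds are constructed placeholders; real figures would come from the organization's own calibrated estimates.

```python
"""FAIR-style annualized loss simulation plus a likelihood/impact RAG rating.

Added example for this thread; the register below is constructed sample data,
not figures from any real organization. Loss event frequency (LEF) is events
per year and loss magnitude (LM) is USD per event, each given as a
(min, most likely, max) triple that is sampled with a triangular distribution.
"""
import math
import random
import statistics

# Constructed sample risk register (placeholder values).
RISKS = [
    {"name": "Ransomware on file servers", "lef": (0.1, 0.3, 1.0),
     "lm": (50_000, 250_000, 2_000_000), "likelihood": 3, "impact": 5},
    {"name": "Phishing leading to payment fraud", "lef": (0.5, 2.0, 5.0),
     "lm": (5_000, 40_000, 300_000), "likelihood": 4, "impact": 3},
    {"name": "Lost unencrypted laptop", "lef": (1.0, 3.0, 8.0),
     "lm": (1_000, 10_000, 100_000), "likelihood": 5, "impact": 2},
]


def poisson(rng, lam):
    """Draw an event count for one year from a Poisson(lam) distribution (Knuth)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(risk, trials=10_000, seed=1):
    """Monte Carlo estimate of annual loss for one risk.

    Each trial draws an expected frequency, the number of loss events that
    actually occur that year, and a magnitude for every event. Returns the
    mean and the 50th/90th percentile of the simulated annual loss.
    """
    rng = random.Random(seed)  # fixed seed so the board figures are reproducible
    lo_f, ml_f, hi_f = risk["lef"]
    lo_m, ml_m, hi_m = risk["lm"]
    losses = []
    for _ in range(trials):
        freq = rng.triangular(lo_f, hi_f, ml_f)      # random.triangular(low, high, mode)
        events = poisson(rng, freq)
        losses.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events)))
    losses.sort()

    def pct(q):
        return losses[min(trials - 1, int(q * trials))]

    return {"mean": statistics.fmean(losses), "p50": pct(0.5), "p90": pct(0.9)}


def rag_rating(likelihood, impact):
    """Qualitative 5x5 scoring: likelihood * impact mapped to red/amber/green.

    The thresholds (15 and 8) are constructed for this example; a real
    register would use the organization's agreed risk appetite.
    """
    score = likelihood * impact
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def board_summary(risks=RISKS, trials=10_000):
    """One row per risk, sorted so the largest 90th-percentile exposure is first."""
    rows = []
    for risk in risks:
        est = simulate_annual_loss(risk, trials=trials)
        rows.append({
            "name": risk["name"],
            "rating": rag_rating(risk["likelihood"], risk["impact"]),
            "expected_annual_loss": round(est["mean"]),
            "p90_annual_loss": round(est["p90"]),
        })
    return sorted(rows, key=lambda r: r["p90_annual_loss"], reverse=True)


if __name__ == "__main__":
    for row in board_summary():
        print(f"{row['rating']:>5}  {row['name']:<35} "
              f"expected ${row['expected_annual_loss']:>10,}  "
              f"90th pct ${row['p90_annual_loss']:>10,}")
```

The two outputs answer different board questions: the RAG colour is a quick visual for "which items should we talk about", while the simulated expected and 90th-percentile annual loss put a dollar figure next to each item so spending can be compared against the exposure it reduces. Both use the same register, so the visual and the numbers never disagree with each other.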