Hyperventilating about cyber – Part I

January 20, 2019 3 comments

It’s hard to see a survey these days that doesn’t include cyber as one of the top risks faced by organizations around the world.

But should it be?

Are we hyperventilating unnecessarily? Or is the risk so severe that such a reaction is justified?


This is the first of two posts I plan on the topic. This one will talk about the effect of breaches on consumers, and then I will move on to corporations and my advice to risk and cyber professionals.


Over the last decade or so, I have traveled all over the world, sometimes on vacation but also to speak at conferences and lead training sessions.

While my preference is for the Hilton family of hotels (simply because I have more status with them), I have also stayed frequently at Marriott, Sheraton, and other properties.

So when Marriott announced a massive cyber breach in November, I wondered how it would affect me personally.

The first thing I noticed was that while this was announced as a Marriott breach in the news (such as on NBC), the report didn’t make it clear that it only related to stays at hotels like the Sheraton and the Westin. NBC references Starwood, but not everybody knows which hotels are included in the Starwood family.

So what was stolen?

A January update by Marriott provided a little clarity:

  • The breach relates to stays at Starwood properties (not Marriotts) since 2014.
  • The number of guests whose records were stolen is unclear. All we know at this point is that it is less than 383 million.
  • While 25.55 million passport numbers were stolen, all but 5.25 million were encrypted and the encryption appears to be secure.
  • 6 million credit card (referred to as payment card) records were stolen, but as of September 2018 only 354,000 cards had not expired. All the data were encrypted.
  • In addition to credit card and passport information, the hackers copied names, addresses, email addresses, phone numbers, and reservation dates.

What could that mean to me?

My information might be included, but I cannot see this as something of great concern.

What could the hackers do with it?

Not much.

The FTC has a useful piece of advice, which I recommend. But I already have my credit rating monitored, alerts on each of my credit and bank accounts for unusual activity, and don’t think I need to do more.

I cannot see how my passport number can be used to cause me harm. I don’t need to get a new one.

Certainly, the breach will cost Marriott (more in the second post). Lawsuits have already been filed (including this one), even though there is little evidence of harm to guests (IMHO).

My breath is normal. How is yours?



  1. Am I missing something? Can hackers misuse my passport number and stay information?
  2. Is this something I should be hyperventilating about?

Making intelligent decisions that consider cyber risk

January 15, 2019 5 comments

Last month, I said People don’t know how to assess cyber risk.

I quoted from a McKinsey report (my highlights):

  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
  • At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

Osterman Research published the results of a survey of board members in 2016. They concluded (my highlights):

  • 85% of board members believe that IT and security executives need to improve the way they report to the board.
  • 59% say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.
  • 54% agree or strongly agree that reports are too technical.
  • Only 33% of IT and security executives believe the board comprehends the cyber security information provided to them.

Why is that?

I believe it’s because most reports are either a list of risks or a list of prioritized information assets (produced by following guidance from ISO, NIST, or FAIR).

A list of risks may be technically sound.

But is such a list actionable information?

Does it help boards and executives make the quality strategic and tactical decisions necessary for enterprise success?


Protiviti recently shared the results of a CISO round table. Are the CISOs talking about changing the paradigm from managing a list of cyber risks to helping the organization’s leaders take the right level of risk and manage the business for success?

No. They continue to talk about their silos. Stories about breaches are interesting but may not relate to running the business to deliver value.


Executives need information that will help them decide how much to invest in cyber when those same resources could be applied to highly profitable investments in new technologies, product design, acquisitions, a marketing campaign, hiring, and so on.

They need to know the likelihood of a breach that would result in their failing to achieve their objectives as an organization.


CISOs and consultants complain that boards don’t understand cyber and information security.

It’s true: they don’t.

Why should they learn the language of cyber? They can’t be experts in everything, including not only cyber but financial management, hedging, marketing, product design and development, and so on.

No. Those charged with managing cyber have to learn how to communicate their concerns in the language of the business instead of asking board members and top executives to learn technobabble.

Even if there were a member of the board who talked technobabble, cyber risk would still need to be translated into common business language so that everybody can see the big picture.

Cyber is just one of many sources of risk to enterprise objectives, and business decisions should be made based on reliable information and a view of the big picture, one that includes all the related risks.


My advice for CIOs, CISOs, and CROs:

  • Take each of the organization’s strategic objectives, such as “revenue growth of 10%”
  • Consider how a breach might affect each objective
  • What is the magnitude of breach, what would have to happen, for there to be a significant effect on the achievement of one or more objectives – an effect that would be considered unacceptable by leadership?
  • How likely is that?
  • Communicate that information to leadership, but first work with those responsible for reporting overall risk to objectives and integrate cyber risk into their reporting
  • Help the board and top management understand whether cyber-related risk, together with other sources of business risk, means there is an unacceptable likelihood of failing to achieve enterprise objectives
  • Help leaders decide how to respond when the overall risk is unacceptable (i.e., the likelihood of success is lower than desired)
  • In other words, help them manage the business rather than a list of risks or information assets


I welcome your thoughts.

Excellent advice for all of us involved in managing risk

January 9, 2019 10 comments

The International Federation of Accountants (IFAC) has published a first class document, Enabling the accountant’s role in effective enterprise risk management.

While it is focused on accountants, primarily in Finance, the explanation of the value and purpose of enterprise risk management should be required reading for boards, executives, and practitioners as well.

Frankly, I wanted to excerpt half the booklet, but here are some of the more valuable portions with highlights by me.

To add value, accountants [and the rest of us – ndm] need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.

Business requires taking risks and seizing opportunities to achieve success.

The accountant’s [and everybody else – ndm] primary role in ERM is not solely to mitigate risk, but to promote and facilitate effective risk and opportunity management in support of value creation and preservation over time. This involves being focused on the benefits of intelligent risk-taking in addition to the need to mitigate and control risk.

ERM requires information and analysis that may indicate success or failure, and support decisions around potential courses of action.

The need for effective ERM has never been greater as organizations navigate complex and interconnected risks to their business models and operations.

The reality is that risk management is underdeveloped in many organizations; a reactive approach to risk management is currently the norm. Risk management is typically siloed rather than seen as a core competence and strategic asset. Consequently, risk management processes are ineffective and inefficient and not seen as adding value to decision making and responding to uncertainty.

To be effective partners and contributors to an organization, accountants need to understand the principles of risk management and how they can be implemented to manage opportunities and threats as part of the existing planning and control management cycle.

A challenge in effectively managing risk is that risk oversight and management are poorly understood, resulting in different interpretations and approaches, which depend on personal experiences, organizational role, and sector. For example, in financial services, or in managing financial performance, the measurement and assessment of risk has been a predominantly quantitative exercise designed to avoid loss or fraud. Since the financial crisis, this approach is recognized as being too narrow to adequately inform decisions and manage uncertainty. In other sectors, specific challenges such as health and safety or digital and cyber risk are predominant risk areas which ultimately shape the overall approach to managing risk.

The challenge that arises with applying risk management activities solely through a lens of risk mitigation is that it increases cost with little benefit to the organization’s resilience and success.

Risk management should sit at the heart of every organization. Effective risk management requires different parts of an organization and multiple processes to come together to understand collectively how the organization is exposed to uncertainty, and how this uncertainty may undermine the achievement of business objectives, and the opportunities for growth and innovation. It is about ensuring an organization is safe and resilient, but that it also continues to thrive.

Risk management is therefore fundamentally about making decisions in the context of uncertainty. It involves understanding the past, present and possibilities for the future. ERM processes involve identifying, assessing, and treating uncertainty and related risks and opportunities that could affect the outcomes of an organization’s objectives.

Ultimately, ERM gives the board and managers a better understanding of how risk affects the voice of strategy. It also provides confidence that all levels of the organization are attuned to the risks that can impact strategy and performance, and that these are proactively being managed.

An effective contribution to ERM involves enabling decisions and driving insights to decision makers. There are various elements to better supporting decisions in risk management. More informed risk-taking and decision-making requires high quality information about opportunities and risks and their implications. Ultimately, high-quality information is crucial to good decision making as it reduces uncertainty – and can support a higher risk appetite where appropriate.

The guidance misses one important piece of advice that I would share with any CFO (or board member, CEO, and practitioner).

That advice is that leaders of the organization, such as the CFO, need to lead everybody to understand risk management the way it is discussed by IFAC.


I welcome your thoughts.

Transforming risk management in 2019 and beyond

January 3, 2019 15 comments

I was thinking about a post for the New Year that would highlight the changes I would like to see in both practices and thought leadership around the management of risk, when I listened to a new video from my good friend, Alex Sidorenko.

Alex had been attending a risk management conference in Dubai led by another friend, Alex Dali. In this video, he shares a key takeaway.

The risk management leaders at this global conference said that there were two indicators of effective risk management.

The first is that business decisions are informed and intelligent (my words). The consideration of risk is integrated into the setting and then the execution of strategies through daily decisions.

My caution is that when we are talking about ‘risk’, we should be thinking about all the things that might happen, not only harms.

In fact, as I wrote in my last book, we should be avoiding the word ‘risk’ as management has a negative perception of it.

  1. Most think it only relates to harms
  2. Managers tend to think of risk management as a compliance activity

In fact, if we think instead about anticipating what might happen and making informed and intelligent decisions with that in mind, there will be a common purpose and understanding between practitioners and the leaders of the organization.

That’s the second set of indicators: a common understanding and language around risk.

My preference, which I will restate, is that we discard the technobabble of the risk practitioners in favor of using the language of the business. (Where everybody in a mature organization is comfortable with technobabble, then continue to use it – as long as it is not focused solely on harms.)

I come back to a Deloitte study from a few years ago.

Executives were asked whether risk management helped them set and then execute on strategies. Only about 13% said it made a significant positive contribution.

So, Alex, my vote for an indicator of success is when the leaders of the organization in the executive suite and on the board wholeheartedly answer the Deloitte question with a hearty thumbs up!


In 2019, let’s press the regulators, consultants, and other thought leaders to focus less on managing harms (especially in silos like vendor risk management) and more on helping those leading the business anticipate what might happen and make intelligent and informed decisions.


I welcome your thoughts.

Advice for audit committees and oversight of external auditor

December 15, 2018 5 comments

While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.

One of the reasons is that most of the advice given audit committees comes from the audit firms, and they are hardly likely to suggest that they are asked penetrating questions.

Another reason is surely political: who wants to upset the auditors?

I wrote two blogs on this topic, The effective audit committee and Evaluating the external auditors, which you may want to visit.


In my experience, both as the leader of internal audit functions and more recently as an advisor to organizations, audit committees fail to challenge the external auditors and ensure they are providing quality services at an appropriate cost.

Some of that may be because they see the auditors as having to be independent and don’t feel they should be questioning either their expertise or insight.

Both can be questionable and the audit committee needs to ensure that the auditors are doing the job they are paid for – well and at reasonable cost.


I want to bring my blogs up to date by talking about the external auditors’ work on SOX.


As you may know, I literally wrote the book for the IIA on SOX (now in its 4th edition). I also teach SOX managers and advise organizations on efficient and effective SOX compliance.

What I am hearing, again and again, is that the audit firms are NOT following PCAOB Auditing Standard No. 5 (since renumbered but unchanged) – which they are REQUIRED to follow.

The standard mandates that the scope of work is based on a top-down, risk-based approach.

The only controls that need to be included in the scope and tested are those that are relied upon to detect or prevent an error or omission that is not only material but reasonably possible.

Instead, perhaps out of fear of being criticized by the PCAOB Examiners, the auditors are demanding (and that is the correct word) that management’s scope and work include areas where there is not such a reasonable possibility. The latest (but not only) fear-driven scope creep is around information security and cyber – and who has heard of a hacker altering the financial statements?

This is driving up both the cost of management testing and external auditor fees.


Why does this matter to the audit committee?

They are responsible for oversight of the external auditors.

When the auditors feel that they can do whatever they like, ignoring management’s comments that “there is no risk”, I have to feel that something is wrong.

I want the auditors to focus on areas where there is a real risk, one where there is a reasonable possibility of a material misstatement.

I don’t want them distracting management and consuming their limited resources.


Please, audit committee members, ask your audit partner whether his or her team are following a top-down and risk-based approach, and agreeing on the risks with management (and internal audit, as appropriate).

If the answer is unclear, I have to question their capability.


I welcome your comments.



Stop managing and start taking risk

December 9, 2018 8 comments

Don’t do that, the risk is too high!

You need to spend more money on cyber/fraud prevention/anti-money laundering/(fill in the blank) because there is a high risk of something really bad happening.

You can’t announce the new product/roll out the new system because it’s not ready. We haven’t fixed all the bugs.


The people who shout these warnings are focused on risk. If they see it as high, they see red. STOP signs. DANGER!



But, what about the people who are trying to get something done?

Do they see prudent, business-oriented people, or do they see the boy who cried wolf (from Aesop’s fable) or Chicken Little calling out that the sky is falling?

Do they see people who are helping them or getting in the way of running the business?


In a recent RiskMinds video (thank you for sharing, Alexei Sidorenko) Nassim Nicholas Taleb, who is famous for talking about black swans, tells us that there should be no risk management and we should be studying risk taking.

In fact, in his Amazon bio, he says he “spent two decades as a risk taker before becoming a full-time essayist and scholar focusing on practical and philosophical problems with chance, luck, and probability”.

I couldn’t agree more.

Focusing on avoiding hazards (things that might go wrong) is a recipe for failure. You only succeed in life and in business by taking the right level of the right risks.

It all comes down to helping leaders make informed and intelligent decisions. Informed means having as good information as you can about what might happen, both good and bad, on your way to achieving your objectives – whether your objective is to grow revenue or lose weight. Intelligent means involving the right people, considering your options, leaving your biases behind (see here), and taking the time to think things through.


Taleb is asked what he sees as the greatest risk. His answer (in my translation) is that when you are not taking risk intelligently (and that can mean steaming ahead through the shoals when the need requires) you are putting your future and its success ‘at risk’.


Unfortunately, most practitioners see their job as requiring them to call out that the sky is going to fall if we don’t delay/spend money/change our practices/etc.

A list of risks is not a list of ingredients for success.


What emphasizes the scale of the problem is that the interviewer doesn’t understand what Taleb is saying. She doesn’t hear the point that we shouldn’t be making a list of risks but enabling better risk-taking. Instead, she wants his help to prioritize her list of risks.


In Risk Management, a recent article purports to guide information security practitioners on how to assess and manage the security of information. But nothing is said about understanding how a security incident could affect the business and the achievement of its objectives.

The author is managing data security risk, not helping people take the right level of cyber risk.

By the way, the only way you can eliminate cyber risk is by closing the business (and it’s questionable whether it is totally eliminated even then). The question for business leaders is how much cyber risk should they take; or, putting it another way, how much should they be spending on cyber defense, detection, and response?

These are business decisions, not risk decisions.


There are too many articles, frameworks, and standards that focus on managing risk, and not nearly enough discussion on taking the right risk (after weighing the consequences) through informed and intelligent decisions.


What do you think?

Why is internal audit not seen positively?

December 6, 2018 15 comments

One of the findings in a new report by Deloitte, their 2018 Global Chief Audit Executive research survey, is that only 33% of CAEs believe their function is seen positively.

This is awful, especially when you consider that this is the assessment by CAEs. I would assume management and maybe the board would not rate IA as highly as those responsible for the function.

The survey also found that while there has been an increase in the percentage of CAEs who believe they and their team have strong organizational impact, the new level (up from 16%) is still only 40%.

Again, this is the perception by CAEs.

Note that even some who believe they have strong influence do not think they are perceived positively.

Deloitte sees the solution to the problem as the use of new technologies.

I think that’s nonsense.

This is what I believe is behind the problem:

  1. Internal audit more often than not fails to address the more significant risks to the business as a whole.

Internal auditors and the work they do don’t matter (except to check the box). They are not contributing to the effective management of the risks that could cause the organization to fail to meet its key objectives, such as those relating to market share, revenue growth, margin improvement, and so on.

They are not auditing the risks and issues that are on the agenda of the executive committee and the full board.

They are not looking at what is being managed by the top of the house. Instead, they are auditing risks to processes and such. Risk-based, yes; but not enterprise risk-based.

Most of their findings, in the words of a former CEO and current chair of audit committees, are “mundane operational matters”.

CAEs should consider moving to an enterprise risk-based audit approach, as discussed in the UK Chartered Institute of Internal Auditors’ 2014 guidance and (in a more detailed fashion) in Auditing that Matters (2016).

One way to ask if any planned audit is mundane or potentially consequential is to ask “who would be concerned if the audit found that the management of the risks addressed and related controls were inadequate?” If findings would never merit the attention of the CEO or the full board, why is the audit on the audit schedule (excepting projects required by regulators)?

Stop asking what the risks to a business unit, department, location, or process are.

Start asking what could cause the organization to succeed or fail.

Stop auditing what used to be a risk and start auditing what will be a risk that needs to be managed this and the next period.

Now what can we do to help?

  2. Internal audit limits its work product to standard, formal audit reports. It does not provide the timely advice and insight it could, limiting itself to assurance reports after the fact.

In too many cases, IA does not work with management to agree on the risk when it finds issues and what needs to be done for the business as a whole – which could mean agreeing that taking the risk is appropriate. Instead, IA writes a report and flings it over the wall for management to respond.

In too many cases, IA delays communication of its assurance, advice, and insight for weeks or months.

If the results of the audit are consequential, management needs to know yesterday!

Communicate what leaders need to know, when they need to know it, in a way that is easy for them to absorb and act on.

According to Deloitte, about a third of CAEs take more than a month to issue an audit report. I’m not sure what value is created, although I am sure the cost is high.

There really aren’t more than these two points.

Of course, it takes the right CAE and team to audit and then communicate what matters.

Much more in the book.

BTW, if you are auditing the wrong stuff and communicating late and poorly, it really doesn’t help to have used advanced analytics or RPA.


What do you think?


I think it is time for the IIA to establish a task force to discuss how to turn this all around.