Cyber and the board

August 24, 2019

There’s an interesting article in the Harvard Law School Forum on Corporate Governance and Financial Regulation. What the Capital One Hack Means for Boards of Directors has insights that merit the attention of risk, cyber, audit, and governance practitioners.

Much of the article is useful background information for board members, in particular the discussion on how hackers penetrate third parties (or fourth parties) as a way of gaining access to your network and its systems and data.

Here are some other interesting comments:

  • …vendors, partners, business associates, and other third parties whose outsourced operations become integrated within a company, can pose a challenging and existential cybersecurity threat to operations. Yet despite increased regulatory scrutiny; growing virtual threats at a global, national and state level; and a riskier business environment, most experts would attest that the relative maturity level of vendor risk management programs is still lacking.
  • …digital interconnectivity between vendor and customer creates an inherent risk as cybersecurity shortcomings of third-party vendors have become the go-to-attack vector for cybercriminals. In fact, PWC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties.
  • Given the explosive growth of outsourced technology services and the increasingly intimate cyber-integration and relationship of companies and third party vendors, boards need to monitor and challenge their third-party exposure and insure the proper implementation of safeguards and processes to reduce their vulnerability.
  • …cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.

The article focuses almost exclusively on breaches that result from weakness outside the enterprise network and its defenses. That is a limitation that should not be overlooked. There is much more to cyber risk.

But my main problem with the piece is that it asks too much of directors.

The board should not be asking all these (excellent) questions. It should be demanding that management have the answers.

It is not the role of the board to run the organization, nor to understand and then address all of its business risks – including cyber.

It is the role of the board to ensure management is doing all of that well.


  1. The board should obtain assurance that management is capable of running the organization to achieve its objectives. That includes addressing cyber and other sources of risk.
  2. Management should ensure it has the answers to the questions in the article.
  3. The CISO, Risk Management, and Internal Audit can use the questions in the article for their own practices.
  4. Internal Audit should consider cyber risk in its planning and, where it is a serious source of risk, provide an objective assessment of the maturity of cyber prevention, detection, and response processes and controls.

I welcome your comments.



Join me at Risk Awareness Week

August 24, 2019

Join me and 35 other amazing speakers at Risk Awareness Week 2019. It will be broadcast online from 14 to 18 October 2019.

Risk management is much more than having a risk appetite statement and policy, doing risk assessments once a month, and reviewing a list of top risks with executive management and the board.

Risk management is about changing how important business decisions are made, how goals are set, how performance against these goals is measured, and how success is achieved.

I have joined some of the best global risk management and decision science experts for Risk Awareness Week.

It will bring some of the leading risk management researchers and practitioners to your computer or mobile phone. It is designed to raise awareness about how the consideration of what might happen (the effects of uncertainty on objectives, aka risk) is an integral part of setting objectives and strategies, planning, forecasting, budgeting, daily execution, and performance management.

It is a 100% online conference that enables participants to tune into just the workshops of interest. More than 50 presentations will be broadcast over the five-day conference. Participants can attend live sessions or watch the recordings.

Every workshop is specifically designed for decision makers and risk professionals alike. In fact, the workshops are less about risk management and more about making decisions.

Will you join me?

A CIO talks business sense about cyber security and the CISO

August 17, 2019

Every so often, I see an interesting piece worth sharing. This time it is How To Talk To the Board About Cybersecurity.

A CIO shares his experience working with boards and advice on that challenge for CISOs.

Here are some useful comments (with my highlights):

  • If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
  • … while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
  • One of the most important things technical leaders can do in communicating with the board is to get on the same page ahead of time. In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations.

But for the board, the only consideration is how these two things are supporting (or hindering) business operations.

  • CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
  • Ultimately Security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.

There are a couple of key messages here that I have been sharing for several years, including in my book, Making Business Sense of Technology:

  1. Talk to leadership in business terms: what is required to achieve business objectives, whether that is security or technology innovation?
  2. While reasonable precautions need to be taken to prevent a breach, preventing every breach is an impossible goal. The capable hacker will get in. The question is whether it will take your organization the typical 8-9 months to know what is going on, or whether you will be able to detect a breach promptly and respond appropriately.

I welcome your thoughts.

New report on the cost of a cyber breach

August 9, 2019

In Making Business Sense of Technology Risk, I refer to studies conducted by the Ponemon Institute and sponsored by IBM Security.

Their latest Cost of a Data Breach Report again has some useful information.

You may be surprised to hear that the average cost of a data breach is just $3.9 million. That sounds far different from what the alarm bells screaming at you from all sides would suggest. Healthcare costs are typically much higher than average. Healthcare is where the ‘megabreaches’ have typically occurred, although large companies in financial services and retail have also suffered huge public disasters.

Does it make sense to invest tens of millions of dollars or more when the average cost is relatively low?

That’s one of the issues tackled in the book. For a start, while the cost may appear low, the disruption to the business and its impact on customers and partners may be much more significant. A small out-of-pocket cost may hide the fact that significant enterprise objectives will now be much harder to achieve.

Another challenge is that resources to invest are limited. How does the leadership of an organization decide whether to invest in cyber, a new marketing campaign, an upgraded product offering, or to reduce supply chain risk?

Another factoid in the report is that despite advances in detection, the average time to identify and contain a breach remains unacceptably high: 279 days. In addition, a breach can have significant effects that last two years or more.

One of the problems with studies and discussions around cyber is that this is only one of several sources of risk to enterprise objectives. To understand the likelihood of achieving a business objective, you need to consider all related sources of risk.

Unfortunately, neither COSO nor ISO (nor anybody else to my knowledge) has provided practical guidance on this challenge of aggregating disparate sources of risk to a single objective, nor shown us how to weigh that aggregate against the upside.

Maybe that will come. In the meantime, perhaps my book will help.

I welcome your thoughts and comments.


Are your business decisions failing because they are biased?

August 3, 2019

Cognitive bias is something that all of us need to understand.

It affects our own decisions as well as those our leaders make in running the business.

It affects the setting of strategy as well as its execution.

It affects our own and others’ assessments of what might happen (aka risk).

It affects our trust and belief in ourselves and those we rely on for information.

We need to understand how cognitive bias affects our own and others’ decisions so we can fight it. It can lead us to make the wrong decisions and fail to optimize our own and the enterprise’s performance.

As I look back on my own career, I can think of many situations where I made what turned out to be a poor decision as a result of my own bias. For example:

  • I trusted people that I liked for their outgoing personality (charm) when I should have challenged their knowledge of the subject more thoroughly.
  • I hired individuals for their resume and certifications over others who probably had more imagination and curiosity.
  • I had too much respect for those in authority, trusting that they would follow through on commitments.

As you look at the decisions you make yourself, the ‘risk assessments’ you make or facilitate, the people who come to you with information, are you aware of how your biases may lead you astray?

What do we need to do to help those making business decisions become aware of their cognitive biases and combat them?

I think it starts with the essential first step of recognizing our own fallibility, our own biases.

I welcome your thoughts on this important topic.

A proactive approach to cyber risk management

July 28, 2019

Watch this video from Korn Ferry.

What is important is that Korn Ferry is an organization that works with and advises boards and top executives.


They are right when they say that the CEO has to be proactively involved and that cyber is not an issue to be left to the techies, even the CIO, CTO, or CISO.

Let me repeat that: it is not an issue to be left to the CISO. The involvement of the entire leadership team is required to understand how a breach can affect the business and contrast that to other sources of risk.


They are right when they say cyber needs to be prioritized and treated the same way as any other risk.


But they don’t provide any practical guidance.


It is not sufficient to say that cyber risk is high, medium, or low.

The leaders of the organization need to be able to figure out what is the right level of resources to allocate to cyber defense and response; what is the right level of attention at board and executive committee level; and what should be communicated to shareholders and others.

It is important for practitioners and leaders to focus on the risk to the business, and not get hyped up by breach headlines or by eager consultants.


Resources and attention should be allocated commensurate with the potential for a cyber problem to affect the business.

Resources and attention should be allocated in priority relative to other sources of risk and opportunity.

But it is important to recognize that cyber is only one of several sources of risk to specific enterprise objectives.

Treating cyber risk in a silo (ignoring the need to consider the total level of risk and opportunity as leaders work to achieve objectives) is not going to result in the right decisions being made.


In Making Business Sense of Technology Risk, I point out the flaws in the siloed approach in the ISO, NIST, and FAIR standards. To be fair (pun intended) FAIR points out that even after the end product of their methodology is completed (a prioritized list of risks), a challenge remains in providing business leadership and the board with the information they need to understand how it all might affect success.


Rather than providing a prioritized list of high/medium/low risks, provide leadership with the information they need to make strategic and tactical business decisions.

Help them understand, within the context of competing demands for resources, what is the right level of investment, time, and so on they should make in cyber.

Help them understand when it makes sense to invest more and when it is right to take the risk.


I welcome your comments.

Is your SOX program both effective and efficient?

July 21, 2019

Protiviti’s surveys and reports are always worth reading. One I look forward to is their annual survey on SOX compliance.

Those of you who are responsible for the SOX program or SOX testing at your organization are likely to find the benchmarking information in the 2019 survey, Benchmarking SOX Costs, Hours and Controls, of interest.

However, I want to share (again) a note of caution.

Protiviti and others are talking about the use of analytics and other tools, such as RPA, for SOX testing.

But the purpose of SOX testing is to:

  • Confirm that the design of the controls relied upon to prevent or detect a material error or omission in the financial statements filed with the SEC is sufficient, if they are operated as designed, to address such a possibility – that is, to reduce the likelihood of a material error or omission to less than reasonably possible.
  • Confirm, with a reasonable level of assurance, that those controls are being performed consistently as designed.

The end product is an assessment as to whether the system of internal control over financial reporting is effective; that means that the controls are sufficient to provide reasonable assurance that a material error or omission would be prevented or detected.

What do these newer technology tools do for us?

For the most part, they provide some level of assurance that the data, and possibly the transactions, are free from error.

But do they provide any assurance that the system of internal control is effective?

While the presence of errors is a strong indicator that the controls are not sufficient, the absence of errors is not a strong indicator that the controls are effective!

The data may be free from error even though the controls are not being performed at all!

In my SOX training classes (the next one is in October), I ask the attendees how many of them have had their homes burglarized in the last year. Only on the rare occasion has anybody raised their hand.

I then ask whether the fact that they have not been burglarized is proof that they locked all the doors and windows before they left the house.

I remember one time in England when, as an IT auditor, I was flowcharting and identifying controls in a very complex integrated system. One of the controls that management had identified was a comparison between data at one point in the system to the data at a much later point (a “run to run” control). When I examined the logic of the program that did the comparison, I found that it was coded incorrectly. At each point, early (file E) and late (file L), a file was created that could be compared. But the comparison program was comparing data in file E to data on file E – instead of file L.

The control was doing nothing. But the data happened to be clean anyway (we checked).

So, when it comes to the use of technology tools, will they provide the evidence you need that the controls relied on are both adequately designed and operated? Do they test the controls or only the data?
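The run-to-run control from the anecdote above, in Python, as an added example that is not part of the original post: a reconciliation between an early file (E) and a late file (L), the miscoded version that compares file E with itself, and a control test that seeds a discrepancy into file L and checks whether the control reports it. A data check alone passes for both versions; only the seeded test exposes the control that does nothing. The record layout, file contents and function names are constructed for this illustration.

```python
"""Run-to-run reconciliation: testing the control rather than the data.

Added example, not code from the original post. Record layout, sample
files and function names are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account: str
    amount: int  # cents, so equality comparison is exact


# Constructed sample data: the early file (E) and the late file (L) agree,
# just as the data happened to be clean in the post's anecdote.
FILE_E = [Record("1000", 12_500), Record("2000", 4_275), Record("3000", -800)]
FILE_L = [Record("1000", 12_500), Record("2000", 4_275), Record("3000", -800)]


def reconcile(early, late):
    """Return (account, early_amount, late_amount) for every mismatch."""
    e = {r.account: r.amount for r in early}
    l = {r.account: r.amount for r in late}
    return [
        (acct, e.get(acct), l.get(acct))
        for acct in sorted(e.keys() | l.keys())
        if e.get(acct) != l.get(acct)
    ]


def run_to_run_control_buggy(early, late):
    """The coding error from the anecdote: file E is compared with itself,
    so the control can never raise an exception regardless of file L."""
    return reconcile(early, early)


def run_to_run_control_fixed(early, late):
    """The intended control: file E compared with file L."""
    return reconcile(early, late)


def data_is_clean(early, late):
    """What an analytics/RPA tool typically proves: the data agrees.
    This says nothing about whether the control would have caught a difference."""
    return reconcile(early, late) == []


def control_detects_seeded_discrepancy(control, early, late, account="2000", delta=1):
    """Test the CONTROL, not the data: alter one amount in the late file and
    confirm the control reports exactly that account. A control that passes
    clean data but misses a seeded discrepancy is providing no assurance."""
    tampered = [
        Record(r.account, r.amount + delta) if r.account == account else r
        for r in late
    ]
    flagged = {acct for acct, _, _ in control(early, tampered)}
    return flagged == {account}


if __name__ == "__main__":
    print("data clean:", data_is_clean(FILE_E, FILE_L))
    for name, control in (("buggy", run_to_run_control_buggy),
                          ("fixed", run_to_run_control_fixed)):
        print(f"{name}: clean-data exceptions={control(FILE_E, FILE_L)!r}, "
              f"detects seeded discrepancy={control_detects_seeded_discrepancy(control, FILE_E, FILE_L)}")
```

On clean data both versions of the control report no exceptions and the data check passes, which is all a tool that inspects the data can tell you. The seeded-discrepancy test is the evidence that the control, as designed and coded, actually operates; it is the equivalent of checking that the doors were locked rather than noting that nobody broke in.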

My second note of caution is to remain focused on whether the system of internal control over financial reporting provides reasonable assurance that material errors will either be prevented or detected. That refers to the possibility of errors in the consolidated financial statements filed with the SEC.

Too many, typically under pressure from the external auditors, are adding controls without asking whether they are needed to prevent or detect a material error.

                WHERE’S THE RISK?

The scope need not, and typically should not, include controls whose failure would never result in a material weakness. It’s not a matter of whether they are important controls, or required to address the risk-du-jour. It’s a matter of whether they are being relied upon to prevent or detect a material error in the filed financials.

One final point: I don’t care how many ‘entity-level’ controls you have. I only care whether you have selected the right controls to include in scope. By ‘right’ I mean the combination of controls that can be relied on to function consistently and address the risk of a material error, and are efficient to operate and test.

I welcome your thoughts.