
Making intelligent and informed decisions around cyber

The experts continue to bombard us with their advice, insight, and guidance for addressing cyber.

One of those experts, KPMG, recently shared What’s next: Key cyber considerations for 2019. Unfortunately, I don’t think it has much to say that is new or valuable – it points out what we should all already know. Frankly, it’s more a marketing piece than thought leadership.

The FAIR Institute has probably the best methodology for quantifying cyber exposure. Their chairman has penned an interesting document, Understanding Cyber Risk Quantification, a Buyer’s Guide.

He makes a number of points with which I agree, including:

  • The cyber risk landscape is increasingly impactful, complex and dynamic, and organizations have limited resources to apply to the problem.
  • Furthermore, every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives.
  • It’s important to recognize, however, that measuring risk quantitatively shouldn’t be a goal in itself. What is most important is ensuring well-informed decisions through reliable and meaningful risk measurements (whether qualitative or quantitative).

Unfortunately, the decisions envisaged by the author are what I would call siloed decisions. He talks about funds being allocated for cyber and how the FAIR methodology can be used to decide where to spend those funds.

FAIR and the other methodologies and guidance are not nearly as useful as we need them to be in providing the information that executives need to make strategic and tactical decisions, such as:

  • How do I ‘aggregate’ the various risks to my business and its objectives? How do I see the big picture so I can consider whether the potential rewards from a new venture outweigh all the related (downside) risks? A cyber risk assessment using FAIR or other approach doesn’t give me something I can readily add to other business risks to see that big picture.
  • How much should I invest in cyber when (as pointed out in the FAIR document) “every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives”? When is it right to accept cyber risk?
  • How do I compare the value to the business of investing in cyber protection to the value obtained from an investment in new products or a marketing initiative?

I tried to address these and other questions in Making Business Sense of Technology Risk.

Have you seen an approach that works, providing management and the board the information they need to make strategic and tactical business decisions?

A list of risks, or a prioritized list of information assets, is not helpful in deciding whether to launch a new highly-automated product or open an office in Warsaw.

I welcome your thoughts.

  1. June 28, 2019 at 10:24 PM

    Very good points

  2. Osama Salah
    June 28, 2019 at 11:47 PM

    Valid point. Wouldn’t the output from a FAIR analysis (or any other validated risk analysis model for its specific problem space) be a useful input for example to the ERM team where the envisioned aggregation and investment decisions can be made? The ERM team has to start somewhere to understand the decision that needs to be made.
    What appears as a siloed approach could be viewed as a decomposition of the problem into the smaller parts that are easier to address and then put back together again to address the bigger picture.

    • Norman Marks
      June 29, 2019 at 5:49 AM

      How do you aggregate cyber and other sources of business risks when they are assessed using different methodologies? That’s what I address in the book.

      • Osama Salah
        June 29, 2019 at 7:59 AM

        The book is on my reading list. Will get there eventually 🙂

  3. Sherry Scheffler
    July 1, 2019 at 6:54 AM

    Agree, great points. Is anyone else having issues with this link: Making Business Sense of Technology Risk? I’m getting this error: Sorry, no posts matched your criteria.

    • Norman Marks
      July 1, 2019 at 7:00 AM

      Sorry for that – I have corrected the link

  4. Anonymous
    July 1, 2019 at 7:05 AM

    Excellent. Thanks!

  5. Mimi
    July 1, 2019 at 11:07 AM

    I am only writing this letter as an outlet for my own discontentment with the internal audit profession in its entirety. In 12 years of internal auditing in Texas, I have never met an African American Chief Audit Executive or a qualified female Chief Audit Executive. In fact, I’ve only met one audit executive who wasn’t white – an underpaid, educated Filipino male who worked for a methanol startup in Southeast Texas. I started my own internal audit consulting firm in 2014, and, inevitably, relinquished my title as Senior Internal Auditor this year.

    The lack of color in the internal audit sector is disappointing, but what disappoints me more is the reliance on racist “winning” strategies of the past to produce results that are lackluster at best. As the daughter of a Nigerian, I’ve encountered my fair share of racism at work. I once worked for Anne Mercer, former VP and current Director of the Institute of Internal Auditors. Ironically, Anne’s internal audit team was co-sourced with Protiviti, a company that earns its billings not through its incompetent staff but through bribes of event tickets and vacations. Protiviti’s bribes were so great that Anne chose to look the other way when a Protiviti consultant, Jessica Vergara, from Florida (and currently based in the United Kingdom under Protiviti’s directives) told me to return to Africa. After attempting to resolve the issue by speaking with Jordan Reed, of Protiviti, Anne and witnesses, I promptly resigned, only to be placed in an audit role years later by Robert Half – Protiviti’s parent company.

    Robert Half has a knack for collecting a hefty recruiting fee from employers while securing a low salary for the employees presented. In this case, the Robert Half recruiter blatantly lied about the bonus compensation package for the position in efforts to get me to agree to the job. Worse, after I accepted the job and was hired, one of my new co-workers admitted to me that he felt there was reverse-racism in the hiring process – Robert Half only sent African American candidates to interview for the position I was offered. My former co-worker expressed that he did not hold any grudge against me for accepting the opportunity, but he wished that management would have given other races a fair chance. While fulfilling my duties for that role, I was treated as a slave. I was made to fetch coffee, water and lunch for a disabled team member. For whatever reason, the company had failed to properly accommodate the woman’s disability. The management team made it clear that she was viewed as a liability, and I was to care for her without complaint. Once, I was washing a dish in the office’s kitchen, and a woman from another department walked in and asked whether I would oblige her by coming to her house to wash her dishes and clean.

    I could share many more experiences about experiencing racism, sexism and other modes of disrespect, but I won’t. What I will say is that I am shocked at how long I lasted in corporate internal audit roles. I am shocked that there has not been an uprising of sorts in the lower ranks of audit departments for pay inequality, racism and harassment. Without the assistance of my mother or father, I fought my way through college and became a first-generation college graduate. I worked lots of odd jobs before my low-paying internal audit internship in marine fabrication.

    After twelve years in internal audit, I am shocked to receive employment salary offers that are between $70k and $80k per year. The Institute of Internal Auditors should market the profession as it is – a profession where the right skin color and the right genitalia will award you with top pay and benefits. After working for an audit director in Dallas whose annual compensation package was $2 million, I can honestly express that pay in the internal audit sector is less about skill and more political than any spectacle we can watch in the media. Audit Committees across the country are selecting audit directors who look like them, speak like them and add zero value. Huge compensation packages are buying the silence of companies’ most valuable consultants.

    In an organization, there is no department that the internal audit function does not touch. As passionate as I am about internal audit and creating better businesses in the future, my patience with the environment no longer exists. The IIA should firmly discourage society’s worker bees of color from entering the industry, especially those who financed their own college education. To fail to do so is to create more meaningless debt and ensure a sharp decrease in worker productivity and investment.

    • Norman Marks
      July 2, 2019 at 7:14 AM

      Mimi, I am sorry to hear of your experience. But please don’t blame the profession or its leaders. The CAEs are chosen by executive management and the board.

      You should know that there are many female CAEs, including some from Texas (people I have known). Not only are there female CAEs, but there have been female chairs of the IIA. There are fewer of color, but then there are fewer auditors of color as well.

      Consider coming to the IIA International Conference in Anaheim next week to meet them.
