The state of information or cyber security today

December 15, 2017 2 comments

A number of recent publications talk to this topic:

All of these are worth reading.

The Cisco report reads at times more like a marketing pitch, implying that too many companies use multiple security vendors’ solutions and would do better with one (from Cisco). But they do make some interesting points:

  • The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day.
  • Twenty-seven percent of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk. Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access.
  • An investigation by Cisco that included 130 organizations across verticals found that 75 percent of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks.
  • Increasingly, the operators behind malvertising campaigns are using brokers (also referred to as “gates”). Brokers enable them to move with greater speed, maintain their operational space, and evade detection. These intermediary links allow adversaries to switch quickly from one malicious server to another without changing the initial redirection.
  • Adversaries work nonstop to evolve their threats, move with even more speed, and find ways to widen their operational space. The explosive growth in Internet traffic—driven largely by faster mobile speeds and the proliferation of online devices—works in their favor by helping to expand the attack surface. As that happens, the stakes grow higher for enterprises. The Cisco 2017 Security Capabilities Benchmark Study found that more than one-third of organizations that have been subject to an attack lost 20 percent of revenue or more. Forty-nine percent of the respondents said their business had faced public scrutiny due to a security breach.

We should all be concerned with these survey findings.

It’s not sufficient to have the best tools if you are unable to respond to alerts.

Even if you outsource (as I suggest) your security infrastructure, company personnel need to be able to react promptly.

As we all know, the threats and the capabilities of our adversaries are expanding, not diminishing.

The FAIR Institute’s findings also give cause for concern.

It is important to recognize that the respondents to the FAIR survey were already involved with, if not using, that organization’s cyber risk methodologies. You would expect them to be far advanced compared to the general population.

FAIR uses a maturity model (see the paper) which is reasonable – except I wish it related what could go wrong in technology to business risk.

The principal finding is this:

Only 5% of respondents rated their organizations as “Strong” across ten or more of the fourteen factors.

In addition, they said:

On average, risk management maturity levels were low, regardless of industry or organization size. Interestingly, the four highest-scoring organizations came from different industries, which suggests that maturity isn’t the exclusive domain of any one industry.

If you don’t know what the risk is, you cannot know what to do about it.

Their conclusion is:

… cyber and technology risk management programs may be focusing on the trappings of risk management (putting policies, processes, and technologies in place) rather than the fundamentals of well-informed decision-making and reliable execution.

EY also sounds a number of alarm bells. Their key findings include:

  • 87% say they need up to 50% more cybersecurity budget. However, only 12% expect to receive an increase of over 25%
  • Only 12% feel it is likely they would detect a sophisticated cyber attack!
  • 89% say their cybersecurity function does not fully meet their organization’s needs

PwC talks mostly about the Internet of Things and robotics, but doesn’t, unfortunately, seem to add much to the discussion.

So what are we to do?

EY makes a fair point (no pun intended).

Cyber practitioners do not believe they are getting the budget they need to be effective.

But, why is that?

I would suggest it’s because they are unable to explain to senior management, the ones who hold the purse strings, why cyber matters to the success of the organization.

Too often, as in the case of these surveys, all the language is technical cyber and the risks are expressed in terms of technology assets instead of in business terms.

It is essential for senior management to understand how a cyber breach could affect enterprise objectives and the delivery of value to customers and other stakeholders.

That remains my issue with the FAIR methodology.

Why can’t we take each of the enterprise objectives (such as earnings per share) and explain how it could be affected by a cyber breach?

Management needs to weigh the value of an investment in cyber against the value of an investment in a new marketing program, the acquisition of a company that will extend its product range, and so on.

So, let’s:

  1. Understand how a cyber breach could affect the enterprise in business terms
  2. Consider how much risk we are willing to take, considering the cost (and opportunity cost) of additional investment in cyber
  3. Evaluate the alternatives, including outsourcing cyber
  4. Act but continue to monitor, learn, and adapt
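To show what steps 1 and 2 look like when the numbers are actually worked, here is an added example in Python. It is not from the post, the FAIR Institute or any of the reports cited: it describes each loss scenario in FAIR-style terms (loss event frequency and a per-event loss magnitude), computes the expected annual loss, runs a seeded Monte Carlo to see what a bad year looks like, and then translates both into an earnings-per-share figure of the kind a board can compare with other investments. The three scenarios and their figures, the 21% tax rate, the 100 million shares outstanding, and the assumption that losses are uninsured and fully tax-deductible are all constructed assumptions for illustration, not data from any survey.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One cyber loss scenario described in FAIR-style terms.

    events_per_year is the loss event frequency (mean of a Poisson process);
    loss_min/loss_mode/loss_max bound the per-event loss magnitude in USD,
    modelled as a triangular distribution.
    """
    name: str
    events_per_year: float
    loss_min: float
    loss_mode: float
    loss_max: float

    def expected_loss_per_event(self) -> float:
        # The mean of a triangular distribution is the average of its three parameters.
        return (self.loss_min + self.loss_mode + self.loss_max) / 3.0

    def expected_annual_loss(self) -> float:
        return self.events_per_year * self.expected_loss_per_event()


# Constructed example scenarios; the figures are assumptions for illustration,
# not estimates from any of the reports discussed above.
SAMPLE_SCENARIOS = (
    Scenario("Ransomware outage of order-to-cash systems", 0.2, 1e6, 5e6, 20e6),
    Scenario("Customer data breach with notification and fines", 0.5, 0.5e6, 2e6, 6e6),
    Scenario("Business email compromise (payment fraud)", 3.0, 20e3, 80e3, 300e3),
)


def annual_loss_exposure(scenarios) -> float:
    """Expected annual loss across all scenarios (USD)."""
    return sum(s.expected_annual_loss() for s in scenarios)


def eps_impact(annual_loss: float, shares_outstanding: float, tax_rate: float) -> float:
    """Translate an annual loss into earnings per share.

    Simplifying assumption: the loss is uninsured and fully tax-deductible,
    so after-tax earnings fall by loss * (1 - tax_rate).
    """
    return annual_loss * (1.0 - tax_rate) / shares_outstanding


def poisson_draw(rng: random.Random, mean: float) -> int:
    """Draw an event count from a Poisson distribution (Knuth's method; fine for small means)."""
    threshold = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenarios, years: int = 20000, seed: int = 1) -> list:
    """Monte Carlo: total loss for each simulated year, sorted ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson_draw(rng, s.events_per_year)):
                # random.triangular takes (low, high, mode)
                total += rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values: list, q: float) -> float:
    """q-th quantile (0 <= q <= 1) of an ascending list, nearest-rank style."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


if __name__ == "__main__":
    shares, tax_rate = 100_000_000, 0.21  # assumed capital structure and tax rate
    eal = annual_loss_exposure(SAMPLE_SCENARIOS)
    sim = simulate_annual_loss(SAMPLE_SCENARIOS)
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name}: expected annual loss ${s.expected_annual_loss():,.0f}")
    print(f"Total expected annual loss: ${eal:,.0f} -> EPS impact ${eps_impact(eal, shares, tax_rate):.3f}")
    p95 = percentile(sim, 0.95)
    print(f"1-in-20 bad year (95th percentile): ${p95:,.0f} -> EPS impact ${eps_impact(p95, shares, tax_rate):.3f}")
```

The expected annual loss is the figure to set against the cost of a control or of outsourcing (step 2); the 95th percentile is the one that tells the board how much of a bad year they are willing to tolerate. Because the loss distribution is heavily right-skewed, the median year is well below the mean and the tail year well above it, which is why reporting only an average understates what the decision is really about.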

This (cyber) is not a problem that is going to go away any time soon. (My hope is that AI will provide a solution in time.)

So it is essential for us to have a disciplined process for determining what to do about it.

I welcome your thoughts.



The Great Debate: COSO ERM vs ISO 31000

December 12, 2017 13 comments

A recording of the webinar discussion between Tim Leech, Alexei Sidorenko, and me (moderated by Carole Switzer) is now available at:

I would love to hear your reactions and comments.

Key Principles of Successful Risk Management

December 8, 2017 12 comments

First, let’s congratulate Jim DeLoach for his recent recognition by the National Association of Corporate Directors. He received their Directorship 100 award this week.

Now, let’s look at his latest risk management post.

His 5 Key Principles of Successful Risk Management are:

  1. Integrity to the discipline of risk management
  2. Constructive board engagement
  3. Effective risk positioning
  4. Strong risk culture
  5. Appropriate incentives


Each is important.

But are they the key to successful risk management?

Are they half as good as the principles in ISO 31000:2009 or in World-Class Risk Management? The latter are:

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

How about these?

  1. Focus on enabling success rather than avoiding failure
  2. Help everybody make informed and intelligent decisions, understanding what might happen and acting accordingly
  3. Obtain reasonable assurance that people are making quality decisions and taking the right risks

The rest is detail.

Somehow, we need to move the practice away from a periodic review of a list of risks (which Jim refers to as enterprise list management) and to increasing the likelihood and extent of success.

I welcome your thoughts and commentary.

Risk and Game Theory

December 1, 2017 10 comments

The Cuban Missile Crisis is frequently cited as an example of the use of Game Theory.

I am talking about the situation confronting the Kennedy government when they found that the USSR had installed missiles in Cuba that were capable of hitting American cities with nuclear weapons.

Here is a link to a summary of the crisis, if you are not familiar with it.

Here is a different link about Game Theory and the Cuban crisis.

I see this as an excellent example, not only of Game Theory, but about risk management.

Game Theory is not limited to international crises.

I think there are situations in today’s business world that could benefit from similar thinking.

For example, take these situations:

  • You want to increase your market share and one approach is to lower prices. But how will your competitors respond? Will this lead to a price war? Will your existing customers be tempted to treat your product or service as a commodity and switch to buying from the lowest cost source instead of respecting your innovative offering and showing loyalty to your brand? Will the move erode your margins and negatively affect your share price, spooking investors? Will it succeed because your competitors will be unable to respond effectively? Do you have the cash and other reserves to support a prolonged period of lower margins?
  • Your engineering team is struggling to produce a full range of next generation products that are price competitive. What will happen to your current customer base if you decide only to move forward with a limited range? What will your competitors do? Will they similarly focus on the more profitable lines or will they seek to take advantage of your decision not to offer a full range? Will a focus on a more limited range of products enable you to gain a lead in innovation and gain market share? How will you explain this to your investors so that they don’t sell your stock? Is there an option to hire more people and support the full range, even if that means that your product will not be available for several months after your competitors’?

Each is a critical decision that your executive team and board have to make. Each option presents a variety of risks and opportunities.

It is important to consider not only your actions but also those of the other parties.

I will leave it to my friend, Ruth Fisher[i], to pick up the explanation of how Game Theory can help you assess the situation, understand and assess the risk, and then make an informed decision.


Ruth here.

What I like about using Game Theory to analyze a situation is that it forces you to understand what motivates each of the players who affect outcomes for that situation.

Let’s consider the basic setup of the game in Norman’s first example. Figure 1 illustrates the major players in the Market Share Game.

Figure 1: The Market Share Game

Your company, [1], competes against another company, [2], for customers, [3]. To win market share, your company must satisfy customers’ needs better than your competition does. In addition to winning customers, however, your company must also satisfy investors, [4]. You satisfy investors by maximizing the long-term value of the company.

When thinking about potential actions to take, you must consider the eventual impact of that action on your company’s profits over time: How will the action you take play out in the market? What will be your subsequent profits in the near future, the medium term, and over the long run? The answers to these questions come from evaluating how each of the players in the game will react to the action you take. In particular, you must understand

  • What aspects of your offerings do your customers value? How will your customers’ perceptions of product value change with the actions you’re considering? For example, will a price cut enhance the value of your offering to customers, eventually leading to more sales of your product in the future? Or will a price cut cheapen the value of (i.e., commoditize) your product in the eyes of customers, leading to fewer sales in the future?
  • How do your product offerings differ from those of your competitor? Will the action you take increase the value of your product to customers, relative to that of your competitor, over the short term, medium term, and/or long term? For example, a price cut that is immediately matched by your competitor won’t bring any long term value to your company. Alternatively, adding a feature to your offerings that your customers value, but that your competitor cannot match, will bring long term value to your company.

Let’s now consider Norman’s second scenario. You’re working on a new line of products, resources are scarce, and you have to decide whether (i) to focus your resources on only the most profitable products in the line, or (ii) to stretch your resources and offer the full line of products. I’ve illustrated the potential product line in Figure 2, where Product 1 is the lowest margin product in the line and Product 3 is the highest margin product.

Figure 2: Product Line


The key questions in this scenario are whether or not

  • (i) There are complementarities (synergies) across the products in your company’s new line, and/or
  • (ii) There are complementarities (synergies) between your company’s new line of products and your company’s current (old) line of products.

More specifically,

  • (i) Do customers view Products 1, 2, and 3 as substitutes or complements for one another?

If they are substitutes, then you will lose fewer sales to customers by not offering the full line of products. For example, if you choose not to offer Product 1, then some customers who would have bought Product 1 might instead buy Product 2.

Conversely, if they are complements, then you will lose more sales by not offering the full line of products. In this case, if you choose not to offer Product 1, then you will lose sales to customers who still buy Product 2, but who would also have bought Product 1.

  • (ii) Do customers view Products 1, 2, and 3 as substitutes or complements for your current product offerings?

If they are substitutes, then you will lose fewer sales of current products to customers by not offering the full line of new products.

Conversely, if they are complements, then you will lose more sales of current products by not offering the full line of new products.

  • (iii) If you produce one of the new products, Products 1, 2, or 3, will that give you an advantage in the production or sale of the other new products? If so, then the margins on sales of Products 1, 2, and 3 are higher than you originally thought, and doing the full line will give you more of an advantage over your competition.
  • (iv) If you produce one of the new products, Products 1, 2, or 3, will that give you an advantage in the production or sale of your current product offerings? If so, then, again, the margins on sales of Products 1, 2, and 3 are higher than you originally thought, and doing the full line will give you more of an advantage over your competition.

Actually, the second situation benefits as much from a systems analysis – considering your old and new product lines together rather than in isolation—as from the use of game theory. In both cases, however, using game theory helps you understand how each player in a given situation will react to your company’s actions. In turn, this helps you better understand which option is best for your company.


Norman again.

If risk management is about anticipating what might happen and making informed decisions, then we have to consider how others will react.

But, too often we make assumptions about how they will react without considering what motivates them, and so on.

I believe Game Theory is an important tool for informed decision-making and risk-taking.
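To make the best-response reasoning in the price-cut scenario concrete, here is an added example in Python. It is not part of the post or of Ruth Fisher’s analysis: it takes a two-player payoff table (any number of actions per player) and finds each player’s best responses, the pure-strategy Nash equilibria, any strictly dominant strategy, and the outcomes that would leave both players better off than an equilibrium. The two tables and their profit figures (PRICE_GAME, where the rival can match a cut, and WEAK_RIVAL, where its cost base makes matching unprofitable) are constructed for illustration.

```python
# Payoff tables for the Market Share Game, keyed by (your action, rival's action)
# and valued (your payoff, rival's payoff), e.g. annual profit in $M.
# The figures are constructed for illustration, not taken from the post.

# Case 1: the rival can match a cut cheaply. Each firm gains share by cutting
# if the other holds, but mutual cuts leave both with thinner margins.
PRICE_GAME = {
    ("hold", "hold"): (10, 10),
    ("hold", "cut"):  (4, 14),
    ("cut",  "hold"): (14, 4),
    ("cut",  "cut"):  (6, 6),
}

# Case 2: the rival's cost base makes a cut unprofitable for it even if you cut.
WEAK_RIVAL = {
    ("hold", "hold"): (10, 10),
    ("hold", "cut"):  (4, 7),
    ("cut",  "hold"): (14, 4),
    ("cut",  "cut"):  (6, 2),
}

ROW, COL = 0, 1  # index of "you" and "rival" in each profile and payoff pair


def actions(game, player):
    """Sorted list of the actions available to `player`."""
    return sorted({profile[player] for profile in game})


def payoff(game, player, own_action, other_action):
    """Payoff to `player` when it plays own_action and the other player plays other_action."""
    profile = (own_action, other_action) if player == ROW else (other_action, own_action)
    return game[profile][player]


def best_responses(game, player, other_action):
    """Actions of `player` that maximise its payoff against a fixed action of the other player."""
    acts = actions(game, player)
    best = max(payoff(game, player, a, other_action) for a in acts)
    return {a for a in acts if payoff(game, player, a, other_action) == best}


def pure_nash_equilibria(game):
    """Profiles in which each player's action is a best response to the other's."""
    return [
        (r, c) for (r, c) in sorted(game)
        if r in best_responses(game, ROW, c) and c in best_responses(game, COL, r)
    ]


def strictly_dominant(game, player):
    """The action that beats every alternative whatever the other player does, or None."""
    acts = actions(game, player)
    others = actions(game, 1 - player)
    for a in acts:
        if all(payoff(game, player, a, o) > payoff(game, player, b, o)
               for b in acts if b != a for o in others):
            return a
    return None


def pareto_improvements(game, profile):
    """Profiles that leave neither player worse off than `profile` and at least one better off."""
    base = game[profile]
    return [
        p for p in sorted(game)
        if p != profile
        and all(x >= y for x, y in zip(game[p], base))
        and game[p] != base
    ]


def analyse(game):
    """Summarise the game: equilibria, dominant strategies, and value left on the table."""
    equilibria = pure_nash_equilibria(game)
    return {
        "equilibria": equilibria,
        "your_dominant": strictly_dominant(game, ROW),
        "rival_dominant": strictly_dominant(game, COL),
        "left_on_table": {e: pareto_improvements(game, e) for e in equilibria},
    }


if __name__ == "__main__":
    for name, game in (("rival can match", PRICE_GAME), ("rival cannot match", WEAK_RIVAL)):
        print(name, analyse(game))
```

In PRICE_GAME cutting is strictly dominant for both firms, so the only equilibrium is the mutual price cut, even though both would earn more by holding: this is the price war the scenario warns about, and the list of Pareto improvements is exactly the value a matched cut destroys. In WEAK_RIVAL the rival’s best response to your cut is to hold, so the equilibrium is you cut and the rival does not, the case where the move “will succeed because your competitors will be unable to respond effectively”. Which table you are in is an empirical question about the rival’s cost structure and incentives, which is why the analysis has to start with what motivates the other players.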

What do you think?



[i] Ruth D. Fisher, PhD, is the Principal at Quantaa, an economic consulting firm in Mountain View, CA. She is the author of Winning the Hardware-Software Game: Using Game Theory to Optimize the Pace of New Technology Adoption


Strategy or Objective driven risk management

November 26, 2017 23 comments

My thanks to Ryan Miller for sharing an interesting post by Mark McNamee of Grant Thornton.

Taking Risk Management by StORM has echoes of what both Tim Leech and I have been saying, namely that rather than managing risks we need to be managing the achievement of objectives (by managing risks to enterprise objectives).

I am starting to think we are all making this more complicated than it needs to be.

Yes, there is a need to inform those who rely on our SEC filings how “risky” the business is.

But, that is not how we need to run the business.

How about this?

  1. Set the right objectives to deliver value to stakeholders
  2. Establish what is needed from each executive, business unit, team, and so on to achieve those objectives
  3. Hold leaders of each area responsible and accountable for achievement of those sub-objectives
  4. Hold them accountable for understanding what might happen (risk) and making intelligent decisions as they run the business to achieve the sub-objectives
  5. Monitor performance and the likelihood of achieving enterprise objectives as a whole and sub-objectives at lower levels
  6. Periodically review those continuing risks and opportunities that may have a significant effect on enterprise objectives – but recognize that this periodic review is a relatively minor part of risk management

This is founded on the principle that we not only hire a CEO and other top executives to run the business as a whole, but leaders and managers at lower levels to run each part of the organization.

If we can get them managing the individual parts with the shared goal of achieving enterprise objectives, then that is a recipe for success.

You can only be an effective manager if you understand what might happen and factor that into your decision-making.

What do you think?

Nominate people who have made lifetime contributions to internal audit

November 21, 2017 1 comment

It is time to nominate people for lifetime awards.

Here is what the IIA has posted:

Call for 2018 IIA Awards Nominations

The IIA is asking for your nominations for its three highest and most prestigious awards. All three awards recognize individuals who have made outstanding achievements in the field of internal auditing:

Bradford Cadmus Memorial Award

For contributions to the global profession of internal auditing.

Victor Z. Brink Award for Distinguished Service

For contributions to the profession through global service to The IIA.

William G. Bishop III, CIA Lifetime Achievement Award

For impact on the global profession through a lifetime of accomplishments and dedication to The IIA.

Recipients of these awards receive complimentary registration and travel expenses for The IIA’s 2018 International Conference, which will be held in Dubai, UAE, in May with special recognition.

Learn more about the qualification requirements and download the nomination form. The deadline for nominations is 10 January 2018.

If you have questions, please contact

I was honored to have been nominated several times, but was beaten out by some distinguished individuals.

Make your voice heard and honor those who have influenced you.

Additional details can be found at

A new role for the risk office?

November 19, 2017 13 comments

I was privileged to attend and speak at the MISTI SuperStrategies conference this week in Las Vegas. Chaired as usual by the inimitable and incomparable Joel Kramer, it was an excellent event.

I heard a couple of internal audit leaders from large organizations, with correspondingly large internal audit departments, talk about their use of predictive analytics and related tools (such as IBM Watson).

One called it anticipatory auditing, finding the fires before they get started.

The accounting and consulting firms have been pressing internal audit to use analytics to monitor and even identify emerging risks for a few years.

But I do not see that as an internal audit role.

Simply stated, it is management’s job to identify, assess, and address risk – including emerging risks.

Internal audit should not perform a management function, except in those few cases where they are directed to do so by the board because of their special skills. I view fraud investigation as one such activity.

No, it is management’s responsibility to use predictive analytics and related technologies to identify risk and changes in risk patterns.

It is internal audit’s job to provide related advice and insight, including reporting to the board and top management when the management team is not able, for whatever reason, to monitor risk.

Why then do I say there is a possible new role for the risk office?

While I believe that operating management should monitor risk with advice and mentoring from the risk office, there may well be situations where the risk office should be more directly involved.

For example, one bank uses analytics to detect trends or patterns in customer complaints. They also periodically track the results of exit interviews (interviews by HR of staff when they resign their position).

Rather than establishing a data analytics unit in internal audit, with both software tools and data science expertise, I would consider putting that in the risk office. That would be especially useful when predictive analytics can be used across departments or functions to identify or monitor risk.

What do you think?

Do you agree that internal audit should get out of the risk identification and monitoring business and ask management (and/or the risk office) to do that job?

I welcome your perspectives.



I believe that internal audit should have all the tools necessary and appropriate to fulfill its mission.

Technology, such as advanced analytics and so on, can be of immense value and I used them frequently.

It’s the use of such technology to perform the management function of risk identification and monitoring to which I am objecting.

If I were the executive responsible for any area of the business, I would believe it would be my responsibility to understand the related risks and changes in them. I would not want to be told about new or changed risks by internal audit.