It’s Finally Time to Perform!
In the last few videos, I’ve discussed establishing a cyber risk management program's foundation using the first two guiding principles of COSO: Governance & Culture and Strategy & Objective-Setting. This week, I will discuss the third guiding principle – PERFORMANCE.
Again, COSO has 5 guiding principles:
Governance and Culture
Strategy and Objective-Setting
Performance
Review and Revision
Information, Communication and Reporting
Performance concentrates on how an organization considers risk while executing on strategy and achieving business goals.
In the COSO context, Performance isn’t anything you don’t already know. Businesses are increasing their dependency on technology, and digital transformation will increase that dependency further. As a result, the digital threat landscape continues to grow, which means the likelihood of an organization suffering a cyber incident also continues to grow.
From practically the first day that we start studying to become a cybersecurity professional, we are taught that:
Risk Exposure = Impact x Likelihood
The key to minimizing risk is pulling on the two levers of “likelihood and impact” by identifying and prioritizing risk events and measuring how risk treatment plans perform.
THIS is what the C-suite cares about. They don’t care about the specific technology solution(s) used to minimize risk.
An organization will never be able to "secure all things all the time." More importantly, it shouldn’t because that would be an ineffective use of capital.
Leadership must ultimately assess the risk and determine the best course of action after factoring in business goals, the criticality of specific assets, risk appetite, and risk tolerance.
It is critical to raise awareness of cyber risks with the ERM team (or senior leadership in a smaller company) in a way that lets each risk align easily with other enterprise risks. This gives leadership a composite view of risks that will help them to:
Identify conflicting risks.
Highlight, correlate and aggregate common risks across business units, and
Create a risk taxonomy that is followed across the organization.
C-Suite leadership may ignore talk about a CVSS score, which measures the severity of a vulnerability; however, they will certainly listen when you paint a picture of how that vulnerability, along with the likelihood of it being exploited, can lead to a material impact on the company’s financials and reputation.
Presenting cybersecurity risks in such a manner allows the risks to be more readily acknowledged and evaluated alongside other organizational risks that the C-Suite more easily understands.
In the upcoming weeks, I will discuss HOW to do this as I evaluate each of the five COSO Performance principles:
Identifies Risk
Assesses Severity of Risk
Prioritizes Risk
Implements Risk Responses
Develops Portfolio View
In my next video, I will discuss the first principle – Identifies Risk.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.
Have a great week!