Aware But Not Prepared

Boards and Executives are aware of cyber risk, but don’t know what to do about it.

Senior business leaders—from the board of directors, across the c-suite, and down to the managerial ranks—are tasked with a myriad of responsibilities that ultimately make their companies and organizations successfully function. In an age where cyber risk has become omnipresent, yet somehow still blindsides senior business leaders, how can information security professionals and risk analysts ensure their warning signs are seen and heeded by leadership?

Unfortunately, most senior business leaders are not proficient when it comes to information security or data security/privacy issues — the core pillars of cyber risk. This leaves their businesses more vulnerable to lax oversight or misjudgment. In order to avoid all the proverbial potholes and effectively drive the organization down the road of success in an efficient yet resilient way, senior business leaders must first be properly trained on what cyber risk is, and how best to govern and manage it.

The problem, however, is that most executive-focused cyber risk training solutions are woefully insufficient. When senior business leaders seek out cyber training, they’ll generally choose to attend a conference. But executive conferences typically feature a couple of cybersecurity headliners, rather than taking the time to thread the learning together in a way that is simplified and effective. While the conference organizers may succeed in improving attendance and delivering entertaining “war stories,” they oftentimes lack specific action items and follow-up deliverables to help attendees manage cyber risk. Other executives may opt for a paid training program. Unfortunately, many of these programs are flawed as well: again, they lack thorough structure and rigor and have not been designed by learning scientists and industry experts.

Instead, senior business leaders should be seeking out cyber risk training that has all of the following aspects:

Utilizes a Structured Learning Approach

Successful training programs go through a rigorous process to understand the topic, identify learning objectives, and design the course in a way that best suits the learner’s needs. Cyber risk training programs should use a structured approach to help simplify the complexity of the topic, and the content should also be scaffolded in a way that allows the executive to quickly and easily build upon knowledge already learned. CyberVista’s Resolve programs use our Cyber Risk Governance learning framework, which amalgamates cybersecurity frameworks (NIST CSF and ISO 27001) and Enterprise Risk Management frameworks in a simplified “Prepare, Monitor, & React” approach to learning.

Establishes a Foundation of Cyber Literacy

Good cyber risk training should enhance your cyber literacy. The cyber domain is complex, which means senior business leaders need to understand a wide range of concepts on how cyber risk should be factored into their larger enterprise risk framework. Whether it’s understanding cyber threat actors, evaluating their cyber attack surface, or conducting proper cyber due diligence during M&A, CyberVista’s Resolve programs are designed to quickly enhance cyber literacy and ensure senior leaders absorb and apply the content moving forward.

Incorporates a Quantifiable Risk Model

Contrary to popular belief, cyber risk is not an entirely nebulous concept. Impacts can be quantified. The key is adopting an effective framework for understanding, measuring, and analyzing cyber risks, such as Factor Analysis of Information Risk (FAIR). By using a quantitative model like FAIR, business executives can put a specific price on their cyber liabilities — converting complex forms of risk into dollars and cents — and manage them accordingly from the business perspective.
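To make the “dollars and cents” point concrete, here is an added example (not CyberVista’s or the FAIR Institute’s code) that quantifies one cyber risk scenario the FAIR way: Loss Event Frequency is Threat Event Frequency times Vulnerability, Loss Magnitude is primary plus secondary loss, and each factor is a calibrated min / most likely / max range rather than a single guess. The scenario values are constructed for illustration, and the Monte Carlo run is deterministic so the figures are repeatable.

```python
"""FAIR-style annualized loss estimate for one risk scenario (constructed example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3  # mean of a triangular distribution


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # Threat Event Frequency: threat events per year
    vulnerability: Range   # probability (0..1) that a threat event becomes a loss event
    primary_loss: Range    # dollars per loss event (response, replacement, lost productivity)
    secondary_loss: Range  # dollars per loss event (fines, legal, customer churn)


# Hypothetical scenario: ransomware on a customer-facing order system.
SCENARIO = Scenario("ransomware on order system",
                    tef=Range(2, 6, 12), vulnerability=Range(0.1, 0.3, 0.6),
                    primary_loss=Range(50_000, 150_000, 500_000),
                    secondary_loss=Range(0, 50_000, 300_000))


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate: E[LEF] * E[LM], treating the factors as independent."""
    return s.tef.mean() * s.vulnerability.mean() * (s.primary_loss.mean() + s.secondary_loss.mean())


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year at rate lam (Knuth's method; fine for small rates)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: returns the mean and the 10th/50th/90th percentile annual loss in dollars."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        yearly.append(sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng) for _ in range(events)))
    yearly.sort()
    pct = lambda q: yearly[int(q * (trials - 1))]
    return {"mean": sum(yearly) / trials, "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}
```

The percentile spread, not just the mean, is what lets a board compare a control’s annual cost against the loss it is expected to avoid.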

Uses a Common Lexicon to Improve Communications

Beyond enhancing your cyber literacy, successful cyber risk training will help your organization use a common language so that everyone in your organization, from your Board of Directors to your entry-level employees, clearly understands what is being said or described; it allows everyone to get on the same sheet of music. A structured cyber lexicon in your organization means improved communication when it comes to preventing cyber incidents and knowing what cyber risk means for your organization.

Drives a Cultural Shift for the Enterprise

Ultimately, a successful cyber risk training program will result in a cultural shift for the entire enterprise, moving away from complacency and toward a heightened sense of potential risk scenarios, forms of loss, and prioritized controls. The initial push to drive this cultural change may stem from effective risk analysts and information security professionals, but in order to affect the entire enterprise, the culture must also be driven from the top down. Organizations need leaders who can lead by example.

Where to Start

Endorsed by the FAIR Institute and adherent to the FAIR Standard, CyberVista Resolve’s Digital Risk program provides senior leadership with the knowledge necessary to understand, monitor, and manage cyber risk as well as help meet compliance requirements. Need subscriptions for the entire board, committee, or leadership team? Contact resolve@cybervista.net for a corporate quote.

Post by Jeff Welgan

Executive Director and Head of Executive Training Programs at CyberVista
