This article will answer the following questions:
- What is the best way to communicate about risk?
- Who should own risk in a company?
- Should every department have a designated risk owner?
- How do I translate risk to align with our company’s values?
- What is the best way to measure our company’s risk appetite?
- How can numbers help to get the perception of risk right?
Risk Part II: Risk Communication
Securing a budget is one of the most important goals for the cybersecurity manager, but the numbers will be meaningless if the company doesn’t understand the risks the cybersecurity plan seeks to mitigate. Almost anything the cybersecurity manager wants to get done requires them to demonstrate an authentic risk. If the cybersecurity manager can demonstrate the existence of real vulnerabilities within the organisation, that will motivate leaders to take action.
Talking to People About Risk
It’s not just about the numbers, though. Risk management is actually the fine art of giving people difficult feedback but doing it gently and professionally without causing alarm. Here’s an analogy: if you are a doctor, it’s unprofessional and callous to tell the patient bluntly, “You have a deadly disease, and you might not survive it, but it could be curable.” An effective physician will explain the situation honestly but gently, with a touch of optimism. He might say, “You have one mole that concerns me on your left shoulder. It seems to be limited in size, so the probability that we can get rid of it is fairly high. I’m not making promises, but you have a good chance of a complete recovery.”
Similarly, the cybersecurity manager can’t just tell the CEO, “Your company is in trouble.” The CEO will immediately start thinking about the worst-case scenario. A panic-based response is seldom helpful. As with the doctor and patient, it is much better to explain the risks while providing possibilities for resolution. This is the best framework to use when discussing risk with senior management.
In most companies, some people understand risk management and others don’t. In some, nobody knows anything about it. Even if they talk about “risk management,” they might mean something else, like threat or danger. If they don’t own the concept of risk, they probably won’t take action to mitigate risks.
For example, we recently learned about a company that was hacked, and their passwords were stolen. We reached out to the company to ask if they wanted to buy an assessment to find out what else had been stolen and how to remedy the situation. They agreed that was extremely important, so we thought we were moving forward.
Not so. They said that they were not going to hire us or anyone else. Of course that’s ridiculous because the passwords were out there. The risk was real; someone was robbing the company right then. But since no one owned the risk, nobody did anything.
Who should own risk? Not the people you might expect, like the risk manager, security manager, or fraud expert. Instead, the risk owner is someone who can assign a budget to address it. If they can’t assign a budget to make sure the problem is fixed, they cannot be an owner. The owner of a risk is never someone without a budget and authority.
Cybersecurity managers should know who is responsible for every risk. The owner should be able to choose what they’re going to do with the risk, the measures they will take, and how they’re going to pay for it. Because risk is always tied to an operation, it is closely connected to profit and opportunity. Risk and opportunity go together. If you ask who owns an opportunity, you’ll usually find the owner of the associated risk.
Finding the Owners of Risk
Someone needs to be in charge of risk management at all levels and in each department. This isn’t to say that all businesses should have a separate risk management role, but someone in each department, and at each level of the organisation, should take responsibility and ownership of specific risks.
In HR, somebody has to be responsible for HR risks. That’s mandated by law in many countries. Supervisors can be owners. In Singapore, for instance, construction supervisors must make sure every employee wears a helmet and boots, even if they’re just drawing maps on the construction site. If somebody were injured at the construction site because the supervisor didn’t enforce the regulations, he could be arrested or fined.
Similarly, in the IT department, the CIO, who assigns duties and tasks to the people who manage malware or ransomware risks, must acknowledge that IT risks are in their domain. This is something the cybersecurity manager has to be aware of too. It also helps if the CEO is aware that risks are part of the business and need to be managed.
Cybersecurity managers need to map all the risks in a language that management understands, or nothing will happen. The cybersecurity manager should gauge the audience to find out the right way to talk with them.
There is no right formula for communicating risk because each company is interested in different things. They might be focused on values, public image, profit, or employee morale. Inexperienced cybersecurity managers sometimes try scare tactics. They say things like, “There’s an unknown risk and you can never be prepared enough, so you should buy more stuff.” That’s too vague and unquantifiable to work. The cybersecurity manager should emphasise the company’s specific interests. For instance, many companies only care about profit, so for them, it helps to quantify the risks in terms of potential lost profit. Other companies that are protective of their reputation will listen carefully if the cybersecurity manager mentions a reputation risk. Each company is different, and a company’s values can change even during one year, so the cybersecurity manager needs to stay on top of this.
One of the soft skills used in risk communication is to keep it impersonal. That way the people who are responsible for the risks don’t feel like they’re being blamed for them. Risk managers become skilled at discussing risks without making anyone feel personally responsible. A risk manager would never say to an IT professional, “You should do a better job with downtime. Twice a year, we have unexpected downtime and a communications break and nothing’s working. It’s your job to keep everything online, and you failed to do so. The cost of your mistake to the company is $200,000.” Placing blame like that would make it very personal and would lead to bad feelings and low morale, and soon nobody would report risks because they know they will be stabbed in the back. The way to communicate these issues, without making it sound like a personal attack, is to talk about the objectified risk and not the person.
The cybersecurity manager also needs to assess management’s risk appetite. Risk appetite measures how much risk a company is willing to tolerate and what level of risk is acceptable to them. Professionally led companies traditionally have a bit more risk appetite, while small, family-led firms in particular tend to be risk averse; but it’s hard to predict and depends a great deal on the tone set by the owners and the board. Defining risk appetite requires a high-level decision in the company; the decision has to be ratified by the board or at least by senior management. The board must take the lead in risk management, and then those decisions must be executed by management. Only then can the risk management function actually implement it.
We talk a lot about quantifying risks, but some risk management decisions are definitely made on an emotional basis. People sense danger or feel threatened. Those reactions are important but difficult to measure. Which risk is bigger: your daughter crossing a busy street, or a passenger jet crashing to the ground with your manager on board? On an emotional level, it’s definitely your daughter. On a statistical level, maybe not. That’s how emotions can get in the way of analytical decision-making.
People make emotional decisions and are notoriously bad at quantifying risk. For example, some people develop irrational fears of a shark attack or a plane crash when the probability of either happening is extremely low. Even if they know something about impacts, most people don’t understand probabilities. They tend to worry about risks with a minute chance of happening and disregard risks with a high likelihood.
The same goes for managers and owners who assess risks in their business. They might be very professional in their primary job function, but they are usually ineffective at assessing risk probability. We’ve heard many managers say, “Communication breakdown rarely happens to us and doesn’t have much effect.” That’s almost never true; once we do the math on the probability, it turns out to be a big risk.