How to ensure cybersecurity strategies align with a company’s risk tolerance

On the other hand, risk tolerance should be a guided conversation about a specific objective or risk situation, where the CISO can develop a perspective. “If you can be clear, if you can explain it well, you can have a good conversation to get everyone on the same page about what that risk is and what you need to do about it.”

The recommendation is that CISOs consider the potential organizational ramifications and wider public outrage of the incident and avoid trying to get board members to provide guidance on technical details. “Unless they’re a technology board member, they look to us as CISOs to really understand that and manage that,” Goerlich said.

Risk discussion

To lead the risk conversation and work toward alignment, CISOs need to measure cyber risk and develop mature risk reporting processes, according to Mary Carmichael, director of strategy, risk, and compliance consulting for Momentum Technology. Carmichael, a member of ISACA's CRISC certification committee, which is at the forefront of developing risk frameworks, says that using data from industry sources such as IBM's Cost of a Data Breach report helps an organization estimate both the likelihood and the potential impact of cyber risks. "This is important in sectors such as healthcare and education, which are often underinvested in cybersecurity."
