Request Demo

It is the greatest challenge for a technically minded leader like a CISO to be able to map the information security risks that they know face the enterprise to the business outcomes such that business-side leaders can understand them. Dating back to the origin of the position, CISO’s have been charged with bridging the gap between cyber risk and business outcomes and key risk indicators are their secret weapon.

Key Risk Indicators

Key risk indicators (KRIs) are the tactical application of a risk appetite statement. For cyber risk managers, CISO’s among them, that manage cyber risks, cybersecurity key risk indicators are the listing of the benefit and the risks associated with that strategy.

 These KRIs are the marriage of the desired outcome that comes from the C-suite and the technical knowledge that comes from the security professionals that have been embedded in this practice for years and delivers value to both sides.

KRI's

Practically Applying Your Risk Appetite Statement

In order to effectively operationalize your risk quantification practices, the enterprise leadership must be able to understand and map those cyber risk metrics to the outcomes that they’re looking to achieve (otherwise why accept the risk). For technical leaders like a CISO, having the processes in place to facilitate the delivery of that risk data in such a way that its understandable to business leaders is critical - C-suite members and the board need key performance and risk indicators in the digital age and it is often the breakdown of communication that stops them from getting it.

Taking the high-level strategy of an organization’s risk appetite statement and breaking it down into KRI’s empowers risk managers to understand and feed the critical metrics back up to senior management.

KRI’s Give The CEO Room To Understand Cyber

With data breaches capturing headlines weekly, CEO’s are growing more and more concerned with the states of their cyber posture. However, this is a whole new classification of risk for CEO’s and BoD’s that leaves them searching for answers in ways that will fit into their current methodologies of managing existing and potential risk. With cyber-focused KRI’s that are constructed by the CISO in tandem with the strategy put out by the CEO, this helps the CEO understand the risks associated with the strategy - and either accept or reject that level of risk.

Using KRI’s as a means to empower both business leaders and security teams with an understanding of the other party allows both to work more closely and further integrate cybersecurity risk management into the executive leadership conversation.



You may also like

Integrated Risk Management ...
on October 21, 2019

Integrated risk management (IRM) marks a shift in the way organizations approach cybersecurity, privacy, and risk. It is a commitment to forgoing the siloed practices that defined ...

The NIST Cybersecurity Framework ...
on October 17, 2019

The National Institute of Standards and Technology (NIST) Cybersecurity Framework Implementation Tiers are one of the three main elements of the Framework - the Framework Core, ...

Understanding the NIST CSF ...
on October 16, 2019

The National Institute of Standards and Technology (NIST) Cybersecurity Framework has been touted as a gold-standard framework for managing cybersecurity risk. The NIST CSF is ...

What Are the Benefits of the NIST ...
on October 10, 2019

The risks that come with cybersecurity can be overwhelming to many organizations. Building out a robust cybersecurity program is often complicated and difficult to conceptualize ...

Your NIST Cybersecurity Framework ...
on October 9, 2019

The National Institute of Standards and Technology developed the Framework for Improving Critical Infrastructure Cybersecurity, later dubbed the NIST Cybersecurity Framework ...

What is the CCPA and Who Must ...
on August 30, 2019

Following the European Union's General Data Protection Regulation (GDPR), and falling in line with the privacy laws of Massachusetts, Vermont, Ohio and many others, California's ...

Alison Furneaux