Denise Silon Louie, Director, Enterprise Risk And Information Governance, The J.M. Smucker Company
A perennial challenge faced by security professionals involves mastering how to communicate the scope, complexity, and risks of a security program to senior executives in a way that informs without overwhelming them with technical jargon, so that appropriate resources are allocated. We’ve all heard the advice of communication professionals to “know your audience.” The same is true when communicating security risk.
Since formalizing our Enterprise Risk Management program, we have evolved our methods for reporting technology and security risk to both our C-suite leaders and board of directors, some of whom have prior professional experience with information technology. Our goal was to meet the needs of our audience with consistent, concise reporting tools, while adjusting the reports as our audience learned more about technology risk through educational sessions and as our security needs evolved.
Like many organizations, we focus on cybersecurity risk and deliberately use that terminology to describe the program. One could easily argue that the scope of a security program and that of a cybersecurity program are one and the same, but we realized that most of our audience would be confronted with headlines, conferences, and seminars that favor the “cyber” terminology, so we agreed to align our reporting with what our audience was already hearing.
We’ve created three relatively simple yet highly effective reporting tools that ground our audience on cybersecurity risk and the status of our management efforts. Those three tools are an ERM Scorecard, Cybersecurity Landscape, and Cybersecurity Scorecard. Two of these tools are highly visual, almost infographic, in nature. We produce these reports on a quarterly or as-needed basis, and in some cases we use them to onboard third-party consultants.
The first report is our ERM Scorecard, a standard two-page template we use to consistently document all enterprise risks.
It is updated quarterly and contains the following elements among others:
• Risk name, likelihood, impact, trend, and appetite
• Relevant laws and regulations, if applicable
• Current and target program maturity
• Key people, processes, and technologies
• Program gaps, mitigation plans, and status
• Incidents, if any, including lessons learned from highly publicized incidents involving other companies
The first four bullets contain information that remains relatively static from one reporting period to the next, while the last two bullets more readily communicate updates that occurred since the last reporting period.
We recognize it is easy to overload the ERM Scorecard with content; however, its primary purpose is to serve as an executive summary, grounding our audience on how we define and benchmark a given risk.
As our reporting of cybersecurity and other risks matured, we developed and circulated additional key operating metrics that ultimately help us drive accountability and program maturity. The second of our reports is our Cybersecurity Landscape. This simple, highly visual one-page snapshot communicates to our audience the scope of our technical environment through the following facts, among others, each paired with a graphical icon:
• Reporting date
• Number of locations and employees
• Number of servers
• Number of devices connecting to our environment
• Number of websites we operate
We expect to enhance this same document with details regarding the types and volume of sensitive data we handle along with the number of applications and repositories where this data resides relative to our entire application inventory.
Finally, as is our goal with any enterprise risk, we developed a scorecard using data that not only shows our actual and target metrics, but also whether we are hitting them consistently. Our Cybersecurity Scorecard is likewise a highly visual one-page document that details the following, among other elements:
• Significant Cyber Incidents, if any
• Initial, current, and fourth-quarter target maturity for each component of the cybersecurity framework we have adopted
• Security Risk Assessment, which further breaks down the status of each component of the cybersecurity framework with red-yellow-green indicators and the following:
  o Risk drivers
  o Three key metrics with current and target status and red-yellow-green indicators
  o Key planned actions
Given the sensitivity of content shared in these documents, we take appropriate steps to secure the distribution, transmission, and storage of this content.
Since our reports cover the fundamentals, our cybersecurity team can focus meeting time and conversations with decision makers on critical matters, which has, in turn, improved our risk management speed and agility, qualities that are ever more important in today’s technical and business climate.