And how to deliver bad news to the board when risk tolerance is in the red

By Jeff Copeland

Today, we launch the SAFE Cyber Risk Podcast, “a deep dive into the ever-evolving world of cyber risk management,” says host Saket Bajoria (SB), our Chief Product Officer. In the coming weeks, we’ll bring you “thought leaders, innovators, and practitioners who shape the landscape of cyber risk management.”

Cyber Risk Podcast Ep 1 with David Reilly


As SB says, “We need a paradigm shift in how we think of cybersecurity and cyber risk” – and it starts here. 

Our first guest is David Reilly, former CTO and CIO of Bank of America, a valued mentor to the Safe team who helps us shape the company and the product.

Watch Saket’s podcast conversation with David now and see some of his key insights below.

Key Insights from Saket Bajoria’s Podcast with David Reilly

Cyber risk is business risk

David says cyber risk managers have made great progress in elevating cyber risk to the level of other disciplines in enterprise risk management, such as credit or market risk. But there’s still a way to go before chief compliance officers, chief risk officers, and chief auditors view cyber risk as equal to other risks in ERM.

Take a holistic approach to cyber risk management

David urges cyber risk teams to take a higher profile within the organization, looking at their roles and services more holistically, meeting other risk management teams where they are with services that fit their needs, with a goal of “positioning cyber risk across our businesses.”

Quantify risk – but make it accessible with BLUF

David preaches BLUF (“Bottom Line Up Front”) when communicating on cyber risk quantitatively: get to your stakeholders’ top concerns “in the shortest possible time.” Alongside your quantitative charts and spreadsheets, be prepared to answer “Are we exposed?” “To what degree?” “What are we doing about it?” and “How long will it take to get back within our risk tolerance?” Resist your inner nerd and don’t jump down into the technical details of cybersecurity. And don’t “sell past the close” once you see you’ve persuaded your listeners.

How to deliver bad news to the board

One of the most insightful – and surprising – topics of discussion covered reporting on cyber risk to the board (David serves as director on many). What if, SB asked, a CISO has established a target level of risk tolerance and then “three months and millions of dollars later we are doing worse than last quarter.”

“The best advice I could give is that your board is almost certainly way more receptive to that news than you might think,” David said. “To a board member, that isn’t bad news or good news, it’s just news, and that’s what they need.”

He explained that boards are looking for transparency but “to give transparency, consistency is the key” to show that over time you are measurably and defensibly enacting a plan. “The only thing we all know, and this is true for your board members too, is that the best-laid plans need to adjust because things are dynamic.”

2025 will be the year of AI and automation. As businesses leverage these technologies to grow revenue, better serve clients, and improve time-to-market, David foresees that the most significant challenge will be adopting new technologies in a way that keeps them ahead of their adversaries. David is enthusiastic about how businesses will leverage AI to manage enterprise cyber risks proactively and consistently.
To learn how Safe’s AI-led cyber risk management platform can empower you to stay ahead of enterprise and third-party cyber risks, schedule a demo with our cyber experts.