Selling risk management to the C-suite

Chris Roberts

How do you explain the risk surrounding something that hasn’t happened yet? How do you speak “the language of the c-suite” in order to set up risk management measures in the enterprise?

Those are a couple of questions we put toward Chris Roberts in this Q&A. Roberts is a security advisor and former hacker who is currently serving as a vCISO for a number of entities and organizations around the globe. His most recent projects are focused within the threat intelligence, identity, cryptography, Artificial Intelligence, and services space.

Give us a quick introduction of your exploits in IT security.

Roberts: I’ve been creeping around this industry as a tech and as a hacker for more years than I can think of, although I don’t go quite back to early punch card mainframes. The first system I ever messed around with was a ZX80 with a whole 4K of memory. The first systems that were ever confiscated were like a Commodore 64 And one of the Atari systems. So, yeah, long way back.

Talk about risk management. Human beings are not necessarily good at that, are they?

Roberts: No. If they were, they wouldn’t get out of bed in the morning. There are so many things, that if we just thought about it for more than the five seconds before we do it, we absolutely wouldn’t do it. In the human world, consequences are immediate. It’s a pretty short feedback loop. But in the digital world, we don’t have that that feedback loop, at least at the moment. The repercussions often take an extended amount of time and then you have a very different way of dealing with them.

That makes selling the idea of risk management to the C-suite even harder.

Roberts: Yes, but there’s also a silo mentality inhibiting in communication. We have technical backgrounds, which don’t lend themselves very well to a more strategic conversation or a more long-term business conversation. We blame the CFO for not listening to us and not giving us money.

How do you how do you get the C suite to develop situational awareness?

Roberts: It takes understanding where they’re coming from and what their perspective is, and knowing how they’re incented. IT has to be able to disseminate information to the user population. We have to be able to take it to middle management and then take it to leadership. Management is thinking, ‘I’m paying you a quarter of a million dollars a year to solve problems. You better be able to understand it and you better be able to help me understand that–in 30 seconds because I’ve got 20 other meetings I’m doing today.’

You have to understand the CEO’s standpoint.

Roberts: The CEO has to balance financial risk, third-party risk, marketing risk, and manufacturing risk—for the CEO, tech, in theory, is just the enabler. That’s been the mentality and the essence. Our job is to say ‘Hey, I can do that. Here’s what’s going on. Here are the risks.’ But we haven’t spoken their language. We haven’t gone in with a CFO to talk about risk or the Legal Chief to talk about compliance. The CEO is thinking, ‘I’m paying you so much money. Go figure this out.’

And it’s a lot to ‘figure out.’

Roberts: Some of our data is in the cloud. And some of it isn’t. I don’t know a single company that knows where all of its assets are. There’s not one CIO of a decent sized or half decent-sized organization that can put his hand on his heart and say he knows where all of the assets are. For example, this is my personal phone, but hang on, I use company email on it. And my fridge is hooked up to the system. Where’s the line?

What is one way to try to communicate the importance of risk management?

Roberts: I use a car analogy. Let’s say you and I want to meet for a drink one day. One of us is going to have to drive to the other one. There is some risk there. I can mitigate that risk by getting in a car that has ABS or by getting in a car that’s got good tires, has a tire pressure monitoring system, and airbags. It’s the same thing in our industry. We put risk controls in place.

It’s the same thing with digital security. We have to work together. We have to share data and we have to do business together. But that doesn’t mean I go into it headlong and hope for the best. We encrypt data, we make sure our antivirus is in good shape, we run heuristics, etc. We help each other by lowering risk. Cyber risk is never going to go away, which is why we have other things that keep an eye on stuff for us, but at least we can bring that risk level down.