Understanding Cyber Risk Metrics and Reporting

Cybermetrics
Author: ISACA
Date Published: 25 August 2021

Cyber risk is top of mind for organizations around the world, but effectively addressing that risk and reporting on it to enterprise leaders require a nuanced approach based on organizations’ risk appetite and strategic aims.

In the “Cyber Risk Metrics and Reporting Automation” session at the recent 2021 Governance, Risk and Control (GRC) conference – put on by The IIA and ISACA – session presenter Priya Mouli emphasized the importance of a strategic and intentional approach to reporting on cyber risk. The stakes are high, said Priya, noting that a recent emphasis on attacking critical infrastructure and supply chains makes addressing cyber risk increasingly important for enterprises today.

Priya said too many organizations still consider technology risk management to be a compliance function when the scope should be wider and designed to further the organization’s strategic objectives. That can be tricky, though, given all the variables and stakeholders involved.

“We generally want cyber risk thresholds to be in line with the organization’s risk appetite,” Priya said. “As practitioners, we know how challenging it is to translate a high-level qualitative risk appetite statement into quantitative thresholds at the domain area, and risk and metric levels.”

Key risk indicators (KRIs) with thresholds and corresponding trigger actions can enable companies to gain visibility into risks before they occur. Those are the types of metrics that best position enterprises to deal with the substantial cyber risks that come with digital transformation and implementing emerging technologies.

“When you say risk metrics, it’s not really the volume, but it’s the relevancy – how current the metrics are and how relevant they are to your organizational business context that matters,” Priya said. “Metrics work best when they’re aligned to a key risk and serve as an effective measure of that risk.”

Common challenges to putting solid KRIs in place include accounting for risks that are not easily seen, KRIs that are not viewed holistically, dealing with risks that emerge from newer functions and – in many cases – poor data quality. A smaller set of metrics is generally easier to maintain and monitor.

Simply having sound metrics in place, though, only goes part-way. Boards of directors and executive leaders need to be aware of critical cyber risks on an ongoing basis. Effective risk reporting is a key step toward enterprise-wide risk governance and is necessary for enterprise leaders to make informed decisions in line with business objectives, Priya said. Key considerations for risk reporting include being:

  • Comprehensive
  • Relevant
  • Timely
  • Advanced and aspirational
  • Action-oriented
  • A good mix of qualitative and quantitative data
  • Automated

To make risk reports more effective, Priya recommends establishing clear standards, creating customized dashboards tailored to the audience and providing qualitative insights.

She added that practitioners sometimes have the tendency to overengineer technology aspects of risk management and should instead focus on the basics, such as having a uniform understanding of risk appetite, risk and controls taxonomy and risk language across the organization.

“With respect to the different repositories and tools that you use for risks and controls, you want to make sure that they are all telling the same story, and for that you need to make sure you have a connected ecosystem,” Priya said.

About Priya Mouli: Priya has over 14 years of seasoned experience supporting global organizations with their IT Risk Strategy spanning the areas of Cyber Security, Privacy and Regulatory Compliance. She holds an MBA, is a CISSP, CDPSE and has been a Director with two of the Big 4 firms aligned to Technology Risk Consulting, where she helps build and operationalize Tech Risk programs and focuses on process improvement and automation opportunities. Priya has authored thought leadership publications featured globally and by multiple press agencies. She is deeply passionate about Information Security and Women Empowerment / Leadership and has spoken at multiple conferences, sharing industry insights, perspective and spreading awareness on these topics.

Editor’s note: For more cyber risk resources, learn about the CMMI Cybermaturity Platform.