The Risk Reporting Dilemma: Balancing Transparency & Accountability

May 2023

by cybergrx

No one likes to be the bearer of bad news, but even though it’s a tough job, someone has to report risk to stakeholders. Reporting risk paves the way for good—perhaps the best—news: You now have the necessary information to avoid costly breaches. Still, the risk reporting dynamic is a challenge for many security teams.

Lee Painter, CISSP, Global Head of Information Security Governance, Zurich Insurance Co, Ltd., and Peter Finter, CMO at CyberGRX, dug into the delicate issue of how best to discuss risk with stakeholders. The conversation surfaced some valuable tactics and important considerations around the how, when, and why of risk reporting.

Inform and Educate—Carefully

There are two words that should be in every risk professional’s vocabulary: “educate” and “inform.” 

Instead of merely outlining risks, it’s essential to put stakeholders in a position to take action based on your reports. This involves understanding the risks that hold the most weight for them individually instead of the organization in general.

Lee Painter explains that you must present the most “valued portion of the information” from the stakeholder’s perspective. For example, a board of directors might request a 15-page report but is most concerned with the executive summary; the other pages demonstrate the thoroughness of your risk review. In contrast, when you share that same report with the engineering team, they want only the details, because they are interested in what they need to change in their processes and what that change entails. “It comes down to understanding your audience and what is the best way to influence them,” says Painter. In this way, you highlight “what is the value” to the stakeholder instead of focusing on “what is the cause.” By taking this approach, you’re explaining risk to them “at their level” because your information directly relates to their day-to-day jobs.

Understanding the Difference Between Managing and Elevating Risk

Security teams can make risk reporting easier with a slight mindset shift in the objective. When reporting on risk, the role of security personnel is less about managing risk and more about elevating it in the consciousness of stakeholders.

As Lee Painter said, “People think it’s their job to manage risk. We don’t manage risk in the IT discipline. We elevate risk. We show risk. We identify risk. We educate the business stakeholders so they can make smart risk-based decisions. Almost every organization is driven by dollars,” Painter said, “and if you help stakeholders understand how to quantify risk and what the impact is, then you’ve done your job.”

At the end of the day, if stakeholders understand the consequences of that risk and decide to accept it, you now know what you need to put into place to insulate and protect the organization from that risk.

Clearly Defining Accountability

Accountability is a particularly sticky point in the risk elevation dynamic. As Peter Finter explains, it’s about “protecting yourself with respect to the third party but also understanding how much responsibility should be owned internally.”

Painter added that assigning accountability begins with performing forensics after an attack. Then, once you have an accurate account of what happened, it’s relatively easy to figure out who’s accountable. Isolating the cause is better than pointing fingers at an entire department, such as IT, security, or the dev team.

Painter illustrated his point with this example:

“We had an organization that was taking paper documents from us, scanning them, and returning them. We had a short contract with them, and at the conclusion of our agreement, they assured us they had deleted our information. In fact, we have in writing that they had deleted our data as per the contract. But, they had a breach two weeks ago, and they notified us that our data was stolen– our data that they said was deleted.”

In such a case, accountability falls firmly on the vendor who gave the assurance that the data had been deleted; the incident resulted from a false statement rather than from something that was missed in the vendor evaluation process. However, regardless of where the accountability falls, it never hurts to ask after an incident: What will they do differently next time? What do I need to do differently? Should I look for a different vendor? Conducting a post-incident review of how to improve helps protect your organization from the next incident.

Establishing Internal Accountability

Figuring out who’s accountable internally is important and time-sensitive, especially when informing the public about what happened. Painter follows the old truism: “You always get in more trouble for the cover-up than the crime.” Given this, it’s in the company’s best interests to establish internal accountability early in the post-attack lifecycle, then be transparent regarding what precipitated the attack.

But it’s not enough to figure out who messed up. If an organization has experienced a breach or an incident resulting from an employee’s gross negligence, it needs to stop and measure what happened. One of the most straightforward ways to do this is to follow the training trail.

This means asking, “OK, so-and-so made a mistake, but who was responsible for training them?” Once this person or department has been identified, you’ve taken the first step towards creating a systemic breach prevention process.

“Let’s say someone left an S3 bucket open,” Painter explained. An S3 bucket is a storage container in Amazon’s public cloud storage service (Amazon S3), similar to a file folder on a computer; “open” here means it was left accessible to anyone on the internet. “So somebody left that S3 bucket up. Who trained that person? Maybe no one trained them, so they didn’t know they weren’t supposed to do that. We have to identify where the hole in the process happened and then address that hole.”

If, in this example, the CISO was supposed to train the individual regarding what to do and not do, then the CISO dropped the ball, and the responsibility would fall on their shoulders.

Creating an Effective Governance System by Collaborating with Stakeholders

So who owns risk and the responsibility for that risk? 

Per Painter, it starts with clear policies and procedures, plus good governance and follow-up. What does “good governance” mean? Governance is not about creating a new process that inspects another process; governance is about fixing your established procedures. In other words, identify where the problem lies and resolve it, rather than creating a new process to cover up the real issue. “Too many people go after the symptom and not the problem,” said Painter. “Take, for example, cloud container management. Vulnerabilities emerge often and consistently, but you can’t patch Kubernetes containers. Instead, you have a process: you update them every 10 days, and if you see someone with a 12-day-old version, you fix the process, not go after the vulnerability.” Focus on what the problem is; the same principle applies to vendor risk management.

Your governance system should also involve embedding the security team across the business. The famous Kennedy question is a perfect example. When Kennedy visited the space center before America’s first moon landing, he asked a janitor, “What is your job here?” and the man replied, “I’m putting a man on the moon.”

Everyone in an organization should have the same mission: protecting your organization from a breach. When security is ingrained in the rest of the company’s ecosystem, risk reporting is easier, and you can also begin to identify areas where you can have more influence.

Reporting Risk Metrics

What metrics do you report on to help stakeholders understand the impact of risk? 

Painter agreed with several of the responses in our audience poll, specifically portfolio size, number of critical third parties, number of assessed third parties, and usual activity or your “watch” list. In our live webcast poll, (surprisingly) almost 20% of the audience revealed that they do not report on any specific risk metrics.

Painter also discusses with stakeholders which vendors are meeting the company’s requirements and which fall below them. He’ll point out the deficiencies, then set thresholds for what should be “cleaned up,” and create a feedback mechanism through which stakeholders can communicate when a control gap doesn’t apply to a specific business unit. This approach also helps actively manage third-party risk, which is necessary to comply with several regulatory requirements.

The Value of Transparency

As you collaborate with stakeholders, it’s important to be open and transparent, both as a communicator and listener. “Be transparent with what you’re trying to accomplish, with the ‘why’ and ‘how.’ Listen to your stakeholder. Listen to their challenges because even if you end up not agreeing, as long as they feel heard (and they’ve heard your message) often, you can overcome other challenges,” Painter said. “It’s all about being approachable and being a good teammate.” 

Lee Painter and Zurich Insurance use CyberGRX to help identify, analyze, and monitor their third-party risk. We invite you to book a demo with our team to learn how you can do the same.
