“Breaking down complex data to simple risk statements.”
“Lack of integration between systems.”
“Lack of everyone having a wide perspective.”
“Understanding the language.”
“Line of sight to business context.”
Those are some of the answers we received from IT risk professionals in the Canadian banking sector at a conference last week when we asked the question: “What are your biggest obstacles to understanding risk?”
The responses resonate with many industry surveys, analyst research and discussions that we’ve been having with customers over the past few months. Boards and senior executives are more engaged than ever in IT and technology risk, but they aren’t confident in the information they’re receiving.
The event last week in Toronto included a panel discussion with CISOs from six Canadian banks. They were asked how conversations with senior leaders have changed in the past 12 to 18 months.
Some of their comments:
- Leadership is very focused on technology, but they struggle to put IT risk in a business context. “We need to attribute and aggregate risk data to give a common discussion around risk. We need to give a tangible sense of the revenue and the cost to the business if it’s impacted, rather than just telling executives the number of high-risk areas.”
- One CISO recounted his experience recently at an event with a group of CFOs and CISOs. The CFOs said ‘we have no idea what you people are talking about’.
- There’s a fundamental shift happening: boards are educating themselves and they want to understand cybersecurity. “They have a sense of personal accountability,” said one of the panelists.
- Panelists called for transparency and clarity. “Speak at an executive level. Describe the program in ways that are common English; you can’t just come as technicians.”
- “We are peers at the business table. Threats have galvanized our role and importance.”
- “Organizations are too siloed; we need to break down the silos.” There is a need to meet more often and share information (both within and between organizations). “We’re all fighting the same bad guy.”
What about your organization? How confident are your executives and board in the IT/technology/cyber risk information they receive? What are the obstacles you encounter to understanding risk? Share your comments below or email us at firstname.lastname@example.org.