
Cyber needs to speak language of the C-suite

Communicating with the C-suite depends in part on creating a language they understand and identifying the company assets that are most important, Chris Henry, principal consultant and virtual innovation officer at Dare Innovative, told an audience at SC Congress Toronto 2016 on Wednesday.

“List assets out and [determine] which ones if they went away that would be a bad day” when deciding what to protect, Henry said. “And, ask how long can they go away for.”

That's the strategy at Toronto Hydro-Electric System, which Robert Wong, chief information and risk officer, said has a “well-defined risk appetite statement” that clarifies just how much the company is willing to lose. “We have a threshold of how much we're willing to accept.”

Because the “C-suite is all about accountability,” Wong said his team “appeals to each of our executives who have ownership and accountability.”

The board, he said, requires “a different conversation” since it provides fiduciary oversight but no operational input. “They are noses in, fingers out,” he said.

Boards often don't have the expertise to address technology questions, said David Foote, chief analyst at Foote Partners. They're typically populated by “very powerful, respected” members, “people who have trouble asking stupid questions.”

But with a couple of technical people on deck, the board can obtain the insight it needs to answer a set of very important questions that Foote said include how technology will change the face of competition in a company's industry, what it would take “to exceed customer expectations in a digitally connected world” and who's accountable as well as how they're being held accountable.
