
Enterprise Risk Management, Cybersecurity Oversight and Cyber Risk's Future, with James Lam

Author: FAIR Institute

Uploaded: 2018-12-10

Views: 4846

Description:

At the recent 2018 FAIR Conference, James Lam, the enterprise risk management and corporate governance authority and chairman of the risk committee for the E*TRADE board of directors, gave a master class on where cyber risk has been, where it’s going as part of ERM—and what board members want to hear right now from CISOs about cyber risk.

Watch this video of his FAIRCON Day Two Keynote speech to lift your perspective on the risk profession to a higher, board-level view.

Among the points James covers:

To understand the future of cybersecurity risk management, look to the past of other risk disciplines. Financial risk, market risk, credit risk and strategic risk managers all once held the belief that risk couldn’t be effectively measured, which is still a common view in cyber. James explains how they solved the problem and how cyber risk management will too.

Risk management is about optimizing a bell curve: a curve with downside risk on one side, upside risk on the other and expected performance in the middle. Typically, cybersecurity professionals think only of the downside when they should really be balancing all sides. James walks you through this concept with charts.

Cybersecurity risk must be managed as part of enterprise risk. That’s how the board wants to understand cyber risk and that has some important implications: Cyber needs to have a price on it so it can be compared to other risks the enterprise faces and be priced into products and services. And inforisk can’t be managed in a silo when it really affects and is affected by other types of risk.

“We need to shift our branding from just loss identification and minimization to how do we add value, how do we grow the business.” Most cybersecurity professionals start their thinking “from the threat environment and how they can enhance the security environment…Instead, think about what are the key decisions we need to make on security investments, cyber insurance, etc. then work backwards to ask how do we make better investments.”

Among many other topics, James also discusses:

  • The cybersecurity metrics that boards do want to hear (hint: not including NIST CSF maturity reports)
  • How enterprise risk management is moving from quarterly to continuous reporting mode (and cyber risk reporting should too)
  • How FAIR and risk quantification are critical to the forward path of infosecurity risk management

James ends with this thought about the future: “I’d like for us to go from cybersecurity to cyber risk to cyber value.” And he explains how Bruce Lee will show us the way (you'll have to watch the video for that one).
