
No Software Patch to fix Communication Bugs and Flaws between CIOs and Boards

Scott T. Mathis, CISO, RBC Bank US

The trouble with CIOs isn’t that too many get a respected seat at the board table. The trouble, rather, is that too few understand that boards are populated by directors with backgrounds in finance and operations rather than technology or other areas of the company’s core business. The inescapable fact is that this is increasingly frustrating for most CIOs with strong technology backgrounds. To add to this frustration, there is no software patch to fix communication bugs and flaws in humans when it comes to simple, clear and understandable dialogue between the CIO and the board.

Happily, there is a ready-made and audit-tested solution. It is called a Financial Report (Form 10-K, more about this later) filed with the Securities and Exchange Commission (SEC). CIOs will be surprised how effectively this report can help close the communications gap, which sometimes seems as big as the Grand Canyon, between the executive team and the board.

Moreover, by solving this communication gap, CIOs will inadvertently solve the number one and number two Root Cause Analysis (RCA) problems plaguing their careers: 1. Seats at the table with board members and other executive management, and 2. Insufficient budgets to fix the RCA threats and vulnerabilities that prevent your technology systems from delivering zero or low revenue loss to financially critical revenue streams and zero or low downtime for operationally critical business processes.

Understanding, leveraging and incorporating the supplementary data of the Form 10-K (the standard tool of the board) into your reports and communications will be a huge favorable improvement to fix the bugs, flaws and divides in dialogue between CIOs and the board. And for the love of Cloud Services, stop using ‘Shyriiwook’, the Galactic Basic Wookiee technical language understood and used only by the likes of your IT team, Han Solo and Chewbacca (Star Wars), when you communicate with them. What to do? Start using standard, simple and clear human financial language that emphasizes threat event probability together with financial and operational impact on material business initiatives and revenue streams. What not to do? Continue amplifying all that technical mumbo jumbo, which is the hair of the dog that bit you.


This favorable improvement in dialogue does not require Luke Skywalker ‘Jedi Mind Tricks’ leveraging bleeding-edge Big Data, Machine Learning, AI, IoT, Botnets, yada-yada-yada for a board to obtain understanding. It requires only the time-tested, good old-fashioned financial report filed with the SEC. As mentioned above, these financial reports are called Form 10-Ks (filed annually), Form 10-Qs (filed quarterly) and many other types of forms. Just FYI to techies, this is not the glossy Annual Report provided to shareholders. The Form 10-K Financial Report almost always has more detail and is filed at https://www.sec.gov/edgar/searchedgar/companysearch.html.

The most important report for you, by far, is the annual Form 10-K. The Form 10-K provides just about everything you'd want or need to know about a company's financial statements, core operations and business models, core business processes and mission-critical revenue streams. To give some measure of reliability to the information, the financial statements are audited by an approved accounting firm.

The Form 10-K is indexed so that it's easy to consistently find the same information about multiple companies in the same basic place in any 10-K.

Let’s take a closer look at the Form 10-K sections important to you, identify what can be gleaned from them and determine how they can be used for core Information Security Risk reporting to the board. The most important areas of focus for mapping Business Initiatives and Processes to Cybersecurity Risks and Data-Driven Cyber Threats and Vulnerabilities are in Part II: Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations, and Item 8. Financial Statements and Supplementary Data.

Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations: check here to see the company’s perspective on business results of the past financial year. This section, known as the MD&A for short, allows company management to tell its story in its own words. The MD&A presents:

The company’s operations and financial results, including information about the company’s liquidity and capital resources and any known trends or uncertainties that could materially affect the company’s results. This section may also discuss management’s views of key strategic business risks and what it is doing to address them. Companies will discuss how they manage current revenue streams, generate new revenue streams, the margins of core revenue streams, the performance of business segments in national and international markets, and trends in business models or initiatives. Focus on the tables and supporting information that represent company revenues by segment and revenue source. Now you can risk-rank and map your top ten local threats (see Table 1.0) to strategic product or service revenue streams. This will amplify one of your needed keys to success, the ability to think strategically. Your demonstrated ability to understand the mechanisms of threat intelligence and map them to the strategic and core revenues that drive the business forward will be a huge step toward being viewed as a business partner rather than a “corporate techno-phobe”.

Item 8. Financial Statements and Supplementary Data (a strong area of focus for mapping the Business Processes that support the company to Cybersecurity Risks and Data-Driven Cyber Threats and Vulnerabilities): check here to see information about the company’s income statement (sometimes called the statement of earnings or the statement of operations), balance sheets, statement of cash flows and statement of stockholders’ equity. In addition, this section includes supplementary information about all business processes that support the company. The following table summarizes examples of the business processes most commonly listed in Form 10-Ks.

As identified above, focus on the analysis in Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations and Item 8. Financial Statements and Supplementary Data to communicate to the board strong cybersecurity risk models and defense initiatives that stabilize critical revenue streams with low or zero revenue loss, and an available technology infrastructure that reduces risk and prevents data breaches. It is not necessary to focus the board on how many technical features the security team is architecting. Executive management will feel more comfortable when your team defines good cybersecurity health checks and defense metrics that can be executed with a strong effort. The board will not feel comfortable when your team defines security health checks and metrics that are not aligned with strategic initiatives and can’t be executed in real time.

Utilize these two sections to decompose security problems rather than combining all problems into one. Keep it simple and clear, and relate individual cyber issues and threats to the three statements the board knows best: the Balance Sheet, the Income Statement and the Cash Flow Statement. The board thinks in terms of delivering superior value to the marketplace and has a fiduciary responsibility to represent shareholders. You have a chance to really stretch your thinking and help improve the business. You will build relationships with the board and executive management business leaders. You can move Information Technology and Risk toward more value-added processes. And it builds your ability to influence people and work with cross-functional teams.

How can you be so sure that examining and leveraging this important financial tool will help you establish better cybersecurity communication and dialogue with the board and executive management? And how can you know that, over time, it will be easier to figure out which threatened revenue streams, business processes and core strategies to focus on immediately to capture their attention? Once executive management acknowledges that you have demonstrated a solid understanding of the company's business, core strategies, cyber risk appetite and risk tolerance, the board will have no choice but to partner with you to help them fulfill their broad responsibilities for effective Information Technology Risk governance.

This article is one of a 10-part series discussing how CIOs can collaborate better, and more strategically, with Executive Management and Boards.
