I want to tell you about a new industry group called the Alliance for Cyber Risk Governance that was formed recently by TechDemocracy and several other cyber security companies. The group's purpose is to help standardize cyber risk measurement, reporting, and governance, as well as to promote better communication with boards and senior executives. I believe this is a wonderful goal, and I'd like to outline what the group is about, and why you might like to join.
First, you will agree that CISOs do have a problem in this area - and it stems from deficiencies on both ends of the communication channel. Certainly, on the receiving end, board members could do a much better job self-educating on cyber security and risk. This could include more diligent acceptance of their responsibility to maintain an understanding of technology, not unlike the situation with finance, human resources, marketing, operations, and the like.
You will also agree, however, that CISOs must expertly communicate with executives and boards in a way that doesn't insult their intelligence, but that ensures clear coverage of the cyber risk-related information needed for proper governance. This task is easier said than done, because most enterprise security teams have barely solved this problem for themselves, much less for executives and directors with little exposure to cyber-related issues.
Ken Pfeil, chief architect at TechDemocracy, and one of the founders of the alliance, is passionate about helping members work together to promote better communication on cyber issues: "The Alliance for Cyber Risk Governance is designed to address deficiencies in the sharing of cyber risk-related information with senior executives," he said. "Managers of information security programs struggle describing relevant cyber risk issues to boards."
The approach being championed by the Alliance involves establishment of a standardized framework for measuring and reporting risk in a manner that can be understood by both working-level risk managers and senior-level governance officials. The resulting framework targets four specific cyber objectives: Information sharing, security protection, organizational governance, and infrastructure resilience. Methodologies are included for each objective.
"By focusing on these four key areas of organizational risk management and reporting," Pfeil explains, "we in the Alliance can serve all aspects of cyber risk relevant to an organization." This objective is being accomplished with membership from a large group of successful companies including BeyondTrust, Fidelis Cybersecurity, LogRhythm, Rackspace, Rapid7, RiskIQ, SAFE-BioPharma, and TechDemocracy."
Gautam Dev, global managing principal of Tech Democracy points out the synergy between the Alliance and commercial offerings from all its members. "As with all companies in the Alliance, TechDemocracy is committed to the mission of improved communication, and we've worked hard to tackle these standardization challenges head-on as a business. In fact, the framework proposed in the Alliance has had a direct impact on our Intellicta platform."
To join the Alliance for Cyber Risk Governance, just visit their website at https://acrg.info/. On the site, you can download the group's charter, and click on the link to join. Presently, the Alliance is commencing its second phase, setting up four working groups tasked with drafting recommendations for the framework. I hope you decide to join - and to improve the interaction between your cyber risk team and your executive governance community.