Insights blog.

One of the more challenging aspects of third party risk management is effectively communicating risk. Often the risks posed by vendors are highly technical, and it can be tempting to simply put together a slide or list to review with business owners, executives or board members. But this can often create an obstacle to buy in, as few people have the expertise to understand what these risks mean. 

Presenting results is the key to showing the value of your vendor risk management efforts. These 7 reports will effectively communicate your wins.

Learn what three key metrics can help you create a cybersecurity board report that tells a good story and resonates with your board.

What is a board cybersecurity committee? Learn why it’s more critical than ever and how your organization can establish one.

Investors are worried about cybersecurity—and for good reason. Yet despite growing concerns and the criticality of the issue, the dialogue between companies and investors need significant improvement. Here's why.

Over 70% of executives are bullish about their organization’s ransomware resilience. Here’s how security leaders can temper that overconfidence.

Cybersecurity incidents are on the rise, and the monetary setbacks for victims are considerable. The average cost of a data breach in the U.S. has soared to nearly $8.6 million, and these costs are expected to grow by 15% over the next five years.

Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in their C-suites. 

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change.

Data breaches are a constant in today’s headlines, but in recent years the risk has been front and center of some of the most significant M&A deals. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition. These incidents — and countless others — raise critical questions.  How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Officer, Chief Information Security Officers, Chief Risk Officers, and other executives.

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Security Officers, Chief Information Officers, Chief Risk Officers, and other executives. I recently sat down with James Lam, director at RiskLens and E*TRADE Financial Corp., to discuss Board members’ responsibility when it comes to information security and cyber risk.

Cybersecurity is a growing topic of discussion in Board meetings everywhere — given this fact, Board members need to be prepared to speak knowledgeably about their organization’s cybersecurity posture and programs. As businesses near the last quarter of the year and begin their planning processes, Boards must also be thinking about how to best prepare for 2019.  Here are some factors that Boards must take into consideration:

In today’s landscape, managing your internal security processes as well as creating a third-party vendor risk management program should be top of mind, but prioritizing a solid understanding of the metrics surrounding your cybersecurity programs almost just as important. These metrics should dive deeper than “yes” or “no” questionnaire answers, but should help you gain a more comprehensive understanding of where you and your third parties fall when it comes to proactively mitigating cyber risk.