If you look at any survey of the top risks facing organizations, you will find technology-related risks (such as cyber and disruptive technologies) among those cited as being of greatest concern.
But executives and board members say they are not getting the information they need to understand how to address those risks. They don't know how much to invest in cyber, for example, when funds are scarce.
Is the cyber risk so great that they should divert funds from acquisitions or product development? Even chief information security officers are reporting a disconnect with the leaders of the organization. Apparently they know that the board and top management don't understand what is being reported, and they are not satisfied they are getting the support they need.
But if the board and top management don't understand how and why technology risk might affect the achievement of their goals as leaders of the organization, it's not surprising they are not providing the funds the technical staff says they need. At the same time, do the technical teams understand how the risks they see might actually affect the organization and its success? Are they looking at the risks with a business or a technician's eye?
In his latest book, Norman Marks builds on the concepts in his earlier World-Class Risk Management and suggests an approach that moves the discussion of technology-related risk into the language of the business. He analyzes the primary sources of guidance (from NIST and ISO) and points out the limitations: they may be good for technicians, but do they help us understand the risk to enterprise objectives that may arise from failures related to technology?
Norman discusses ways to consider how the possibility of technology failures (and opportunities) should affect decision-making, both strategic and tactical.
In the process, he tackles topics such as:
Risk is not a point, but a range
How to aggregate multiple risks
Integrating risk and performance reporting
What is acceptable when it comes to technology-related risk
How to enable leaders of the organization to make intelligent and informed decisions that consider technology-related risks
and more