Is Your Organisation Making False Assumptions About Crisis Decision-Making?
In this interview, David Owen - Partner - Cyber Risk Advisory at Deloitte Australia, discusses how the CISO role needs to be able to communicate effectively and talk to both the legacy of a business and the aspiration or plan to do new things, typically in a digital space. Many organisations have not planned how to make effective decisions in a crisis, and many of the assumptions made by executives are false.
For better strategy and execution, it is important to understand the organisation's risk profile. Data technology can be improved as a result.
Organisations need to simplify because of the complexity of their technology systems, the duplication of capability, and the thousands of suppliers they rely on. In many organisations, these details illustrate a lack of decision-making: either they accept the risk, or they allocate money to address it.
Because the budget is fixed, the risk appetite is effectively determined by the available budget, rather than the budget being determined by the risk appetite.
A CISO is responsible for helping executives navigate the risks they face in the digital space, while providing constructive advice on how to minimise them.
Additionally, they should act as advisors rather than simply supplying facts and records, and they should validate the effectiveness of cyber controls.
Key Takeaways:
- It is very complicated and expensive to mitigate risk within current organisational structures. To mitigate these risks, many organisations will need to simplify. It will become increasingly important to consider the diversity of organisations and the number of things that can be accomplished at one time.
- To help others understand the risk and to provide constructive advice on how to mitigate it, the CISO needs to be able to communicate effectively with the executive and the Board. The decision to tolerate risk ultimately rests with the executive.
- False assumptions are the biggest concern in cyber security. An asset is assumed to be covered by a control or detection capability. We assume our disaster recovery or backup restoration will work effectively. Most incidents expose the uncomfortable truth about these false assumptions.