Cyber reporting travels further

Security and risk functions produce the picture of cyber risk that boards, auditors and regulators rely on, and that picture travels further than it used to. It feeds committee packs, resilience attestations and, increasingly, declarations made in the annual report delivered to shareholders.

The boards receiving it are under growing scrutiny, and it has turned personal. They now declare the effectiveness of their material controls in their own name, named senior managers are expected to evidence the reasonable steps they took, and boards themselves are more fluent in cyber and asking sharper questions. This pressure does not stay in the boardroom and inevitably arrives at the function that produced the report.

Most boards have never converted their cyber risk appetite into tolerances that reporting can be measured against. Without them, the cyber risk function is left to infer what the board needs to see, and a picture built on inference is hard to defend, however carefully it was made.

Built to be challenged

Ordonis works through the reporting you produce and the evidence that supports it to identify the places it would not survive a harder look, and helps you build it to a standard that withstands scrutiny before it enters the boardroom.

A defined standard protects the people who produce the reporting more than anyone. When the board has stated what it will accept and reporting is measured against it, an exception stops being a difficult conversation and becomes the system working as designed with the decision sitting where it belongs. An engagement leaves the function with a defined reporting standard and a tolerance architecture the board can own.

For any one firm, Ordonis acts for one constituency only, the board, the management that produces its reporting, or its assurance provider, and never more than one.

Ordonis is the advisory practice of Anthony Hines. If you produce the cyber picture your firm stands behind, start a conversation.