Dashboards Don’t Manage Risk – Difficult, Data-Driven Conversations Do
Let’s get this out of the way up front: I don’t hate dashboards. I understand that practitioners need some sort of asset to help us translate what we’re seeing on the ground to something that can be consumed by the board or the C-suite.
I also greatly appreciate the power of data visualization – there may not be a better way to help discover additional insights and track progress, but progress doesn’t happen through, or even because of, the dashboard. Indeed, dashboards only reflect progress earned through hard work and difficult conversations.
It’s time we recognize and acknowledge where the hard work of cyber risk management really takes place: in the grey areas, in challenging conversations and in those times when assumptions differ from reality.
A common narrative which echoes throughout the halls of conferences or on webinars goes something like this: “We just need additional visibility!” or “If only we had a single pane of glass…” or “All of our data is so siloed, we just need to get it all in one place.”
While these may all be worthy goals and necessary parts of the risk management lifecycle, achieving these things alone will not improve your risk posture. They can also end up being very distracting – making your team feel like they’re working towards something, when really these projects end up more effectively making you look busy without moving the needle on managing any risks.