Common sense talk about risk heat maps and more

My congratulations go to James Lam, a long-time risk practitioner at E*Trade, and Chris Inglis, board member at FedEx, for their comments in a recent article. The piece says:

• The current iteration of risk evaluation heat maps are akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.
• “I’ve seen heat maps since the ’90s … and I still don’t know what to make of them. Looking at a heat map, the board is left to question the placement of risk. “Heat maps are one of the worst things that happened to risk assessment,” said Lam. “If I look at something in yellow, should I want it in the green? … or do I want to get closer to orange or red if I can get a return on the risk?”
• Traditional color-coded risk assessments fail to quantify risk in a manner boards are prepared to understand.
• If someone asks for $5 million for multifactor authentication, the board won’t know how to respond.
• It’s a “breath-taking moment” when someone from IT can say they read the business plan during a board pitch.

Inglis says he wants his risk assessment team and cyber defense to be…