[BreachExchange] Does Your Board Really Understand Your Cyber Risks?

Destry Winant destry at riskbasedsecurity.com
Tue Sep 1 10:10:13 EDT 2020


https://hbr.org/2020/09/does-your-board-really-understand-your-cyber-risks

Over the past decade, business leaders have had to face an
uncomfortable truth: It’s become impossible to sit at the head of a
company and not address the threat of cyber risk. Cyber attacks are
increasingly pervasive and can present near-existential threats to
companies, and boards of directors and CEOs need ways to evaluate
them, even if they can’t grasp the technical details. This has led to
an explosion in the demand for cyber-risk measurements, both inside
companies and among external stakeholders.

While the methods for measuring cyber risk have evolved in recent
years, thanks in part to the efforts of credit-rating agencies,
investors, and insurance companies, nothing can replace informed
decision-making at the executive level. As cybersecurity experts, we
believe that the time has come not just to develop scores based on
third-party evaluations but to produce holistic assessments that consider
technical analysis, governance, culture, and the financial impact of
adverse cyber events. Such assessments should become a necessary and
powerful tool for corporate directors who — if properly trained in
interpreting them — could use them to understand their organization’s
exposure to technological vulnerabilities.

Becoming literate in cyber risk doesn’t mean that all executives need
to become technical experts. What it does mean is that they need to be
able to establish their company’s tolerance for cyber risk, define the
outcomes that are most important in guiding cybersecurity investment,
and be able to foster a culture of cybersecurity and resilience.

What cyber risk assessments do (and don’t) tell you

At its most basic level, a third-party cyber risk assessment shows how
well a company has implemented defenses designed to protect it from a
cyber attack, whether it is a disruption of its products and services,
a breach of its confidential data, or fraud driven by a cyberattack.
These assessments also measure how well a company has prepared itself
to defend against and recover from such attacks — its cyber
resilience. This is a critical component of its broader enterprise
risk-management strategy. The risks of weak cyber resilience are
abundantly clear: Directors see a near-constant stream of news of
network access for sale, factory production being disrupted with a
resulting loss of revenue, fraudulent bank wires, and breaches of
customer privacy, all of which create lasting reputational damage for
the victim company.

During the past decade, the job of understanding and quantifying cyber
risk has mainly fallen to Chief Information Security Officers (CISOs)
and their teams, who primarily addressed the technical side of the
problem. In making their assessments, they have tended to focus on the
number of previous attacks, their impact, and how quickly they were
addressed. Their goal, in short, has been to take stock of established
defenses. The problem with this approach is that it’s largely
backward-looking. Assessments sometimes involve looking at
Internet-exposed company systems as an attacker might, and trying to
determine how vulnerable those systems are to attack. The problem with
this approach is that it often doesn’t consider the layered defenses
that organizations might have in place, including the efforts to
intentionally deceive hackers attempting to study the organization’s
weaknesses, and so may reflect a narrower view of risk.

The most significant limitation of both of these approaches, however,
is that they isolate cybersecurity decisions from the business they
are meant to serve. While technical assessments may be sufficient for
a CISO’s needs, they do not offer what the board really needs: a
risk-oriented, holistic, and validated view of the company that
considers the financial and business impacts of cybersecurity (or
cyber insecurity) in a given company. Moreover, technical reports
don’t adequately capture attributes such as governance, culture,
decision-making practices, or wider treatment of a company’s cyber
risk profile and appetite, all of which board directors and business
executives need to understand if they expect to make informed
decisions about whether to allocate capital to improve cyber defenses
instead of investing in other areas of the business.

How to get the audit you need

For an assessment to be useful to directors in a strategic capacity,
the board needs to be clear about its requirements — which means it
needs to know what to ask for. Rather than accepting a score at face
value, or even a qualitative assessment from the company’s technical
managers or auditors, directors should ask for a comprehensive
assessment: one that moves beyond the technical details and that
includes both an outside and inside perspective. At the same time,
cybersecurity managers should work with their senior leadership and
boards to provide context and use an assessment as a tool for sharing
the knowledge the board needs to provide effective oversight. When
presented in this way – assembled and shared by a trusted advisor –
cyber risk information can be held up against other business risks and
similarly weighed against particular strategic opportunities. This
won’t create perfect outcomes, but it will vastly improve companies’
understanding of their cyber risk and provide a clear path for
evolving oversight as the approaches develop.

What does this look like in practice? In order to make appropriate
decisions, directors need to understand what “good” means for their
overall cyber risk profile, and what a holistic assessment really
entails (inside, outside, benchmarked, loss analysis). Additionally,
they need to set expectations for an outcome that is commensurate with
the company’s goals. Determining what “good” means will vary from
company to company. Happily, this means that there’s quite a bit that
directors can do in order to ensure that the building blocks are in
place so their company can achieve the right outcomes when cyber
rating and assessment methodologies mature.

Define your risk appetite: The first thing directors should recognize
is that the board must determine the company’s risk appetite with
regard to cyber-loss events just as it does with any other risk. After
developing an understanding of the subject and of what types of risks
its company faces, the board will recognize that “perfect”
cybersecurity is not attainable. Rather, it will come to appreciate
that evaluating cyber risk — and reflecting on any cyber assessment —
requires the careful consideration of at least these two main
questions: 1) What do our customers expect of us? and 2) How do peer
companies approach these risks?

Focus on outcomes: Rather than jumping right to a ratings comparison,
leaders need to focus on the outcomes they’re trying to achieve. The
right outcome is a combination of an organization’s risk appetite,
prior and future investment in cybersecurity, and expectation of its
customers, shareholders, and even regulators. No one would expect
a brick-and-mortar retailer to have the same cybersecurity program and
defenses as a top bank or a manufacturer of military equipment.
(Consider the situation of a law firm, which needs to worry a lot
about a breach of private client data, compared with that of an
electric utility, which needs to worry a lot about an interruption in
services.) Likewise, boards and business leaders need to calibrate
their expectations by determining their appetite for risk and making
investments in cybersecurity that are commensurate with their industry
profiles. Once this is decided, the board should set internal
standards and targets and hold management accountable for meeting
them.

Establish a culture of cybersecurity and resilience: Governance and
culture have a critical part to play in any evaluation of cyber risk.
Boards should assert their role in ensuring that these aspects of the
company’s cybersecurity program are paramount. While there are
currently varying approaches to measuring cyber risk, the right
outcome always starts with the right culture. Even as the measurements
shift, culture is a driver of all aspects of cyber resilience that can
be measured — improvement in technical processes that drive
improvement in outside scores, management engagement in cyber relative
to business initiatives, engagement of the board in ensuring
accountability in objectives. Culture is also important because its
indicators fluctuate less over time than technology measures, which
tend to shift as trends in computing change. For example, measuring
cybersecurity in a data center is dramatically different from
measuring cybersecurity in the cloud, but the cultural aspects of
whether these environments are effectively managed are similar.

As the market for cybersecurity assessments further evolves into
holistic cybersecurity ratings, directors and business leaders need
to pay careful attention to ensuring that underlying measurements
provide a true comparative benchmark, adequately consider a balance
between inside and outside measures, and fully examine the technical,
governance, and cultural aspects of an organization. In order to
achieve this, transparency in the methodologies used for assessing the
risk is vital. But it is also crucial that organizations properly set
and manage a cyber-risk appetite, understand the range of financial
impacts that applicable cyber events may have on a company, and
recognize the role that good, well-informed governance plays in mitigating them.
