Does Your Board Really Understand Your Cyber Risks?
Over the past decade, it has become impossible to run a company without addressing the threat of cyber risk. Cyberattacks are increasingly pervasive and can present near-existential threats to companies, and boards of directors and CEOs need ways to evaluate them, even if they can’t grasp the technical details. This has led to an explosion in the demand for cyber-risk measurements, both inside companies and among external stakeholders.
While the methods for measuring cyber risk have evolved, thanks in part to the efforts of credit-rating agencies, investors and insurance companies, nothing can replace informed decision-making at the executive level. As cybersecurity experts, we believe the time has come to develop not just scores based on third-party evaluations but holistic assessments that consider technical analysis, governance, culture and the financial impact of adverse cyber events. Such assessments should become a necessary and powerful tool for corporate directors who — if properly trained in interpreting them — could use them to understand their organization’s vulnerabilities.
A third-party cyber risk assessment shows how well a company has implemented defenses to protect it from a cyberattack. An assessment also measures how well a company has prepared itself to recover from such attacks — its cyber resilience. The risks of weak cyber resilience are clear: consistent news of network access for sale, factory production being disrupted, fraudulent bank wires and breaches of customer privacy, all of which create lasting reputational damage for the victim company.
During the past decade, the job of understanding and quantifying cyber risk has mainly fallen to chief information security officers, or CISOs, and their teams, who primarily addressed the technical side of the problem. They have tended to focus on the number of previous attacks, their impact and how quickly they were addressed. Their goal, in short, has been to take stock of established defenses.
The problem with this approach is that it’s largely backward-looking. Assessments sometimes involve looking at internet-exposed company systems as an attacker might, and trying to determine their vulnerability. But this approach often doesn’t consider the layered defenses that organizations might have in place, including efforts to intentionally deceive hackers attempting to study the organization’s weaknesses.
The most significant limitation of both of these approaches is that they isolate cybersecurity decisions from the business they are meant to serve. While technical assessments may be sufficient for a CISO’s needs, they don’t offer what the board really needs: a risk-oriented, holistic and validated view that considers the financial and business effects of cybersecurity (or cyber insecurity) in the company. Moreover, technical reports don’t adequately capture attributes such as governance, culture, decision-making practices or wider treatment of a company’s cyber risk profile and appetite.
For an assessment to be useful to directors in a strategic capacity, the board needs to be clear about its requirements — which means it needs to know what to ask for. Rather than accepting a score at face value, or even a qualitative assessment from the company’s technical managers or auditors, directors should ask for a comprehensive assessment: one that moves beyond the technical details and that includes both an outside and inside perspective. At the same time, cybersecurity managers should work with their senior leadership and boards to provide context and use an assessment as a tool for sharing the knowledge the board needs to provide effective oversight. When presented in this way — assembled and shared by a trusted adviser — cyber risk information can be held up against other business risks and similarly weighed against particular strategic opportunities. This will vastly improve companies’ understanding of their cyber risk and provide a clear path for evolving oversight as the approaches develop.
What does this look like in practice? To make appropriate decisions, directors need to understand what “good” means for their overall cyber risk profile, and what a holistic assessment really entails: an inside view, an outside view, benchmarking against peers and a loss analysis. Additionally, they need to set expectations for an outcome that’s commensurate with the company’s goals. Determining what “good” means will vary from company to company. This means there’s quite a bit directors can do to achieve the right outcomes when rating and assessment methodologies mature:
— DEFINE YOUR RISK APPETITE: The board must determine the company’s risk appetite with regard to cyber-loss events just as it does with any other risk. After developing an understanding of the types of risks its company faces, the board will recognize that “perfect” cybersecurity is not attainable. Rather, it will come to appreciate that evaluating cyber risk — and reflecting on any cyber assessment — requires the careful consideration of at least two questions: What do our customers expect of us? And how do peer companies approach these risks?
— FOCUS ON OUTCOMES: Rather than jumping to a ratings comparison, leaders need to focus on the outcomes they’re trying to achieve. The right outcome is a combination of an organization’s risk appetite, its prior and future investment in cybersecurity, and the expectations of its customers, shareholders and even regulators. No one would expect a brick-and-mortar retailer to have the same cybersecurity program and defenses as a top bank or a manufacturer of military equipment. Likewise, boards and business leaders need to calibrate their expectations by determining their appetite for risk and making investments in cybersecurity that are commensurate with their industry profiles. Once this is decided, the board should set internal standards and targets and hold management accountable for meeting them.
— ESTABLISH A CULTURE OF CYBERSECURITY AND RESILIENCE: Governance and culture play a critical part in any evaluation of cyber risk. Boards should assert their role in ensuring that these aspects of the company’s cybersecurity program are paramount. The right outcome starts with the right culture. Even as the measurements shift, culture is a driver of all aspects of cyber resilience that can be measured — improvement in technical processes that drive improvement in outside scores, management engagement in cyber relative to business initiatives, engagement of the board in ensuring accountability in objectives. Culture’s indicators also fluctuate less over time than technology measures, which tend to shift as trends in computing change.
As the market for cybersecurity assessments further evolves into holistic cybersecurity ratings, directors and business leaders need to ensure that underlying measurements provide a true comparative benchmark; adequately consider a balance between inside and outside measures; and fully examine the organization’s technical, governance and cultural aspects. To achieve this, transparency in risk-assessment methodologies is vital. But it’s also crucial that organizations properly set and manage a cyber-risk appetite and understand both the range of cyber events’ financial effects and the role that good, well-informed governance plays in mitigating them.
Daniel Dobrygowski is the head of governance and policy for the World Economic Forum Centre for Cybersecurity. Derek Vadala is the CEO of Cyber Assessments.