Managing Cyber Risk: It Takes A Village.
If cyber impacts all these risk categories, why is it so often shoved off onto IT teams to deal with in a siloed fashion?
It boils down to a few key reasons that can manifest in several ways:
- The technical nature of cybersecurity is daunting to non-technical executives, who feel unqualified to weigh in on or contest proposed measures to address cyber risk.
- The lack of success criteria and KPIs – particularly expressed in financial terms, or some other common business vernacular – makes it challenging to facilitate a productive discussion around the effectiveness of current cyber measures and the predicted efficacy of future measures.
- There has been a widespread and disproportionate focus on detection, containment, and resolution of cyber-attacks, rather than on what the organization as a whole can do to deter and prevent cyber incidents.
For many executive teams, cyber sounds like a nebulous technical problem that requires purely technical solutions. Yet they understand that cyber can profoundly impact the entire livelihood and financial welfare of the company. They want to better comprehend the threats and their options for minimizing the financial and career consequences that may befall them if a cyber-attack were to occur.
In fact, the CFO may find herself in a uniquely precarious position. She cuts the checks for cybersecurity tools and technologies, while she also stands to bear the brunt of the blame (a generous portion also falling to the CISO) if the company, following a cyber-attack, is accused of not having done enough diligence in safeguarding its assets.
We could elaborate on the doom-and-gloom scenarios for the C-suite, but by now these are well understood. The more pressing matter is: what can organizations do to protect their assets from cyber criminals?
Form a united front.
Cyber risk management is an ongoing discipline that protects all of your organization’s assets, which are of strategic importance to every member of the leadership team. Since every executive has a stake in the cyber welfare of the organization, cyber risk management demands the cooperation of all stakeholders.
Reframing the discussion in terms of cyber risk management, rather than cybersecurity, is critical. (See our blog post on the distinction between cyber risk management and cybersecurity here.) Fruitful cyber risk management depends on finally attributing a KPI to your organization’s cyber risk posture. This metric must use a sound, holistic method of quantifying your organization’s cyber risk, drawing on thorough internal and external data collection as inputs to a robust algorithm. This score must translate into financial terms – the estimated loss from a potential cyber event – so that management teams can meaningfully examine the cost-benefit of various cyber risk management decisions. (Learn more about Maxxsure’s M-Score and its translation into financial terms here.)
Once this metric has been generated, both technical and non-technical leadership have a shared understanding of cyber risk posture and can productively discuss cyber risks based upon their relative criticality.
With this shared understanding and capability of discussing the issues in a common language, management can reach agreement on which risks to remediate, accept, or transfer by purchasing cyber insurance.
Maintain the discipline of managing cyber risk.
This is not a one-and-done exercise, nor should it be an annual box-checking routine performed to comply with governance standards.
The cyber threat landscape is constantly evolving, and your organization must therefore continually adapt to changing conditions. A cyber risk metric like the M-Score can be monitored continuously so that leadership teams can reconvene and examine how their cyber risk posture has changed, not only in response to the cybersecurity measures they’ve implemented since their last checkpoint, but also to see how the new threat landscape may have shifted their standing.
As new information becomes available, leaders should be bold in making decisions to suit their circumstances, which may warrant introducing new cybersecurity measures, reprioritizing previously planned measures, or making new determinations about which risks to accept or transfer.
Of utmost importance is sustaining the practice of managing cyber risk, ensuring that the entire organization is engaged in the exercise and that no one falls into complacency about something so important.