Over the past decade, business leaders have had to face an uncomfortable truth: It’s become impossible to sit at the head of a company and not address the threat of cyber risk. Cyber attacks are increasingly pervasive and can present near existential threats to companies, and boards of directors and CEOs need ways to evaluate them, even if they can’t grasp the technical details. This has led to an explosion in the demand for cyber-risk measurements, both inside companies and among external stakeholders.
While the methods for measuring cyber risk have evolved in recent years, thanks in part to the efforts of credit-rating agencies, investors, and insurance companies, nothing can replace informed decision-making at the executive level. As cybersecurity experts, we believe that the time has come to not just to develop scores based on third-party evaluations but holistic assessments that consider technical analysis, governance, culture, and the financial impact of adverse cyber events. Such assessments should become a necessary and powerful tool for corporate directors who — if properly trained in interpreting them — could use them to understand their organization’s exposure to technological vulnerabilities.
Becoming literate in cyber risk doesn’t mean that all executives need to become technical experts. What it does mean is that they need to be able to establish their company’s tolerance for cyber risk, define the outcomes that are most important in guiding cybersecurity investment, and be able to foster a culture of cybersecurity and resilience.
What cyber risk assessments do (and don’t) tell you
At its most basic level, a third-party cyber risk assessment shows how well a company has implemented defenses designed to protect it from a cyber attack, whether it is a disruption of its products and services, a breach of its confidential data, or fraud driven by a cyberattack. These assessments also measure how well a company has prepared itself to defend against and recover from such attacks — its cyber resilience. This is a critical component of its broader enterprise risk-management strategy. The risks of weak cyber resilience are abundantly clear: Directors see a near-constant stream of news of network access for sale, factory production being disrupted with a resulting in loss of revenue, fraudulent bank wires, and breaches of customer privacy, all of which create lasting reputational damage for the victim company.
During the past decade, the job of understanding and quantifying cyber risk has mainly fallen to Chief Information Security Officers (CISOs) and their teams, who primarily addressed the technical side of the problem. In making their assessments, they have tended to focus on the number of previous attacks, their impact, and how quickly they were addressed. Their goal, in short, has been to take stock of established defenses. The problem with this approach is that it’s largely backward-looking. Assessments sometimes involve looking at Internet-exposed company systems as an attacker might, and trying to determine how vulnerable those systems are to attack. The problem with this approach is that it often doesn’t consider the layered defenses that organizations might have in place, including the efforts to intentionally deceive hackers attempting to study the organization’s weaknesses, and so may reflect a narrower view of risk.
The most significant limitation of both of these approaches, however, is that they isolate cybersecurity decisions from the business they are meant to serve. While technical assessments may be sufficient for a CISO’s needs, they do not offer what the board really needs: a risk-oriented, holistic, and validated view of the company that considers the financial and business impacts of cybersecurity (or cyber insecurity) in a given company. Moreover, technical reports don’t adequately capture attributes such as governance, culture, decision-making practices, or wider treatment of a company’s cyber risk profile and appetite, all of which board directors and business executives need to understand if they expect to make informed decisions about whether to allocate capital to improve cyber defenses instead of investing in other areas of the business.
How to get the audit you need
For an assessment to be useful to directors in a strategic capacity, the board needs to be clear about its requirements — which means it needs to know what to ask for. Rather than accepting a score at face value, or even a qualitative assessment from the company’s technical managers or auditors, directors should ask for a comprehensive assessment: one that moves beyond the technical details and that includes both an outside and inside perspective. At the same time, cybersecurity managers should work with their senior leadership and boards to provide context and use an assessment as a tool for sharing the knowledge the board needs to provide effective oversight. When presented in this way – assembled and shared by a trusted advisor – cyber risk information can be held up against other business risks and similarly weighed against particular strategic opportunities. This won’t create perfect outcomes, but it will vastly improve companies’ understanding of their cyber risk and provide a clear path for evolving oversight as the approaches develop.
What does this look like in practice? In order to make appropriate decisions, directors need to understand what “good” means for their overall cyber risk profile, and what a holistic assessment really entails (inside, outside, benchmarked, loss analysis). Additionally, they need to set expectations for an outcome that is commensurate with the company’s goals. Determining what “good” means will vary from company to company. Happily, this means that there’s quite a bit that directors can do in order to ensure that the building blocks are in place so their company can achieve the right outcomes when cyber rating and assessment methodologies mature.
Define your risk appetite: The first thing directors should recognize is that the board must determine the company’s risk appetite with regard to cyber-loss events just as it does with any other risk. After developing an understanding of the subject and of what types of risks its company faces, the board will recognize that “perfect” cybersecurity is not attainable. Rather, it will come to appreciate that evaluating cyber risk — and reflecting on any cyber assessment — requires the careful consideration of at least these two main questions: 1) What do our customers expect of us? and 2) How do peer companies approach these risks?
Focus on outcomes: Rather than jumping right to a ratings comparison, leaders need to focus on the outcomes they’re trying to achieve. The right outcome is a combination of an organization’s risk appetite, prior and future investment in cybersecurity, and expectation of its customers, shareholders, and even regulators. No one would expect that a brick-and-mortar retailer to have the same cybersecurity program and defenses as a top bank or manufacturer of military equipment. (Consider the situation of a law firm, which needs to worry a lot about a breach of private client data, compared with that of an electric utility, which needs to worry a lot about an interruption in services.) Likewise, boards and business leaders need to calibrate their expectations by determining their appetite for risk and making investments in cybersecurity that are commensurate with their industry profiles. Once this is decided, the board should set internal standards and targets and hold management accountable for meeting them.
Establish a culture of cybersecurity and resilience: Governance and culture have a critical part to play in any evaluation of cyber risk. Boards should assert their role in ensuring that these aspects of the company’s cybersecurity program are paramount. While there are currently varying approaches to measuring cyber risk, the right outcome always starts with the right culture. Even as the measurements shift, culture is a driver of all aspects of cyber resilience that can be measured — improvement in technical processes that drive improvement in outside scores, management engagement in cyber relative to business initiatives, engagement of the board in ensuring accountability in objectives. Culture is also important because its indicators fluctuate less over time than technology measures, which tend to shift as trends in computing change. For example, measuring cybersecurity in a data center is dramatically different from measuring cybersecurity in the cloud, but the cultural aspects of whether these environments are effectively managed are similar.
***
As the market for cybersecurity assessments further evolves into holistic cyber-security ratings, directors and business leaders need to pay careful attention to ensuring that underlying measurements provide a true comparative benchmark, adequately consider a balance between inside and outside measures, and fully examine the technical, governance, and cultural aspects of an organization. In order to achieve this, transparency in the methodologies used for assessing the risk is vital. But it is also crucial that organizations properly set and manage a cyber-risk appetite, understand the range of financial impacts that applicable cyber events may have on a company, and the role that good, well-informed governance plays in mitigating them.