I know a lot of persuasive folks in the cybersecurity community who can easily conjure up a dozen different cyberattack scenarios detailed enough to scare the socks off any board member. Many of us have been hearing about these hypothetical disasters for a decade or longer.
Senior leaders are nervous – and spending copiously. Yet, even as the defense of enterprise data has grown into a steadily expanding $93 billion a year global industry, cyberthreats, by and large, remain an abstract, catch-all notion in many board rooms.
Encouragingly, that’s beginning to change. A confluence of developments makes this so. Mainly, the disclosures of actual nightmare breaches, which climbed to new heights in 2016 and 2017, show no signs of slowing. This pattern has prompted newly minted state regulations in New York and Colorado, mandating improved data protection practices – a harbinger of more such regulations to come. Meanwhile in Europe, come May, the EU will implement its revised General Data Protection Regulation. GDPR carries stiffer data privacy rules that generally elevate consumers’ rights, and levies steep penalties against corporate violators.
The table is set for CSOs and CISOs to enter the board room and redirect the conversation about cyber risks away from the worst possible scenario and toward the risks most likely to have a material impact on the business. For example, if a hacktivist somehow managed to deface an organization’s public-facing website, that would be embarrassing but not material. But if hackers could steal product or growth plans and then use that information to build a competitive product or influence market decisions, that would harm the organization; that would be material. We do this kind of analysis to concentrate on the risks to the business that are most likely.
I’m privileged to be in the vanguard of security executives who have taken up this battle cry: to ask fundamental questions with respect to any specific cyberthreat. Is it material to the business? Because if it isn’t, why are we even talking about it? If it is material, then what are the odds that it will happen and, more specifically, could it happen here in the next three years?
Material risk defined
In every organization I’ve ever been in, there has always been a risk-mitigation heatmap listing the 10 or 15 things senior executives worry about most. It might be the sudden resignation of the CEO or a force majeure, such as a major earthquake knocking out a pivotal data center. Amorphous “cyber” is usually listed near the end of that heatmap: seemingly too complex and abstract to be called out as a specific risk, but too scary to leave off the list. To be clear, “cyber” is not a risk. It is a vector. Good things happen to an organization because of cyber, and bad things happen because of cyber. For a cyber risk to earn a place on the heatmap, it should be very specific and presented in terms that the organization’s officials can understand. C-level executives and board members make decisions about risk all the time. Cyber is no different. Until now, the CISOs of the world just have not been very good at translating technical risk into business risk.
The good news is that this situation is starting to change. Both the rationale and the tools are emerging for security executives to present cyber risks to board members with more precision. Instead of saying things like, “The chances of something bad happening because of ‘cyber’ are high,” we should be saying things like, “Given our security posture, we’re 90 percent certain that there is a 20 percent to 40 percent probability that the company could be materially impacted by the compromise of a customer database – in the next three years.” With that kind of ballpark estimate, executives can determine whether the risk is acceptable to the business. If it is, then nothing needs to be done. If it isn’t, then the CISO can offer mitigating solutions that will lower the probability.
An approach like this compels security executives to put pencil to paper, and it gives senior leaders viable context from which to make informed risk-mitigation decisions.
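As an added illustration of putting pencil to paper in this way (this is example code written for this page, not the author's method or anything from the books cited below), the Python below takes the article's 90 percent interval of 20 to 40 percent over three years, converts it to a per-year rate, shows how a control that cuts the per-year probability moves the interval, and runs a small Monte Carlo in the calibrated-estimate style that Hubbard and Seiersen describe. The loss interval, the materiality threshold and the 50 percent reduction are constructed assumptions, not figures from the article.

```python
import math
import random

# From the article's example statement: 90% confident that the 3-year probability
# of a material customer-database compromise lies in [0.20, 0.40].
P3_LOW, P3_HIGH = 0.20, 0.40
HORIZON = 3
Z90 = 1.6449  # half-width of a two-sided 90% interval, in standard deviations

# Constructed assumptions (not from the article): 90% CI on the loss if the
# compromise happens, and the figure above which the board calls it material.
LOSS_LOW, LOSS_HIGH = 1e6, 2e7
MATERIALITY = 5e6

def annualize(p_horizon, years=HORIZON):
    """Per-year probability equivalent to p_horizon over `years` independent years."""
    return 1.0 - (1.0 - p_horizon) ** (1.0 / years)

def over_horizon(p_year, years=HORIZON):
    """Inverse of annualize(): per-year probability back onto the horizon."""
    return 1.0 - (1.0 - p_year) ** years

def apply_control(p_low, p_high, annual_reduction, years=HORIZON):
    """3-year interval after a control cuts the per-year probability by a fraction."""
    scale = 1.0 - annual_reduction
    return (over_horizon(annualize(p_low, years) * scale, years),
            over_horizon(annualize(p_high, years) * scale, years))

def simulate(trials=20000, seed=1):
    """Monte Carlo: draw a 3-year probability from a normal with 90% CI [P3_LOW, P3_HIGH]
    (clipped to [0, 1]), decide if the compromise occurs, then draw a lognormal loss
    with 90% CI [LOSS_LOW, LOSS_HIGH]. Returns (event rate, mean loss, P(material))."""
    rng = random.Random(seed)
    p_mean, p_sd = (P3_LOW + P3_HIGH) / 2, (P3_HIGH - P3_LOW) / (2 * Z90)
    l_mu = (math.log(LOSS_LOW) + math.log(LOSS_HIGH)) / 2
    l_sigma = (math.log(LOSS_HIGH) - math.log(LOSS_LOW)) / (2 * Z90)
    events = material = 0
    total_loss = 0.0
    for _ in range(trials):
        p = min(1.0, max(0.0, rng.gauss(p_mean, p_sd)))
        if rng.random() < p:
            events += 1
            loss = rng.lognormvariate(l_mu, l_sigma)
            total_loss += loss
            material += loss > MATERIALITY  # bool adds as 0 or 1
    return events / trials, total_loss / trials, material / trials

if __name__ == "__main__":
    print(annualize(P3_LOW), annualize(P3_HIGH), apply_control(P3_LOW, P3_HIGH, 0.5), simulate())
```

The third figure returned by simulate() is the number a board can weigh against its risk tolerance; rerunning apply_control() with a proposed control's effect shows how much a mitigation would move the interval.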
As an additional benefit, a healthy consensus gets developed about risk tolerance, which invariably reflects a company’s vertical sector and corporate culture. One might imagine that cyber risk tolerance is much different for Walmart than it is for the Internal Revenue Service, for instance.
CISOs, the newer faces on executive row, have a big role to play in accelerating this shift, which is just getting underway, and they must keep pushing it forward. In many organizations, the CISO post still doesn’t exist; where it does, the role tends to be tech-focused, reporting to a CIO who may still hold an abstract view of cyber risk.
Given the continued ferocity of attacks on business networks, it’s clear that CISOs are destined to continue rising in stature and influence, and I firmly believe those who embrace a material risk approach to addressing cyberthreats will command the attention of senior leaders and steadily drive material improvements, if you will, into their organization’s security posture.
We have just scratched the surface here. If you’re ready to learn more, I’d urge you to read How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen, and Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones. We’ve also created a hall of fame of sorts for cybersecurity books we like to call the Cybersecurity Canon.
This article is published as part of the IDG Contributor Network.