Two recent pieces attempt to help with this question:
Reporting Business Risk to the Board of Directors is an interview with the former chair of RSA Security, Art Coviello, a recognized expert on cybersecurity who has served as an advisor to government agencies.
The other is Raising cyber risk to the enterprise level by Elizabeth Case, Managing Director of Marsh’s US Cyber Practice.
They both have some useful things to say, but I doubt they will help board members understand the level of risk and what they need to do about it. The latter is the big question.
Coviello tells us:
Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board. They can, but the burden, in large part, is going to be on them.
The answer, which Coviello attempts in vain to explain, is to discuss the risk in business terms. Yes, it is a business risk. But the way Coviello talks about it doesn’t work for me.
He asks:
What are the risks to your assets? What is the risk to your operations? What is the risk to your good name? What is the risk to your revenue attainment?
Sorry, but that’s not enough and his “best practices” don’t help.
Case sets the stage in similar fashion, saying:
Board members and C-suite executives, although not typically experts in technology, must take ownership of cyber risk, working in concert with critical organisational stakeholders, such as finance, legal, human resources, risk and information technology/security managers.
She also points out that according to a recent Marsh survey:
…only 19 per cent of corporate executives say they are highly confident in their company’s ability to prevent and respond successfully to a cyber event.
Case continues:
Another notable conclusion from the survey is that high quality information about how an organisation is assessing and managing its cyber risk, which is necessary for effective cyber risk management, is generally lacking at the executive level. That gap exists both in the flow of information – the volume and distribution of data to the board level – as well as in the form that information takes – the language used to express and measure cyber risk exposure. Too often, data about a firm’s cyber risk and mitigation efforts is communicated across the organisation in technical terminology that can be challenging for non-technical experts. Instead, cyber risk measurement should be framed in economic terms – the lingua franca of business.
…
Economic quantification enables cyber risk to be measured, expressed and understood in the common language of business and boardrooms. It shifts boardroom conversation of cyber risk from a technical discussion of threat vectors and system vulnerabilities to a data-driven analysis focussed on optimising a firm’s cyber capital allocation and reducing its total cost of risk. A quantified measurement of cyber risk also helps inform decision-making around cyber risk investments – technical mitigation and risk transfer – and allows for evaluation of the risk reduction return on investment. With hard numbers in hand, corporate leaders can consider how much to invest in cybersecurity, how much risk to transfer via insurance and how much risk the firm is willing to retain.
Many will agree with her that:
…cyber risk should be measured and expressed quantitatively to provide an objective assessment of the value at risk and allow for measurement of the return on the firm’s cyber investment – and for comprehension by key stakeholders.
This may work for some, but not for me. I like much simpler methods. How am I supposed to know that one number is OK and another is not? I want to understand the potential effect of a breach on my company’s success.
Finally, Case provides us with a list of questions for board members to ask of management. I think they are useful and recommend their consideration.
But as a board member I would want to know simple answers to some simple questions, such as:
How could a ransomware attack hurt us? What damage could be caused and for how long?
That would be followed by:
Is that the worst case?
How would it affect our earnings and other business objectives?
How likely is it?
Is that a risk we should take? If not, why not and can we do something about it that makes business sense – can we reduce the potential effect and/or duration at a reasonable cost?
Are there other possible levels of impact? Do we need to address them as well?
If we invest more to address this risk, what other investments are affected?
What happens if hackers find a new way to penetrate our systems?
I would ask similar questions about other effects on the business, such as:
What damage would be caused if a hacker stole our intellectual property?
How likely is that?
…and so on
Could a breach cause other damage to our business? If so, how severe could it be and for how long?
How likely is that?
…etc.
My approach is to consider the potential effects on the business and its objectives, which should be expressed as a range of effects, then ask about the likelihood of those effects. I then ask whether that is acceptable or not, and why I am given that answer. After that, I want to know what we should be doing and whether any further investment in cyber would affect other projects and initiatives.
Frankly, I don’t understand “quantification” of risk. A number says nothing to me when I am trying to make informed and intelligent business decisions.
I want to know whether the current situation, and what might happen in the future, is acceptable or not, why – and what we should be doing about it.
I welcome your thoughts.