Today, I am going to share an excerpt from a draft of my upcoming book, Making Business Sense of Technology Risk.
I welcome your comments and feedback.
Is the level of concern about cyber merited? Should organizations and individuals be as worried about the possibility and consequences of a breach as they are advised by the consultants, information security pundits, and in news reports?
The answer is “it depends”.
The potential for harm is not the same for every organization, in every nation, and in every industry sector.
For example, when I was with Tosco Corporation as head of internal audit, I was worried about the possibility that a hacker might breach our cyber walls and get to the control system in one or more of our refineries’ process units. Whether by accident or on purpose, they could change pressure or temperature settings and cause a fire or explosion that would likely kill or severely injure a number of employees.
But gaining access to our corporate systems was much less of a concern. They might disrupt our business for a while, but any consequences of the breach would not be of a magnitude that would cause the organization to fail.
After Tosco, I joined Solectron Corporation. This was a contract manufacturer of electronic equipment such as phones, servers, laptops, telecommunications equipment and so on. While a breach would be annoying and disruptive, I cannot think of a scenario where it would cause the company to fail.
From Solectron, I went to Maxtor Corp. (the leading manufacturer of hard drives) and Business Objects (the leader in business analytics software). Both had intellectual property such as product design that gave them a technological lead in their markets. The theft of that intellectual property would be serious and could erode their advantageous market position and, eventually, market share and profits. Such consequences were of serious concern.
My advice is to focus less on how a breach might happen (after all, there are usually a number of vulnerabilities) and more on the potential consequences. In other words, don’t worry (yet) about which vulnerabilities might exist and be exploited. The effect may be the same whichever vulnerability the hackers exploited.
There will be a range of possible consequences, each with a different likelihood.
The next step is to work with business management to assess the effect on the business and the achievement of objectives. That is, in my opinion, the best way to determine the potential severity of a breach.
It is now possible to develop a chart that shows the range of potential breach consequences (the effect of a breach on the business) and the likelihoods of each level of consequence.
Management should consider whether there is an unacceptable likelihood that a breach could cause severe harm, to the point where the organization would fail to achieve its objectives.
There is always a theoretical possibility of a dire consequence. The question is whether the likelihood is so great that immediate action is required – and resources diverted from other business investments.
At the lower end of the range of consequences lie effects that would not cripple the business. But management should still consider whether there is too high a possibility of what some would call ‘death by a thousand cuts,’ where disruptions are so frequent that the likelihood of achieving objectives is severely affected.
But that is not enough.
Business objectives may be subject to multiple technology-related sources of risk and other business risks as well.
In order for executives and business leaders to make intelligent and informed decisions, they need to understand all the sources of risk.
Those responsible for assessing and communicating cyber risk need to work collaboratively with those handling other sources of risk to ensure decision-makers are provided the actionable information they need.
When looking at the big picture, is the likelihood of achieving enterprise objectives at an acceptable level? Is there an unacceptable likelihood of severe harm?
If so, drill down to the sources of risk that underlie the assessment. Analysis should be performed to determine where changes should be made (which may or may not relate to cyber). It all depends on the degree that the level of risk can be changed, the certainty of that result, and the related cost.
If the decision is made that the level of cyber risk needs to be changed, this is where I would consider all the vulnerabilities and the options for improving defense, detection, and response.
I would not pour resources into cyber simply on principle (somebody assesses the risk as high) where it is not justified on business grounds.
It is important to understand what leaders need if you are to provide them with the information necessary for quality decisions. My advice is to give them both the big picture and the detail, and then they can work with the practitioner to refine reporting and communications.