Why do the consultants keep advising management and the boards to consider cyber risk as if it is separate from all other business risks? Managing any single source of risk in a silo is almost certainly going to lead you to make incorrect, uninformed decisions.
Cyber is only one of many sources of risk that can affect the achievement of an enterprise objective initiative, program, or project.
As I keep saying, it is not about managing risk – it’s about managing the organization and its success.
McKinsey published an article in November, Cyber risk measurement and the holistic cybersecurity approach. It’s an interesting piece, reflecting responses by some board members to a recent piece by them. For example, they quote people as saying:
- “So far, we have not taken a big hit, but I can’t help feeling that we have been lucky. We really need to ramp up our defenses.”
- “Digital resilience is one of our top priorities. But we haven’t agreed on what to do to achieve it.”
They also say, correctly:
- Companies are rolling out a wide range of activities to counter cyber risk. They are investing in capability building, new roles, external advisers, and control systems. What they lack, however, is an effective, integrated approach to cyber risk management and reporting.
- Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
- Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.
I especially like this:
At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”
But then they go down the silo path.
- Working with top management and drawing on internal and external resources, the chief risk and information security officers create a list of critical assets, known risks, and potential new risks.
- The chief measure of cyber-resilience is the security of the organization’s most valuable assets.
I know that this approach is consistent with guidance from ISO 27005: 2018 and NIST. But it focuses attention on information assets and not the achievement of organizational objectives and success.
Why can’t they ask a simple question:
If we had a cyber incident, how could it affect the business?
There’s going to be a range of potential consequences, each with a different likelihood. They could identify the level of harm that would be unacceptable and its likelihood.
But cyber is just one source of business risk!
It needs to be measured and discussed in a way that enables it to be considered alongside other business risks, including such as legal, market, compliance, safety, culture, third party, and other sources of risk.
When management and the board are setting objectives and making strategic and tactical decisions, they need to see the big picture, all the things that might happen (risk). Looking at cyber and then looking separately at other sources of risk is simply wrong.
I fail to see why people think cyber is risk #1 when they are not assessing how it could affect the achievement of key business objectives. What is the likelihood that a cyber incident would cause the organization to fail to achieve its EPS, market share, and other targets?
A new piece from PwC is no better. How your board can better oversee cyber risk doesn’t have a single question about what would happen to the business if there were a breach! Instead, there is a focus on data and other information assets.
Until we consider cyber the same way we consider other sources of business risk, in terms of how an incident might affect enterprise performance, value creation, and the achievement of objectives, management and the board will continue to make uninformed decisions.
I welcome your comments.