I encourage you to subscribe (free) to McKinsey’s frequent reports. Their latest, Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity, has some good observations. Unfortunately, their ideas for addressing the problem don’t work for me.
Here are some excerpts I like:
- …cyberrisk reporting at many companies is inadequate, failing to provide executives with the facts they need to make informed decisions about countermeasures.
- Because of the information gaps, managers often apply a standard set of controls to all company assets. As a result, low-priority assets can be overprotected, while critical assets remain dangerously exposed.
- In one survey, more than half of executive respondents said cybersecurity reporting was too technical for their purposes.
- Cyberrisk reports were compiled by IT specialists for other IT specialists. As a result, the reports were very technical in nature and provided little to no guidance for executive decision making. Executives found that the reports did not help them interpret how cyberrisk is related to other risks the institution faces, such as legal or financial risks.
- The reporting was structured by systems, servers, and applications rather than by business units, business processes, functions, countries, or legal entities.
- The executives had no clear sense of the overall magnitude of the risk from cyberattacks, malware, and data leaks.
- Cyberrisk managers found it difficult to decide on the areas of focus for cybersecurity investments or to justify their ultimate decisions to the board.
This is why I wrote Making Business Sense of Technology Risk.
The people running the business need to know how technology-related risk, especially (but not limited to) cyber-related risk, might affect the achievement of their objectives. They need to know how to include it with other sources of risk and know where to spend scarce resources.
For example, should they budget an additional $1,000,000 to address what the CISO says are high risks, or should they spend that money to address trade compliance risk (which could result in their being shut down in an important region) or on a marketing campaign to drive revenue?
What if the cyber-related risk created by a new office appears to be acceptable, but when you realize that there are multiple new (non-cyber) risks that should also be considered, the right decision is to delay opening the office?
By the way, this last point illustrates one of the problems with the concept of risk appetite as promoted by COSO and others. In the last example, cyber-related risk is deemed to be acceptable. Let’s say there are potential customer relationship, compliance, and financial reporting issues as well. Each individually may be acceptable, but when management looks at the big picture (which requires that the information on each is not only comparable but can be aggregated in some way – I prefer based on their individual and cumulative effect on specific objectives), they decide the total potential downside is not justified by the potential upside.
My point is that all assessments of what might happen (aka risk) should be made based on how the achievement of business objectives might be affected. (This is discussed in detail in the book, far more than I can put in a blog post.)
But McKinsey falls into the same trap as some of the standards written by techies for techies: in other words, not written for leaders of the organization, and not written to provide decision-makers with the information they need to make informed and intelligent business decisions. In fact, I have yet to see a standard or other guidance that tells you to ask them what they need.
Here are some excerpts (my highlights), where they go astray:
- Make the cyberrisk status of the institution’s most valuable assets fully transparent, with data on the most dangerous threats and most important defenses assembled in a way that’s accessible and comprehensible for nonspecialists. [ndm: the last point is good, but the focus is on information assets instead of on enterprise objectives.]
- Provide decision makers with a risk-based overview of the institution so they can focus their cybersecurity investments on protecting the most valuable assets from the most dangerous threats. [ndm: protect the business and its objectives, not just information assets.]
- The company subjected only its most critical, most vulnerable assets (class one) to the full arsenal of controls—from multifactor user authentication to deleting, after 24 hours, the accounts of anyone who left the company. By contrast, it applied only basic controls to the least critical assets.
McKinsey follows this up with a heat map! Of course, it is going to be interesting information for techies, but it fails to relate how any incident (or series of incidents) might affect the business and its objectives. There’s no way this information can be added to other sources of risk to help leaders make sound business decisions.
McKinsey rails about techies developing reports for techies and then does the same thing.
Instead, figure out what leaders need to know about cyber-related risk if they are to make informed and intelligent decisions:
- Should they invest in cyber vs marketing?
- Should they proceed with opening that new office?
- How likely is it that a breach would seriously impair the achievement of enterprise objectives – including how it would affect the metrics on which the analysts rate the company and the board determines their bonuses?
I welcome your thoughts.
 I hate to use the 4-letter ‘r’ word, but am doing so to help people understand this particular issue.