The executive guide to tackle your most challenging cybersecurity risks in 2022.
Author: Greg Tomchick, CEO, C|CISO
Cybersecurity risk has emerged as a top-three concern for leaders of medium and large organizations as cyber-attacks, online fraud and internal threats make a material impact on businesses across the world.
While boards and executives expect to be informed about cyber risk, very few of them seem to be getting the answers they want or need to make informed decisions.
All too often, cyber risk reporting is filled with technical jargon and colorful but hard to understand charts. Those responsible for cybersecurity—from the CEO on down—are urgently looking for better ways to measure risk and enable well-informed decision-making, regarding questions like:
- What are their organization’s top cyber risks and how much exposure do they represent?
- Which cyber risk management investments matter most?
- Are they investing enough (or too much) in cyber risk management?
This Valorr Insights piece is intended to provide a plain-language, high-level guide for executives on business-focused cyber risk management: prioritizing activities effectively, making trade-offs and choosing cost-effective solutions, to name a few. It is not intended to be prescriptive, but rather to help you recognize common risk management strategies, understand the options available to you and choose the best fit based on the nature and scale of your organization.
“Cyber Risk Management must have a seat at the table when discussing any business strategy or company initiative. This risk area intersects and impacts every area of the business and should be treated as so.”
Cyber Threats Are Not Bound By Compliance Requirements
Compliance requirements in cyber risk management tend to give most leaders a false sense of security. On the surface, it makes perfect sense—the more boxes your organization can check on an industry-standard “compliance” list, the more “mature” it is. And the more closely aligned it is with the herd (your peers in the industry), the better off you should be from a risk perspective.
This reliance on relative measurements is a form of “implicit risk management,” i.e., more boxes/maturity/alignment implies less risk. The problem is that none of those measurements provide real insight into how much risk exists or how risk levels will change if this, that, or the other event takes place.
The implicit risk management approach leaves many questions unanswered: How does my organization take a risk-based approach to closing gaps in controls or capabilities? How much does implementing a given control reduce our risk of a cyber-attack? Are we spending our resources on the right security activities?
Using Quantitative Approaches to Prioritize Cyber Risk Mitigation
Every organization has resource constraints, which means managing risk cost-effectively is necessary in order to appropriately balance risk management with other business imperatives. However, because of the tendency to rely on relative risk measurements, most organizations don’t achieve this balance.
There are two dimensions that determine cost-efficacy in risk management:
- The ability to identify and focus on your most important risks (i.e., prioritization)
- The ability to understand the value proposition of risk mitigation projects and optimize your solution choices through cost-benefit analysis.
Organizations that are effective in both of these dimensions reduce the odds of painful surprises and wasted resources. With this in mind, it’s important to recognize the degree to which qualitative and quantitative measurements support these dimensions.
Organizations can make significant improvements in their ability to prioritize by avoiding or being proactive towards the issues mentioned above, even if still measuring risk qualitatively. This will only take them so far, however, because qualitative measurements are inherently so imprecise. For example, an organization might become very good at accurately putting risks into the right high/medium/low buckets, but they will not be able to differentiate risks within these buckets—i.e., they won’t know which “high risk” is highest.
Choosing Cost-Effective Solutions
Once you’re able to focus on your most important risks, the next step is being able to choose your most cost-effective solutions. This is where qualitative measures fall flat for two reasons. First, in many cases they are simply too imprecise to effectively reflect differences in the level of risk reduction from various solutions. Second, they don’t reflect risk reduction in meaningful business terms. Going from “high” to “medium” might sound and even feel good, but what does it actually mean? The diagram below provides a comparison between how far qualitative measurements can support cost-benefit analysis, versus quantitative measurements.
The bottom line is that improving your organization’s ability to measure risk qualitatively is a start toward managing risk cost-effectively. To become good at cost-effective risk management though, you need to leverage quantitative measurements. This enables you to understand how much less risk is likely to exist after a control is improved. It also allows you to understand how much more risk is likely to exist if a control is removed or loosened for business efficiency or cost-saving reasons.
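The following is an added illustration, not part of the original article and not the FAIR methodology itself: a deliberately simplified annualized-loss model (expected loss-event frequency multiplied by expected loss per event) using constructed figures. It shows the two points made above in working code: several risks that all land in the same "high" qualitative bucket can be ranked once they are quantified, and candidate controls can be compared by how much annual loss each one removes per dollar spent, including the diminishing marginal value of a second control on a risk that an earlier control already reduced. The risk names, dollar amounts, reduction percentages and bucket thresholds are all assumptions chosen for the example.

```python
"""Added example: toy annualized-loss model for prioritizing risks and
choosing cost-effective controls. All figures are constructed, and the
model is a simplification, not the full FAIR methodology."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float   # expected loss-event frequency (assumed)
    loss_per_event: float    # expected loss per event in USD (assumed)

    @property
    def annual_loss(self) -> float:
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                 # USD per year (assumed)
    applies_to: tuple                  # names of the risks it affects
    frequency_reduction: float = 0.0   # fraction of events prevented
    magnitude_reduction: float = 0.0   # fraction of per-event loss avoided


# Constructed register of risks; every number here is illustrative.
RISKS = [
    Risk("Ransomware", 0.3, 2_500_000),
    Risk("Business email compromise", 2.0, 150_000),
    Risk("Insider data theft", 0.1, 4_000_000),
    Risk("Lost laptop", 5.0, 20_000),
]

# Constructed candidate controls and assumed effects.
CONTROLS = [
    Control("Enforce MFA", 60_000, ("Ransomware", "Business email compromise"),
            frequency_reduction=0.5),
    Control("Offline tested backups", 120_000, ("Ransomware",),
            magnitude_reduction=0.7),
    Control("Data loss prevention", 200_000, ("Insider data theft",),
            frequency_reduction=0.3),
    Control("Full-disk encryption", 15_000, ("Lost laptop",),
            magnitude_reduction=0.9),
]


def qualitative_bucket(annual_loss: float) -> str:
    """Assumed high/medium/low thresholds for the qualitative view."""
    if annual_loss >= 300_000:
        return "high"
    if annual_loss >= 100_000:
        return "medium"
    return "low"


def qualitative_view(risks):
    """Bucket labels only: three risks below end up as an undifferentiated 'high'."""
    return {r.name: qualitative_bucket(r.annual_loss) for r in risks}


def quantitative_ranking(risks):
    """Names ordered by expected annual loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.annual_loss, reverse=True)]


def residual_annual_loss(risk: Risk, controls) -> float:
    """Annual loss that remains once the given controls are in place.
    Reductions on the same risk combine multiplicatively."""
    freq, mag = risk.events_per_year, risk.loss_per_event
    for c in controls:
        if risk.name in c.applies_to:
            freq *= 1.0 - c.frequency_reduction
            mag *= 1.0 - c.magnitude_reduction
    return freq * mag


def total_residual(risks, controls) -> float:
    return sum(residual_annual_loss(r, controls) for r in risks)


def marginal_value(risks, selected, candidate) -> float:
    """Annual loss removed by adding `candidate` on top of `selected`."""
    return total_residual(risks, selected) - total_residual(risks, selected + [candidate])


def select_controls(risks, controls, budget: float):
    """Greedy cost-benefit selection: repeatedly take the affordable control
    with the best marginal loss-reduction per dollar, as long as it returns
    more than a dollar of reduction per dollar spent."""
    selected, remaining, candidates = [], budget, list(controls)
    while True:
        best, best_ratio = None, 1.0
        for c in candidates:
            if c.annual_cost > remaining:
                continue
            ratio = marginal_value(risks, selected, c) / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return selected
        selected.append(best)
        candidates.remove(best)
        remaining -= best.annual_cost


if __name__ == "__main__":
    print("qualitative:", qualitative_view(RISKS))
    print("quantitative ranking:", quantitative_ranking(RISKS))
    chosen = select_controls(RISKS, CONTROLS, budget=200_000)
    print("chosen within $200k:", [c.name for c in chosen])
    print(f"annual loss before: {total_residual(RISKS, []):,.0f}")
    print(f"annual loss after:  {total_residual(RISKS, chosen):,.0f}")
```

With these constructed inputs the qualitative view labels three of the four risks "high" and cannot order them, while the quantitative ranking separates them. The greedy selection within a $200,000 budget takes MFA first (the largest reduction per dollar), then full-disk encryption, then backups; note that backups are worth less per dollar once MFA has already halved the ransomware frequency, which is exactly the "how much less risk after a control" question the text raises. Data loss prevention is never chosen because it removes less annual loss than it costs.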
A Roadmap For Success
Despite cultural and operational differences between industries and organizations, there appear to be some fundamental steps that consistently help to smooth the process of building quantitative risk management programs.
- Identify your pain points
- Socialize those pain points with the expected change
- Build or deploy a committee or group to address them
- Train your people on the chosen mitigation action(s)
- Find ways to organize tactical (quick wins) and strategic (longer term) activities.
- Integrate new steps or activities into existing business processes, starting with the highest priority business processes.
- Host checkpoints and continually refine. Effective risk management, in any capacity, is a continuous improvement process.
If you have benefitted from these insights or have questions regarding how Valor helps leaders implement these principles, request a meeting with our team at your convenience.
- Measuring and Managing Information Risk: A FAIR Approach. (Jack Jones and Jack Freund). Available on amazon.com (http://amzn.to/2pXshsO) in both softcover and electronic form.