Over the last five years, cyber risk management has become one of the top five challenges facing organizations in all sectors, globally.1 Advances in information and computing technology have outpaced the capabilities of enterprise security protections. Understanding cyber risks is critical to the survival of enterprises in a globally linked marketplace. To tackle the gorilla, directors and executive leaders must consider their organization’s risk exposure and tolerance and use them to evaluate organizational processes. This evaluation requires consideration of the operational environment, understanding of the impact that malicious activity can have on the business, knowledge of the present state, the available assets, the destination and the path, and the willingness to expend resources on continual drilling and practice.
Considerations Before Tackling Your Cyber Risk Gorilla
Former FBI Director Robert Mueller stated eight years ago, at the 2012 RSA Conference, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”2 This remains as true today; organizations must not be naïve. Nefarious actors have accessed, or are currently accessing, their networks. Publicity regarding high-profile data breaches and the recent expansion of data privacy regulations around the world have led to cyber resiliency becoming a reputation and brand image concern for organizational leaders. Detection and monitoring controls largely remain immature, leading to continual breach detection failures. Fear regarding the significance of breaches, and their duration prior to detection, is a major leadership concern.
Threat Aware. Today’s threat landscape results from a digital environment that is ever-evolving. Organizations that do not leverage the information domain cannot gain leverage in the marketspace, so organizational threat awareness is critical. Periodic assessments are important but should not be the sole means of identifying threats. Executive leadership must proactively seek information on organizational threat management programs to make informed decisions related to risk exposure and risk tolerance.
Focus on Adverse Business Outcomes. While organizations understand their critical assets (“crown jewels”), they often forget to focus on business outcomes during security risk assessments. Attention is paid to key applications, while security controls related to data sets are downloaded and then ignored. Executives must force IT leaders to holistically assess information security risks rather than throwing money at technology. In addition, strategic investment to create a winning combination requires focus on prioritized protection of critical assets, but not at the expense of maintenance and innovation.
Know the Game…Play to Win. As General Douglas MacArthur said, “in war, there is no substitute for victory.” Make no mistake; we are in a war whose cost to organizations and individuals worldwide is projected to exceed six trillion dollars annually by 2021.3 That figure is greater than the Gross Domestic Product (GDP) of all but four countries in the world (U.S., China, Japan and Germany). Winning the war is feasible. Organizations must move beyond reliance on technology to deliver effective and sustainable protection against ever-changing threats to business operations. Winning is a combination of people, policy, procedures, protective tools inside the business, and awareness of the risks attendant to third-party vendors. It begins with determining: a) where we are now; b) what we have to work with; c) where we want to be; and d) how we get there.
Success Requires Preparation. Managing cybersecurity-related risks is not just managing threats and vulnerabilities; it is understanding organizational digitization. As companies leverage the value of information technology, more progress is needed to mature the performance of enterprise privacy and security capabilities. The executive team should ensure the organization’s cybersecurity systems, policies, and standard operating procedures are resilient enough to handle the operational environment and threats. Tabletop exercises are a start to preparation; however, simulations of likely attack activity should be performed periodically to address increasing attack sophistication. These simulations prepare organizations to detect and respond in a timely manner. The C-suite should focus on incident response planning to ensure that the company can respond and recover with minimal damage to business operations, image and brand recognition.
Recognizing the environment that organizations operate in, having an awareness of the threats, clarifying the adverse outcomes related to an attack or breach, understanding the field of play, and exercising the plan are the considerations necessary for tackling the gorilla. However, before the gorilla can be taken down, the organization must further develop an understanding of the C-Suite’s role in mitigating cyber risk.
Questions to Ask Regarding Your Organization’s Cyber Risk Gorilla:
- Have we identified our most important business outcomes, our crown jewels, anticipated risk exposure, and risk tolerance?
- Does a culture of cybersecurity emanate from the boardroom to the breakroom?
- What is the business impact of a major cyber-attack or breach?
- Does the organization understand its attack surface?
- What organizational vulnerabilities exist (e.g., hardware, software, systems, processes, policies, etc.)?
- How many, and what type of cyber incidents are detected in a normal week?
- Are the organization’s processes and incident response plans based on industry-recognized standards?
- How often are cyber incident responses tested?
- Is the workforce trained and prepared with proper policies and standards to mitigate threats and respond/recover from
- What metrics measure our cyber resilience? How are we going to measure those metrics? How will we report?
From these questions, the C-Suite can develop a basis upon which to work with IT and business stakeholders to define performance metrics for cyber resilience. An executive-level dashboard can help decision-makers maintain awareness of the organization’s posture and their ability to address threats. Often, executives ask “What do I measure or what should I measure?” An excellent resource to answer this question is former U.S. Federal Government Chief Information Security Officer Greg Touhill’s book, “Cybersecurity for Executives”.4 In his book, Mr. Touhill identified five “must measure” cybersecurity performance metrics that clarify organizational resiliency posture and inform decisions related to cyber risk.
Tackling Your Cyber Risk Gorilla: Leverage Touhill’s “Must Measure” Metrics
Metrics define whether the gorilla has been taken down, or at least knocked out of bounds, facing a fourth down and long. Executive leaders should understand that reliance on cyberspace brings with it an inherent risk the size of an 800-pound gorilla, one that is evolving faster than organizations can keep up. Touhill states that cybersecurity is not just a technical issue; it is a business imperative. At its foundation, risk is the intersection of threats, vulnerabilities and assets. The field of information security focuses on mitigating potential loss of, or damage to, information assets. To tackle the gorilla, organizations must know where it is on the field. Touhill recommends measuring: 1) vulnerabilities; 2) process effectiveness; 3) people, processes and procedures; 4) cybersecurity budgeting and spending; and 5) how the organization stacks up, by conducting an industry-wide comparison.
As cyber risk continues to challenge organizations, executive leadership and boardrooms must elevate cyber risk to the forefront of their business strategy. While progress is being made, practitioners at all levels still struggle to appropriately prioritize cyber risk within the overall business strategy. ISACA’s recent State of Cybersecurity Report states that only 69 percent of practitioners believe organizational leadership adequately prioritizes enterprise information security.5 Solutions exist; the organizational challenge is to look in the mirror, recognize the threat, focus on business outcomes, prepare to win, and play to win via a strategy that leverages existing benchmarks, frameworks and subject matter expertise.
- Touhill, G. & Touhill, C. (2014). Cybersecurity for Executives: A Practical Guide. Hoboken, NJ: John Wiley & Sons, Inc.