Directors and C-levels need to differentiate cyber risk management as a governance and management activity, on the same level as finance risk management and health and safety risk management.
The rationale is quite simple: digital technologies are core to the capability to deliver, the supply chain also needs to be resilient, and there is a clear (and regulatory) expectation that confidential and private data is properly protected. Cyber risk governance and management must be recognised and implemented in all organisations. It’s time to stop the abdication, denial, usurpation or delegation of cyber risk away from Director and C-levels.
The accountability is at the owner/board level. Nowhere else.
First Step: The owner/board need visibility. Get an independent cyber risk “Insights Assessment” from Cybercraft (drop me a line).
The misconception of cyber risk and cybersecurity
One of the common issues I find at Director and C-level is the misconception surrounding cyber risk. The central problem is the perception that cyber risk is synonymous with cybersecurity (and I still hear the term “IT security” being used frequently at executive and board levels).
This misconception is unhappily propagated through several vectors, often aided and abetted by the Managed Service Provider sector and Vendors who are KPI’d on selling products. On the flip side, insurance providers are starting to help business execs understand that a cyber-insurance policy is but one part of cyber risk management, and that there is a whole lot more to do to meet fiduciary obligations.
When it comes down to it, business success is based on one key factor: the capability to deliver reliably. And the business reputation is founded on this capability. Surrounding this is the ability to compete through transformations that bring efficiencies and effectiveness, and to be able to innovate and introduce disruptive methods and products. These are often a reflection of business agility: how quickly can the business leverage digital technologies and, increasingly, monetise business and client data? However, the key element is reputation. Easy to lose; hard to repair. And cyber risk management is vital to the success of business delivery and to protecting business reputation.
So I’m talking capability, delivery, reliability, agility, transformation, reputation. Business terms. Board terms. Not IT terms. Risks are identified and risk appetite is determined at board level, and then C-levels execute it. This is all ultimately underpinned by digital technology and data assets. Yet all too frequently, we see cyber risk accountability and responsibility for these assets abdicated, denied, usurped or simply delegated away from director and executive levels. All due to a misconception that cyber risk equals cybersecurity.
The indisputable fact is that the digital world has transformed business, and will continue to do so at increasing levels. We are highly mobile and interconnected, and our businesses now have a strong, if not critical, dependency on the availability and reliability of digital technologies and data. Furthermore, we also have dependencies on our supply chain, its capability to deliver and be reliable, and its ability to protect our data (and our clients’ data).
Right now though, cyber risk is largely governed and managed differently to other risk management, with little insight into cyber risk identification, business impact assessment, and on-going assurance. This needs to change.
Cyber Risk Analogies and Parallels
I love analogies and I’ve been using them for decades. They help bridge the technology divide with C-levels and directors to communicate the what, how and why of digital solutions in layman’s terms. Parallels are very handy as well to help indicate a double standard that frequently applies to cyber risk (and cybersecurity). Let’s take a look at a few analogies and parallels that help differentiate cyber risk and cybersecurity, and show that cyber risk is a business responsibility, not an IT responsibility.
The finance parallel is always an interesting one to explore at the CFO, CEO and board level, as a number of concepts align here. In many instances the IT function reports to the finance function, and a number of double standards appear:
· Is there a difference between Financial Management and Accounting? Of course there is. Financial Management manages assets and liabilities of the business and plans for future growth (risk management), whilst Accounting is the recording and reporting of past financial transactions (cybersecurity). So why is cyber risk not managed the same way? The business delivery and reputation ultimately depends on it.
· Would you let your CFO audit your accounts? Of course you wouldn’t. We see many prosecutions and millions of dollars lost every year through theft and white-collar crime. So why would you let your Managed Service Provider or IT Manager audit the areas that they are responsible for delivering? An external cyber risk assessment is essential.
· Are financial risks identified and reported to the board? Are financial KPIs determined and measured? Are risks that constrain delivery or impact the ability to operate reported? Of course they are. So why does this not apply to cyber risk governance and management?
Health and Safety is a great parallel to use for cyber risk as there are regulatory consequences, and laws are getting tougher in New Zealand (the impending Privacy Bill) and globally (GDPR, Notifiable Data Breaches). Good cyber risk management follows the same processes as health and safety, with consideration in particular for compliance with the Privacy Act 1993, as well as any sector related compliance (Lawyers and Conveyance Act 2008, as an example). The parallels with cyber risk include how the business engages with cyber risk, how risks are identified, how SLAs are determined, how measurements are established, and how monthly reviews are undertaken.
I find the home security analogy works exceedingly well and I present it regularly to a variety of audiences.
The situation is that you want to protect your home. You have an idea of what is needed (locks, latches, alarms etc) but you get an alarm professional in any case to cover any gaps. The professional helps determine the number of alarm sensors, type of alarm panel, and gets it monitored for you. Sound familiar? This is the home security equivalent of cybersecurity in the business place.
Cyber risk is far more insightful. Here is the approach that cyber risk would take to meet the requirement of protecting the home.
The first questions asked are what is actually in the home that you want to protect, and where are these items located?
Unique art? It’s irreplaceable. Maybe we want to have a higher level of security in that room?
Recovery? Maybe we’d like to capture intruder identity if there is a burglary or theft, so we have a better chance of recovering something stolen (it could be an inside job).
Jewellery? That can get left around the house, so maybe we need to agree to keep jewellery in one area so it doesn’t get lost and we can protect that better as well.
Insurance? Definitely. We’ll need contents insurance, high value item insurance, house insurance – goes without saying, right?
Compliance? Smoke alarms are mandatory now; have these been considered, since human life may be endangered?
How often do we test the smoke alarms? Do we know they are working? When was the last time it was tested? All of them. Not just the kitchen one because we know that works when we burn the toast.
Children? Should be top of the list. Should we run home fire evacuation drills with children and make sure they know what to do in an emergency? Of course the fire service has been talking for decades about how important this is.
This is considerably different from the alarm expert’s approach. Considerations of asset importance, value, process and training are all outcomes of the risk identification process.
In my presentations, I have found that this home security analogy demonstrates that most of the audience have not thought about identifying the key assets in their home – their family and vulnerable children. This is completely overlooked in the “protect the home” equation, yet it is the most important thing of all to protect. The parallel of “home vs business” and “family vs data” in the cyber risk context is quite clear – businesses are not taking a cyber risk approach.
To conclude, Directors and C-levels need to differentiate cyber risk as a governance and management level activity, on the same level as finance risk management and health and safety risk management. The rationale is quite simple: digital technologies are core to the capability to deliver, the supply chain also needs to be resilient, and there is a clear expectation that confidential and private data is properly protected. Cyber risk governance and management must be recognised and implemented in all organisations.
The accountability is at the board. Nowhere else.
Hopefully this article resonates with many people. The first step for any organisation is to get an independent cyber risk assessment in front of the board. Cybercraft offers a cyber risk “Insights Assessment” for the director and C-level audience that becomes the starting point for supporting cyber risk thinking. Drop me a line if you’d like to know more.