1620s, “act of rebounding or springing back.” From Latin resiliens, “to rebound, recoil.” In physical sciences, the meaning “elasticity, power of returning to original shape after compression, etc.” by 1824. – Online Etymology Dictionary
The Risk Of Isolation
In the not too distant past, when capital flowed and postponing profitability was a badge of honor, finance teams transferred risk and security teams mitigated it – often in complete isolation. They didn’t align their objectives, nor were they motivated to do so. After all, times were good and nobody seemed to care.
Corporate and infrastructure cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks owing to economic uncertainty… Cybersecurity investment is not immune to overall budget cuts that could increase downside risk of attacks.
Due to severe financial headwinds, security budgets are now scrutinized and the value of insurance is brought into question. This too is done in isolation – which courts catastrophe. As budgets for security controls get cut, the likelihood of compromise grows. Similarly, as insurance investment shrinks, the likelihood of loss grows. One cost-cutting effort compounds the other.
The Need For Shared Objectives
When isolation of responsibility and financial duress meet, cost cutting naturally follows. The knife is raised without an integrated, calculated view of what risks cost the organization. Leadership calls it risk acceptance. But can risks truly be accepted if they haven’t been calculated? No. That’s nothing more than unstructured worry, like someone praying to Fortuna (Lady Luck) in the hope of avoiding a bad day.
The good news is that you can structure and manage your worries. It requires finance and security to share, align, and prioritize strategic objectives. Those objectives consider how business opportunity and risk mitigation work together – particularly when under duress – and support making informed trade-offs when necessary. We call this alignment of objectives Cyber Resilience.
The Call To Cyber Resilience
To be successful in this digital economy, a company must now be Cyber Resilient – it must integrate its Risk Mitigation, Risk Acceptance, and Risk Transfer in such a way that it can take a digital hit without materially impairing its ability to deliver value.
Or in other words, drive continuous improvement through continuous engagement across Risk, Cybersecurity, and Finance.
The Principles Of Cyber Resilience
Cyber Resilience tolerates losses – within limits.
This is different from most security strategies, which portray complete loss elimination as an end goal. Operating with shared, aligned, and prioritized objectives reveals how much the business can tolerate losing – without incurring operational disruption. For example, “With this configuration of controls, we can live with a 5% chance of losing $10 million and a 1% chance of losing $25 million…”
Cyber Resilience connects security with insurance – avoiding silos.
Security investments reduce the likelihood of loss. Insurance investments reduce impact. They work together (as opposed to in isolation) to keep risk within tolerance. That means they adjust both the probabilities and dollar-based impacts expressed above as important trade-offs are considered.
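As an added worked example (not part of the original article), the tolerance statement above and the split between controls (likelihood) and insurance (impact) can be checked numerically. The perils, probabilities, control factors and policy terms below are constructed for illustration; the tolerance limits are the article’s own 5%/$10M and 1%/$25M figures.

```python
from itertools import product

# Constructed sample perils: (annual probability, loss in USD). Illustrative only.
PERILS = {
    "data_breach": (0.10, 8_000_000),
    "business_disruption": (0.05, 12_000_000),
    "extortion": (0.04, 20_000_000),
}
# Tolerance as loss-exceedance limits, mirroring the article's example statement.
TOLERANCE = {10_000_000: 0.05, 25_000_000: 0.01}

def retained_loss(gross, deductible=0, limit=0):
    """Loss kept by the business after an insurance layer (deductible + limit) pays."""
    covered = min(max(gross - deductible, 0), limit)
    return gross - covered

def loss_distribution(perils, control_factors=None, deductible=0, limit=0):
    """Enumerate every combination of independent peril outcomes and return
    {retained annual loss: probability}. Controls scale likelihood; insurance cuts impact."""
    control_factors = control_factors or {}
    names, dist = list(perils), {}
    for outcome in product([False, True], repeat=len(names)):
        prob, gross = 1.0, 0
        for name, hit in zip(names, outcome):
            p, loss = perils[name]
            p *= control_factors.get(name, 1.0)  # likelihood after controls (factor < 1)
            prob *= p if hit else 1 - p
            gross += loss if hit else 0
        net = retained_loss(gross, deductible, limit)
        dist[net] = dist.get(net, 0.0) + prob
    return dist

def exceedance(dist, threshold):
    """P(annual retained loss > threshold)."""
    return sum(p for loss, p in dist.items() if loss > threshold)

def within_tolerance(dist, tolerance=TOLERANCE):
    """True only if every exceedance limit in the tolerance statement holds."""
    return all(exceedance(dist, t) <= lim for t, lim in tolerance.items())

if __name__ == "__main__":
    scenarios = {
        "baseline": loss_distribution(PERILS),
        "controls": loss_distribution(PERILS, {"business_disruption": 0.5, "extortion": 0.5}),
        "insurance": loss_distribution(PERILS, deductible=2_000_000, limit=15_000_000),
    }
    for name, d in scenarios.items():
        print(name, round(exceedance(d, 1e7), 4), round(exceedance(d, 2.5e7), 4), within_tolerance(d))
```

With these constructed inputs the baseline breaches the 5%/$10M limit (8.8%), while halving two peril likelihoods or adding a $15M layer above a $2M deductible each bring retained risk back within tolerance, which is the comparison a combined controls-and-insurance decision rests on.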
Cyber Resilience seeks capital efficiency – while preventing hazards.
Over- or under-investing in protection leads to distraction or worse. The former takes needed capital away from important business opportunities. The latter (negligence) threatens the business with outsized losses. Resilience optimizes the return on controls and insurance so you can best keep risk within tolerance. The goal is a set of rank-ordered strategies that satisfy your needs while avoiding the pitfall of moral hazard.
Cyber Resilience makes cybersecurity visible – so it can be managed.
Keeping risk within tolerance requires seeing what’s coming, counting the costs, and responding in kind. This starts with the integrated trio of threat intelligence, vulnerability management, and incident response. Security data is analyzed in relation to the financial losses your business may face. Losses include things like data breach, business disruption, extortion, wire fraud, and more. Analysis leads to optimized decisions – decisions that cut across investment strategies and day-to-day security operations.
Cyber Resilience incentivizes the right cyber hygiene behaviors – creating a virtuous loop.
The Practices Of Cyber Resilience
If you want to be a cyber resilient leader, you need to embrace the principles of resilience and learn the following practices:
Cyber resilient leaders are resourceful and know how to make accurate measurements and judgments about important events that can affect key objectives. They are trained in forecasting and are able to prove their skills over time and against their peers.
Calculating Value at Risk
Cyber resilient leaders know how to accurately gauge the potential losses they face from several perils using rapid risk assessments.
Resilient Strategy Design
Cyber resilient leaders create strategies that minimize both the likelihood and impact of compromise. Strategies are economically efficient combinations of controls and insurance that keep risk within tolerance without introducing moral hazard.
Resilient Operations Measurement
Cyber resilient leaders know how to measure their operational strategies when put into action. Visibility coming from threat intelligence, the state of cyber hygiene, and value-at-risk is continuously analyzed. If risk tolerance is threatened, actions are taken to bring risk back within tolerance by adjusting security controls and insurance.
Cyber resilient leaders are trained to effectively quantify, qualify, and communicate cyber risks. They tell the money people and the board what is needed and why (in economic terms) – and they have the operational data and analytics to defend their budgets when scrutinized.
Creating a new role around Director, Cyber Resilience
We believe that the principles and practices of cyber resilience necessitate a new leadership role. We are notionally calling it the Director, Cyber Resilience. It sits between finance, security and risk management. The role’s leveling is based on the dual strategic and operational nature of the job.
Strategically, the Director is responsible for developing a cyber resilient strategy. That is an executive function that collaborates across CFOs, Risk Managers, and CISOs.
Operationally, the job includes ample amounts of analytics to support decision making and alerting. Visibility coming in from security operations like threat intelligence, vulnerability management, and incident response is analyzed in relation to value exposure. Results from analytics are used to determine (and alert) if risk is out of tolerance.
Ultimately, the Director’s objective is keeping cyber risk within tolerance. They are accountable for governing that process. That means they work with the responsible organizations by doing the following:
- Advocating for cybersecurity capabilities that are economically efficient, target value at risk, and avoid moral hazard – all informed by continuous operations analysis and backed by a resilient strategy.
- Recommending changes to insurance limits and related coverage – helping to keep risk within tolerance in conjunction with recommended cybersecurity capabilities.
- Transferring and/or mitigating risk that has been accumulated under the guise of “risk tolerance” and that can lead to loss and the ensuing perception of moral hazard.
Risk leaders must make trade-offs. They must respond responsibly to economic headwinds. And they must react to the myriad threats created by digital transformation. A cyber resilient leader makes those trade-offs without exacerbating loss or incurring moral hazard. They operate from a set of principles that emphasize building economically efficient strategies. Efficiency maximizes the return on security controls and insurance together – protecting the value the business puts at risk. In day-to-day practice, the resilient leader uses modern analytics fueled by increased cyber visibility – responding to risk that threatens to exceed business tolerance.
This is how the resilient principles and practices define “The Cyber Resilient Leader.” It’s a modern role for modern organizations – purposed to navigate trade-offs while staying resilient in the face of financial and digital duress.