Achieving effective Cyber Resilience is a continuous process that requires collaboration across an entire organization in order to adequately assess, measure, and manage cyber-related operational risks. To achieve Cyber Resilience, the alignment of three key parties is essential: the CFO, CISO, and Risk Manager (referred to as the “committee” throughout this article).
The CFO’s concern is with capital allocation and optimizing return on investment. The CISO’s focus is preventing and mitigating technology-based operational disruption. The risk manager’s role is to understand the organization’s risk, and develop an action plan for those risks which includes making decisions around risk acceptance, avoidance, transfer, or mitigation. With three distinct disciplines and viewpoints coming together in pursuit of the common goal of Cyber Resilience, it’s important to create a meeting foundation that answers the question “what’s in it for me?” on an individual level as well as the greater organization.
Advanced Cybersecurity Visibility
The first and most important step to effective Cyber Resilience collaboration is to ensure everyone is operating from a common understanding of the problems being addressed and why those problems are important. The group can then collectively identify their operational exposures, evaluate their effectiveness at managing those exposures, target inadequately controlled exposures (deemed hazards), and pursue a risk decision.
The most common way of identifying and prioritizing exposures is via impact to revenue generation. The CFO should come to the table with a list of critical business functions and processes that impact revenue. The CISO should be able to match technology enablement against those revenue-generating functions. The Risk Manager should document these risks, have an understanding of risks outside of business disruption (i.e. reputational risk) and be able to discuss both first and third-party risks to critical business functions.
For each of the financial impact exposures identified, the committee should evaluate how those exposures are controlled and the effectiveness of those controls. The financial consequences of the events should be detailed, including the cost of the controls implementation process, revenue reduction during the recovery period, and any long lasting effects that could result from an incident. The goal of this phase is to understand the real-world financial ramifications associated with each possible loss exposure. That sets the stage for risk analysis and decision making. It is important to highlight any exposures that are inadequately controlled in accordance with the organization’s risk tolerance. These should be labeled as hazards and prioritized for risk decisions.
Now that exposures and controls have been identified and assessed, risk decision strategies can be implemented based on the organization’s risk tolerance to each exposure. The key risk-based decisions which need to be made are:
- whether to accept the risk as-is and take no other actions,
- avoid the risk altogether by ceasing operations or transitioning to alternative operations,
- transfer the risk through insurance, contract indemnification clauses, risk pooling strategies, etc., or,
- mitigate the risk by finding ways to reduce the exposure or improve the effectiveness of the controls.
The committee will need to collaboratively decide which risk decision is appropriate for each exposure, factoring in ease of implementation, cost associated with the decision, and the impact of the decision to organizational risk.
Questions to generate discussion:
- What are our critical operations and what are the potential causes of disruption?
- For each cause of disruption, what are the mitigation plans in place?
- What do we project revenue losses to be during the disruption and recovery phases?
- Are the projected losses acceptable to the organization?
- What do we need to do to bring losses to an acceptable level?
Actionable Cyber Hygiene
If the committee chooses risk mitigation as the path forward, it’s important that a common organizational lexicon is used to justify risk mitigation expense decisions. This lexicon is dollars and cents. Determining the best course of action to mitigate risk should involve in-depth cost benefit analysis. It’s rare that an organization has an endless pool of funds to invest in cybersecurity. Therefore, it’s imperative that funds invested in cyber risk mitigation efforts are maximized to have the greatest risk reduction impact for the lowest cost. There are multiple paths to promoting cyber hygiene, and each risk should be analyzed on a case-by-case basis. Whether the decision is to reduce exposure or invest in additional mitigation efforts (people, processes, or technology), achieving and maintaining a level of cyber hygiene that is congruent with your organization’s risk tolerance must be a collaborative committee endeavor.
Accountable Risk Transfer
Cyber insurance is a commonly deployed and widely accessible form of risk transfer. The committee may decide insurance is the appropriate risk management strategy to cover either a portion or the entirety of their operations. It’s important for the committee to understand the specific risks that need to be transferred to third parties to keep the organization adequately protected should an incident occur. This is especially true of organizations that have undergone significant operational changes including M&A activities, geographic expansions, or rapid growth/contraction.
Questions the committee should ask themselves:
- Does the insurance policy adequately cover the organization’s most critical risks?
- Will the insurance company meaningfully recognize any improvements I make to my risk posture?
- What happens to my insurance policy if my operations change throughout the policy period?
- Does the insurance company have any resources to assist my organization’s cyber risk management efforts beyond risk transfer?
A cyber resilience meeting needs to be collaborative with each stakeholder (finance, security, and risk management) bringing their unique viewpoints and motivations to the table in a supportive manner. This holistic approach to risk analysis and mitigation sets the foundation for the organization to pursue cyber resilience effectively for the long term.