Threatonomics

The Rise of The Cyber Resilient Leader

Navigating digital opportunity and loss while under duress

by Richard Seiersen, Cyber Resilience Strategic Advisor

Resilience (n.)

  • 1620s, “act of rebounding or springing back.” From Latin resiliens, “to rebound, recoil.” In physical sciences, the meaning “elasticity, power of returning to original shape after compression, etc.” by 1824. – Online Etymology Dictionary

The Risk Of Isolation

In the not-too-distant past, when capital flowed and postponing profitability was a badge of honor, finance teams transferred risk and security teams mitigated it – often in complete isolation. They didn’t align their objectives, nor were they motivated to do so. After all, times were good and nobody seemed to care – until now.

“Corporate and infrastructure cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks owing to economic uncertainty… Cybersecurity investment is not immune to overall budget cuts that could increase downside risk of attacks” – Fitch Ratings

Due to severe financial headwinds, security budgets are now scrutinized and the value of insurance is brought into question. This is also done in isolation – which courts catastrophe. As budgets for security controls get cut, the likelihood of compromise grows. Similarly, as insurance investment shrinks, the likelihood of loss grows. One cost-cutting effort compounds the other.

The Need For Shared Objectives

When isolation of responsibility meets financial duress, cost cutting naturally follows. The knife is raised without an integrated view of the cost of risks to the organization ever being calculated. Leadership calls it risk acceptance. But can risks that haven’t been calculated truly be accepted? No. That’s nothing more than unstructured worry, like praying to Fortuna (lady luck) and hoping to avoid a bad day.

The good news is that you can structure and manage your worries. It requires finance and security to share, align, and prioritize strategic objectives. Those objectives consider how business opportunity and risk mitigation work together – particularly when under duress – and support making informed trade-offs when necessary. We call this alignment of objectives Cyber Resilience.

The Call To Cyber Resilience

To be successful in this digital economy, a company must now be Cyber Resilient and integrate its risk mitigation, risk acceptance, and risk transfer so it can take a hit without impacting its ability to deliver value. This requires operating from a core set of principles and practices that tear down the walls of isolated objectives, leading to an integrated and economically efficient approach to managing cyber risk.

The Five Principles Of Cyber Resilience

Cyber Resilience tolerates losses – within limits. This is different from most security strategies, which portray complete loss elimination as an end goal. Operating with shared, aligned, and prioritized objectives reveals what the business can tolerate losing – without incurring operational disruption. For example, “With this configuration of controls, we can live with a 5% chance of losing $10 million and a 1% chance of losing $25 million…”

Cyber Resilience connects security with insurance – avoiding silos. Security investments reduce the likelihood of loss. Insurance investments reduce impact. They work together (as opposed to in isolation) to keep risk within tolerance. That means they consider both the probabilities and dollar-based impacts expressed above as important trade-offs.

Cyber Resilience seeks capital efficiency – while preventing hazards. Over- or under-investing in protection leads to distraction – or worse. The former takes needed capital away from important business opportunities. The latter (negligence) threatens the business with outsized losses. Resilience optimizes return on controls and insurance so you can keep risk within your tolerance. The goal is to have a set of rank-ordered strategies that satisfy your needs while avoiding the pitfall of moral hazard.

Cyber Resilience makes cybersecurity visible – so it can be managed. Keeping risk within tolerance requires seeing what’s coming, counting the costs, and responding in kind. This starts with the integrated trio of threat intelligence, vulnerability management, and incident response. Security data is analyzed in relation to the financial losses your business may face. Losses include things like: a data breach, business disruption, extortion, wire-fraud and more. Analysis leads to optimized decisions – decisions that cut across investment strategies and day-to-day security operations.

Cyber Resilience incentivizes cyber hygiene – by maximizing ROI. What is good cyber hygiene? It’s security controls that target the value at risk. It’s also controls that meet industry standards – thus avoiding the perception of moral hazard. Control acquisition and rollout is rank-ordered based on return on investment (ROI). High-ROI controls reduce the most loss at the lowest cost. Maximizing ROI allows for more controls spread across more risks – which leads to better cyber hygiene. As an added bonus, demonstrable cyber hygiene leads to better insurance terms.

The Practices Of Cyber Resilience

If you want to be a cyber resilient leader, you need to not only embrace the principles of cyber resilience – you must develop the following practices:

Risk Superforecasting: Cyber resilient leaders are trained (like bookies) in risk forecasting. They use their forecasting skills to make accurate measurements and judgements about important (and often uncertain) events that can affect key objectives.

Calculating Value at Risk: Cyber resilient leaders know how to accurately gauge the potential losses they face from threats. Using superforecasting skills they assess the probabilities that threats materialize, and then evaluate the range of losses that may occur to the value their businesses expose.

Resilient Strategy Design: Cyber resilient leaders create strategies that minimize both the likelihood and impact of compromise. Strategies are economically efficient combinations of controls and insurance that keep risk within tolerance without introducing moral hazard.

Resilient Operations Measurement: Cyber resilient leaders know how to measure their operational strategies when put into action. Visibility coming from threat intelligence, the state of cyber hygiene, and value-at-risk is continuously analyzed. If risk tolerance is threatened, actions are taken to bring risk back within tolerance by adjusting security controls and insurance.

Resilient Communications: Cyber resilient leaders are trained to effectively quantify, qualify and communicate about cyber risks. They tell the money people and board what is needed and why (in economic terms) – and they have the operational data and analytics to defend their budgets when scrutinized.
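As an added worked example (not code from the article or from Resilience), the Python below puts the principles and practices above into numbers: it builds an exact annual loss distribution from constructed loss scenarios of the kinds the article names, checks it against the article’s tolerance statement (at most a 5% chance of losing $10M and a 1% chance of losing $25M), shows controls cutting likelihood while insurance cuts impact, and rank-orders controls by ROI. Every scenario, control and insurance figure is a constructed placeholder, not data from the article.

```python
from itertools import product
# Constructed illustration (not data from the article): independent annual loss
# scenarios drawn from the loss types the article names, as (probability, loss).
SCENARIOS = {
    "data breach":         (0.08, 12_000_000),
    "business disruption": (0.05, 20_000_000),
    "extortion":           (0.10,  6_000_000),
    "wire fraud":          (0.15,  1_500_000),
}
# Constructed controls: (scenario targeted, likelihood reduction, yearly cost).
CONTROLS = {
    "payment verification + MFA": ("wire fraud",          0.80,  50_000),
    "immutable backups":          ("business disruption", 0.60, 200_000),
    "EDR rollout":                ("extortion",           0.50, 300_000),
    "DLP programme":              ("data breach",         0.25, 400_000),
}
# The article's tolerance statement: at most 5% chance of losing $10M, 1% of $25M.
TOLERANCE = ((10_000_000, 0.05), (25_000_000, 0.01))

def loss_distribution(controls=(), insurance=None):
    """Exact retained-loss distribution over all 2^n independent scenario outcomes."""
    probs = {name: p for name, (p, _) in SCENARIOS.items()}
    for target, reduction, _ in (CONTROLS[c] for c in controls):
        probs[target] *= 1 - reduction          # controls reduce likelihood
    dist = []
    for outcome in product([False, True], repeat=len(SCENARIOS)):
        p, loss = 1.0, 0
        for (name, (_, amount)), hit in zip(SCENARIOS.items(), outcome):
            p *= probs[name] if hit else 1 - probs[name]
            loss += amount if hit else 0
        if insurance:                            # insurance reduces impact
            retention, limit = insurance
            loss -= min(max(loss - retention, 0), limit)  # insurer's recovery
        dist.append((p, loss))
    return dist

def exceedance(dist, threshold):
    return sum(p for p, loss in dist if loss >= threshold)
def expected_loss(dist):
    return sum(p * loss for p, loss in dist)

def within_tolerance(dist):
    return all(exceedance(dist, amount) <= prob for amount, prob in TOLERANCE)

def rank_controls_by_roi(insurance=None):
    # ROI = expected loss avoided per dollar of control cost, with insurance in place
    base = expected_loss(loss_distribution((), insurance))
    roi = {name: (base - expected_loss(loss_distribution((name,), insurance))) / cost
           for name, (_, _, cost) in CONTROLS.items()}
    return sorted(roi.items(), key=lambda kv: kv[1], reverse=True)
```

With these placeholder figures neither the full control set nor a $2M-retention/$8M-limit policy alone brings the $10M threshold under 5%, but the two together do, which is the “work together, not in isolation” point in numbers.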

Creating a new role around Director, Cyber Resilience

We believe that the principles and practices of cyber resilience necessitate a new leadership role. We are notionally calling it the Director, Cyber Resilience. It sits between finance, security and risk management. The role’s leveling is based on the dual strategic and operational nature of the job.

Strategically, the Director is responsible for developing a cyber resilient strategy. That is an executive function that collaborates across CFOs, Risk Managers, and CISOs.

Operationally, the job includes ample amounts of analytics to support decision making and alerting. Visibility coming in from security operations like threat intelligence, vulnerability management, and incident response is analyzed in relation to value exposure. Results from analytics are used to determine (and alert) if risk is out of tolerance.

Ultimately, the Director’s objective is keeping cyber risk within tolerance. They are accountable for governing that process. That means they work with the responsible organizations by doing the following:

  • Advocating for cybersecurity capabilities that are economically efficient, target value at risk, and avoid moral hazard – all informed by continuous operations analysis and backed by a resilient strategy.
  • Recommending changes to insurance limits and related coverage – helping to keep risk within tolerance in conjunction with recommended cybersecurity capabilities.
  • Transferring and/or mitigating risk that has accumulated under the guise of “risk tolerance” and that can lead to loss and the ensuing perception of moral hazard.

Conclusion

“Necessity, the mother of all inventions.” – Plato.

Risk leaders must make trade-offs. They must respond responsibly to economic headwinds. And they must react to the myriad threats created by digital transformation. A cyber resilient leader makes those trade-offs without exacerbating loss or incurring moral hazard. They operate from a set of principles that emphasize building economically efficient strategies. Efficiency maximizes return on security controls and insurance together – protecting the value the business puts at risk. In day-to-day practice, the resilient leader uses modern analytics fueled by increased cyber visibility – responding to risk that threatens to exceed business tolerance.

This is how the resilient principles and practices define “The Cyber Resilient Leader.” It’s a modern role for modern organizations – purposed to navigate trade-offs while staying resilient in the face of financial and digital duress.
