By Shankar Bhaskaran, Managing Director, India, MetricStream
With the risk landscape growing more complex, boards have realized that cyber risk can pose a significant operational threat to the business. A 2022 Gartner survey of boards of directors found that 88% of respondents considered cybersecurity risk a business risk. While it is encouraging to see boards viewing cyber risk as business risk, business leaders may still not be involved in crucial cybersecurity decisions.
The Gartner report observes that business leaders in an organization are not accountable for the organization's security; it is usually the IT leadership, mainly CISOs or CIOs, that is held responsible for cybersecurity. Yet business leaders make decisions every day, and many of those decisions can expose the organization to threats, especially when they are made without consulting the CIO or CISO.
Cybersecurity needs to be a business decision. This can only happen if accountability and decision-making become a shared responsibility within the organization. Here is how organizations can manage cybersecurity as a business decision.
Enabling cyber-risk-appetite conversations
While managing cybersecurity, organizations face two major risk decisions: how much cyber risk is the organization willing to accept, and how will it achieve the desired level of risk exposure?
These decisions should be made by business leaders. But not all business leaders are technology-savvy; for example, they may not know how to evaluate risk exposure. CIOs and CISOs need to get involved to help non-technology stakeholders understand the business impact in terms of operational outcomes.
By deploying strong risk management programs, CIOs and CISOs can help non-technology business leaders understand their risk appetite better. By proactively identifying the risks that matter and building robust controls around them, they can help business leaders decide on measures that lead to greater resilience and better business performance.
Cyber risk quantification techniques and tools that communicate risk in a simple, easy-to-understand way are useful for expressing, in monetary terms, how much operational disruption the business is willing to accept.
Risk quantification models such as Factor Analysis of Information Risk (FAIR™) can help organizations translate data risks into financial risks. FAIR is an international standard quantitative model for information security and operational risk assessment. It helps organizations understand, analyze, and quantify risk as financial impact, and it is a comprehensive approach to risk management that considers the diverse and deep impact of security breaches and threats.
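To make the idea of a monetary risk appetite concrete, here is an added example (not from the article, MetricStream, or the FAIR standard's own tooling) of a simplified FAIR-style estimate: each loss scenario is described with three-point estimates of loss event frequency and loss magnitude, a Monte Carlo run produces a distribution of annual loss, and the tail of that distribution is compared with the appetite the business has set. The scenario, its figures, the use of triangular distributions and the multiplication of frequency by magnitude are simplifying assumptions for illustration; the full FAIR taxonomy decomposes both factors further.

```python
import random
from dataclasses import dataclass

# Added example: a simplified FAIR-style Monte Carlo estimate of annualised loss
# exposure. Names, distributions and figures below are assumptions for
# illustration, not the FAIR standard's full taxonomy or any real organisation's data.


@dataclass
class Scenario:
    """One loss scenario described with three-point (min / most likely / max) estimates."""
    name: str
    lef_min: float      # loss event frequency: loss events per year
    lef_likely: float
    lef_max: float
    lm_min: float       # loss magnitude: cost per event, in currency units
    lm_likely: float
    lm_max: float


def simulate_annual_loss(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss per trial.

    Each trial draws a loss event frequency and a loss magnitude from
    triangular distributions built from the three-point estimates and
    multiplies them (annual loss = events per year * loss per event).
    A fixed seed keeps the run reproducible for a report.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = rng.triangular(scenario.lef_min, scenario.lef_max, scenario.lef_likely)
        lm = rng.triangular(scenario.lm_min, scenario.lm_max, scenario.lm_likely)
        losses.append(lef * lm)
    return losses


def percentile(sorted_values: list[float], p: float) -> float:
    """Nearest-rank percentile on an already sorted list (p in 0..100)."""
    k = max(0, min(len(sorted_values) - 1, round(p / 100 * len(sorted_values)) - 1))
    return sorted_values[k]


def summarize(losses: list[float]) -> dict[str, float]:
    """Statistics a board-level report would carry: expected loss and tail percentiles."""
    s = sorted(losses)
    return {
        "mean": sum(s) / len(s),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),
        "p95": percentile(s, 95),
        "max": s[-1],
    }


def within_appetite(summary: dict[str, float], appetite: float, metric: str = "p90") -> bool:
    """Compare the chosen statistic against the monetary risk appetite set by the business."""
    return summary[metric] <= appetite


if __name__ == "__main__":
    # Constructed scenario: a ransomware outage of an order-processing system.
    ransomware = Scenario("ransomware outage", 0.1, 0.5, 2.0, 50_000, 250_000, 2_000_000)
    stats = summarize(simulate_annual_loss(ransomware))
    for k, v in stats.items():
        print(f"{k:>5}: {v:>14,.0f}")
    for appetite in (100_000, 1_500_000):
        verdict = "within" if within_appetite(stats, appetite) else "exceeded"
        print(f"appetite {appetite:,}: {verdict}")
```

The choice of which statistic to compare with the appetite (mean, 90th or 95th percentile) is itself a business decision: a board that tolerates a bad year only one time in ten would anchor on p90, which is why `within_appetite` takes the metric as a parameter rather than hard-coding it.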
Setting operational thresholds based on risk appetite
Once business stakeholders have set their risk appetite, technology risk leaders take the lead in articulating how to bring residual risk within tolerable limits. CISOs do much of that translation themselves. They need to find out where the risk is primarily coming from, that is, study the root causes and sources of risk: whether insecure employee behavior, poor control hygiene, or something else is the leading indicator of risk, and what thresholds to set for each.
Technologies such as enterprise risk management (ERM) software can be used to measure and track key risk indicators (KRIs), key control indicators (KCIs), and key performance indicators (KPIs), and to set operational thresholds for them. An integrated risk management approach powered by analytics and automation gives organizations a clearer view of, and actionable insight into, existing and future risks, making it easier to assess their impact on the business. Armed with this data, organizations can power through crises with agility and responsiveness, making risk-aware decisions proactively.
Reporting back to senior stakeholders
Communication is an important aspect of cybersecurity as a business decision.
The Gartner report suggests using leading and lagging indicators to communicate adherence to risk appetite to senior stakeholders. Lagging indicators, such as hours of operations lost, show whether the realized impact of cyber-related risks lies within or outside the tolerance range. Leading indicators, by contrast, communicate whether the chances of future loss are increasing, decreasing, or staying the same.
Technology leaders should be able to provide the business with a panoramic view of risks and trends that helps decision-makers respond faster to emerging risks or changing risk profiles. Interactive executive dashboards and advanced visualization of key metrics give access to real-time information from risk management systems across the organization. CISOs and CIOs should also go beyond the metrics and indicators to create a functional narrative that helps business executives make informed decisions.
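The two preceding ideas, operational thresholds on key indicators and reporting leading versus lagging indicators back to senior stakeholders, come together in an added example below (not the article's or any ERM product's code). Each indicator carries a warning and a tolerance threshold; the latest observation is mapped to a green/amber/red status, and the movement across the observation window is reported as the direction of risk, with the sign flipped for indicators where a falling value means rising risk. The indicator names, values and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Added example: evaluating key risk indicators against operational thresholds
# and reporting status plus trend. Indicator names, values and thresholds are
# constructed for illustration, not taken from any product or organisation.


@dataclass
class Indicator:
    name: str
    kind: str                 # "leading" (predicts future loss) or "lagging" (records realised impact)
    values: list[float]       # recent observations, oldest first
    warning: float            # amber threshold
    tolerance: float          # red threshold: outside the business's tolerance range
    higher_is_worse: bool = True


def status(ind: Indicator) -> str:
    """Map the latest observation to green / amber / red against the thresholds."""
    latest = ind.values[-1]
    if ind.higher_is_worse:
        if latest >= ind.tolerance:
            return "red"
        if latest >= ind.warning:
            return "amber"
        return "green"
    if latest <= ind.tolerance:
        return "red"
    if latest <= ind.warning:
        return "amber"
    return "green"


def trend(ind: Indicator, noise_pct: float = 10.0) -> str:
    """Direction of risk over the window: 'increasing', 'decreasing' or 'stable'.

    The relative change between the first and last observation is compared
    with noise_pct so that small movements are reported as stable. The sign
    is flipped for indicators where a falling value means rising risk.
    """
    first, last = ind.values[0], ind.values[-1]
    if first == 0:
        change = 0.0 if last == 0 else 100.0
    else:
        change = (last - first) / abs(first) * 100
    if not ind.higher_is_worse:
        change = -change
    if change > noise_pct:
        return "increasing"
    if change < -noise_pct:
        return "decreasing"
    return "stable"


def report(indicators: list[Indicator]) -> list[dict[str, str]]:
    """One row per indicator, in the shape an executive dashboard would consume."""
    return [
        {"indicator": i.name, "kind": i.kind, "latest": f"{i.values[-1]:g}",
         "status": status(i), "risk_trend": trend(i)}
        for i in indicators
    ]


if __name__ == "__main__":
    # Constructed quarterly observations for four indicators.
    sample = [
        Indicator("Operational hours lost to cyber incidents (per quarter)", "lagging",
                  [6, 9, 14], warning=8, tolerance=12),
        Indicator("Endpoints with overdue critical patches (%)", "leading",
                  [18, 15, 11], warning=10, tolerance=20),
        Indicator("Phishing simulation click rate (%)", "leading",
                  [4.0, 4.1, 3.9], warning=5, tolerance=8),
        Indicator("Privileged accounts reviewed in the last 90 days (%)", "leading",
                  [97, 92, 86], warning=90, tolerance=85, higher_is_worse=False),
    ]
    for row in report(sample):
        print(f"{row['status']:5} {row['risk_trend']:10} {row['kind']:7} "
              f"{row['indicator']} = {row['latest']}")
```

Reading the output the way the article suggests: the lagging indicator (hours lost) is red and rising, so realized impact is already outside tolerance, while the leading patch indicator is amber but improving, which tells the board that one source of future loss is being brought under control even though the quarter's losses were not.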
Ensure the business and its risk appetite are at the center of decision-making
To sum up, managing cybersecurity as a business decision is possible if organizations put the business and its cyber-risk appetite at the center of decision-making. Deciding the risk appetite in terms of business impact, setting thresholds, and communicating adherence are all crucial to the process.