Cyber security and the board
In December, I will be presenting on the topic of how much an organization should spend to address its cyber risk.
So, every publication on the topic is getting a little more attention from me than usual.
A software vendor (a new one for me), Delta Risk, recently published a white paper aimed at helping boards address the issue of cyber.
Cyber Security and the Board of Directors (registration required) focuses on financial services organizations.
That is an important point to make because the risk of damage from a cyber breach is generally high for financial services organizations. It is not always as high when it comes to manufacturing, for example.
While I respect the professionals who wrote this paper, I don’t agree with all their points.
For example, they say that the board and its members should be educated on cyber.
That sounds logical, but is it?
Should the board have a greater level of technical knowledge when it comes to cyber than the CEO, CFO, or COO?
Can the board, even if a member has cyber expertise and experience, possibly stay up-to-date?
Isn’t it better by far to obtain assurance that the issues surrounding cyber are being addressed, meaning that:
- The top executives are engaged and have a sufficient understanding to make sensible business decisions around cyber
- Those responsible for information security have the experience, tools, resources, and so on they need to manage the risk at acceptable levels
Delta then suggests that cyber security be incorporated into the Risk Appetite Framework. They get it mostly right when they say:
The [Risk Appetite] Statement should broadly identify the information that is most valuable to the organization based on business considerations; legal and compliance requirements; the financial impact of denial, disclosure, loss, or other exploitation of that information; and other factors.
Risk needs to be expressed in terms of the potential for a breach to affect the achievement of the enterprise’s objectives. Understanding the information assets necessary to support the achievement of objectives is part of the journey, but not the entire journey.
Delta fails when they continue:
Corollary to identifying the information with the most business value is clarifying expectations on how this data is to be protected. Broad statements can be applied here such as “This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight.”
That statement says and means nothing.
Is management willing to spend every penny of revenue on security controls and operational insight? Of course not!
The next paragraph is:
The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., “…On-line banking is available to our customers 99.9 percent of time throughout the year.”) or other business services may be appropriate.
Risk practitioners know that the statement is missing an expression of likelihood.
The statement as shown is an objective. How much risk to that objective is acceptable?
In this environment, where we know for a fact that we cannot provide 100% assurance that a breach can be prevented, let alone detected on a timely basis, are we willing to accept a 5% likelihood that a hacker will disrupt the business? How about a 10% likelihood?
Delta is not the only firm that talks about establishing cyber metrics. While it can be useful to monitor completion of policies and procedures, training and so on, how do you measure the ability to detect a breach?
You can have world-class cyber programs and suffer a breach while the negligent competitor down the road escapes.
I don’t find this section useful.
I think it would be better to ask management:
“How do you know whether your information security program is effective? How do you measure it?”
The paper has a section on the very important topic of integrating cyber into enterprise risk management.
But I would do it differently.
We are talking about risks to objectives so we need to consider the effect of all risks on each objective.
Integration is not simply adding cyber to the risk register.
Integration is achieved when business decisions are made with due consideration of all risks, including cyber.
So, how much should an organization spend on cyber?
My general theme will be:
- This is a business decision
- Understand the level of risk to the enterprise and its business objectives
- What is an acceptable level of business risk? Consider compliance requirements and the cost of non-compliance
- What are the options?
- How much will spending affect the level of risk? Is there a return on additional investment?
- Is there an option that makes more sense than others?
- Monitor and review very frequently, as risks change at blazing speed
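To make the arithmetic behind these questions concrete, here is an added example (mine, not from the post or from Delta Risk). It models one objective, a likelihood and impact for a disruptive event, a set of spending options, and a risk appetite expressed as a maximum acceptable annual likelihood, then asks which option is the cheapest one within appetite and whether the extra spending returns more than it costs. All figures, option names and likelihood estimates are constructed assumptions for illustration.

```python
"""Comparing cyber spending options against a stated risk appetite.

Added example, not from the post or from Delta Risk. Every number below is a
constructed assumption used only to show the reasoning: current risk to an
objective, acceptable risk, the options, and whether additional spending buys
a worthwhile reduction in risk.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """A loss scenario tied to a business objective."""
    objective: str
    annual_likelihood: float   # probability of at least one disruptive event per year
    impact: float              # estimated loss per event, in currency units

    def expected_loss(self) -> float:
        """Annual expected loss before any additional investment."""
        return self.annual_likelihood * self.impact


@dataclass(frozen=True)
class Option:
    """A control investment and the residual likelihood it is assumed to leave."""
    name: str
    annual_cost: float
    residual_likelihood: float


def residual_loss(scenario: Scenario, option: Option) -> float:
    """Annual expected loss that remains after the option is implemented."""
    return option.residual_likelihood * scenario.impact


def return_on_investment(scenario: Scenario, option: Option) -> float:
    """Expected loss avoided per unit of spend; below 1.0 the option costs more than it saves."""
    avoided = scenario.expected_loss() - residual_loss(scenario, option)
    if option.annual_cost == 0:
        return float("inf") if avoided > 0 else 0.0
    return avoided / option.annual_cost


def choose_option(scenario: Scenario, options: List[Option],
                  appetite_likelihood: float) -> Optional[Option]:
    """Cheapest option whose residual likelihood is within the stated appetite.

    Returns None when no option is acceptable: that gap is itself a finding
    the board needs to hear, rather than something to paper over.
    """
    acceptable = [o for o in options if o.residual_likelihood <= appetite_likelihood]
    if not acceptable:
        return None
    return min(acceptable, key=lambda o: o.annual_cost)


# Constructed sample data (assumptions, not figures from the post or the paper).
ONLINE_BANKING = Scenario(
    objective="Online banking available to customers 99.9% of the time",
    annual_likelihood=0.30,   # assumed chance of a disruptive incident in a year
    impact=4_000_000.0,       # assumed loss per incident
)

OPTIONS = [
    Option("Do nothing", annual_cost=0.0, residual_likelihood=0.30),
    Option("Baseline controls", annual_cost=150_000.0, residual_likelihood=0.10),
    Option("Enhanced controls", annual_cost=900_000.0, residual_likelihood=0.03),
    Option("Maximum controls", annual_cost=2_500_000.0, residual_likelihood=0.01),
]


def summarize(scenario: Scenario, options: List[Option]) -> List[dict]:
    """One row per option: residual risk, residual expected loss and return on spend."""
    return [
        {
            "option": o.name,
            "cost": o.annual_cost,
            "residual_likelihood": o.residual_likelihood,
            "residual_loss": residual_loss(scenario, o),
            "roi": return_on_investment(scenario, o),
        }
        for o in options
    ]


if __name__ == "__main__":
    print(f"Objective: {ONLINE_BANKING.objective}")
    print(f"Current expected annual loss: {ONLINE_BANKING.expected_loss():,.0f}")
    for row in summarize(ONLINE_BANKING, OPTIONS):
        print(f"{row['option']:<18} cost {row['cost']:>12,.0f}  "
              f"residual likelihood {row['residual_likelihood']:.0%}  "
              f"residual loss {row['residual_loss']:>12,.0f}  roi {row['roi']:.2f}")
    for appetite in (0.05, 0.005):
        pick = choose_option(ONLINE_BANKING, OPTIONS, appetite)
        print(f"Appetite {appetite:.1%}: {pick.name if pick else 'no option is within appetite'}")
```

With a 5% appetite the cheapest acceptable option is the enhanced one, even though the baseline option has the highest return per unit spent; with a 0.5% appetite none of the options qualifies, which is the answer the board should be told rather than have hidden behind a "most stringent controls" statement.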
By the way, a recent piece in SC Magazine included a useful quote about organizations that seek only to meet regulatory requirements:
“Think about [cybersecurity] divorced from the regulatory landscape,” said David Glockner, regional director at the U.S. Securities and Exchange Commission’s Chicago Regional Office, which has its own set of guidelines for publicly traded companies. Rather, “Think about it from a business perspective: What is your most sensitive information? What are your most sensitive operations and what vulnerabilities do you have? And thinking about how you protect what’s critical to your business operation in most instances is going to get you most, if not all of the way, toward being… compliant.”