Home > Risk > Treating cyber as a business problem

Treating cyber as a business problem

September 23, 2018 Leave a comment Go to comments

This post is about wisdom on the one hand and thinking and practices that are less than wise on the other.

I was reading through a 2016 article in the online CSO magazine, CISOs bridge communication gap between technology and risk, when I found these:

Grant Thornton’s Chief Information Security Officer (CISO), said:

“…boards are starting to understand that security is another risk to an organization. It’s not really just an IT issue. The impact that cybersecurity incidents can have on the organization has put it in the same class as other risks to the organization because it can be just as damaging.”

The article also has:

“   at its core, security is an executive level business problem. [James Christensen, vice president of information risk management for Optiv says] “Five years ago that never would have been a part of the conversation, but now the more successful CSOs are doing this.”

Steven Grossman, vice president of strategy and enablement at Bay Dynamics says:

“The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos”.

He also says:

“I need to understand the business goals. I am speaking to them in terms that they are going to understand.”

 

This makes total sense to me.

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language. To me, that means talking about the potential effect on enterprise objectives.

How else does a CISO help leaders decide between investing in cyber protection, a new product, an acquisition, a marketing initiative, and so on?

 

Now let’s see what EY has to say in Understanding the cybersecurity threat, perspectives from the EY cybersecurity Board summit.

EY does well by citing the National Association of Corporate Directors’ five principles from their Cyber-Risk Oversight: Director’s Handbook series. The first principle is on the right lines:

Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

I believe that it is not sufficient to talk about an “enterprise risk management issue”. We should be talking about managing the organization for success. Considering what might happen (risk) is part of how you set and then execute on objectives and strategies.

But apparently that this not how the delegates at the EY conference think.

The number two takeaway from the Summit is:

The board’s role is not cybersecurity risk management; it is cybersecurity risk oversight.

No.

The board’s role is to provide oversight of how management achieves objectives.

As I keep repeating:

It’s not about managing risk. It’s about managing the organization for success!

There will be times when the board should tell management to take the cyber risk because the monies it would take to reduce cyber risk further are better spent elsewhere, such as on new product development.

If we believe that cyber is a business risk, then let’s act like it is.

Find a way to assess and talk about cyber risk in a way that enables informed and intelligent decisions that weigh those and other business risks against the rewards for taking risk.

Work with operating management to understand how a breach might affect what they are doing and what they plan to do.

Help them make informed and intelligent strategic and tactical decisions.

I welcome your thoughts.

Advertisements
  1. September 24, 2018 at 12:41 AM

    Spot on. Amazing how many people think cyber is it’s own thing that deserves special treatment while these same people are not prepared to change how they make decisions

  2. September 24, 2018 at 2:33 AM

    Many people still think that IT related issues – in this case, potentially materializing cyber threats -are to be dealt with by IT folks and simply divert their attention from it, either from considering it second-rate or too boring to address. There are some signs that some firms are indeed changing and you’ve touched on some crucial topics in your article. Thanks again for your views on such an important manner.
    Regards

    Antonio
    http://riskmanagementguru.com

  3. September 24, 2018 at 4:53 AM

    The key phrase that needs a more detailed look at is “cybersecurity convergence”. This phrase connotes that transition that a company knows must take place across all enterprise functions and roles to understand the mission-critical threat that cyber crime and cyber warfare represent to achieving business objectives. The powerful combination of the NIST Cybersecurity Framework and the NIST Baldrige Cybersecurity Excellence Builder form a nice duo that, together, allow a company to get started on the journey to cyber convergence even though the phrase is never used in either one.

    • Norman Marks
      September 24, 2018 at 7:40 AM

      As I will explain in my upcoming book, the NIST guidance leads you to assess risk to critical information assets rather than enterprise objectives. That is not actionable information for leaders.

      • September 24, 2018 at 8:21 AM

        The NIST CSF may give you this risk-centric feeling and I agree. But when CSF is coupled with the NIST BCEB… the focus then shifts to the accomplishment of business objectives.

        The two frameworks work hand-in-glove to help organizations understand that a core set of cyber controls need to be implemented as a top business objective and as an enabler for all other business objectives.

        That’s why I believe that the phrase “Cyber Convergence” is so important. It brings the two worlds together (business objectives accomplishment and cyber risk) in a way that makes sense out of the extraordinary danger that cybercrime / warfare pose to business.

        • Norman Marks
          September 24, 2018 at 8:40 AM

          Thank you for sharing the BCEB. It looks useful. But there is still the problem that I mentioned before. If it identifies a need for an upgrade to cyber programs, how does leadership compare that need to the need for resources in product development, marketing, or elsewhere? Only by explaining the effect on enterprise objectives, or perhaps on a business initiative essential to achieving those objectives, can this be done.

  4. GSosbee
    September 24, 2018 at 5:10 AM

    Outside of the CEO, organizations still have a tendency to silo everything, and once siloed it is very difficult to break the silo. Cyber is no different from financial hedging as both tend to be siloed, but the actions in both have consequences for the enterprise and should be managed as such.

  1. September 23, 2018 at 9:38 PM
  2. September 25, 2018 at 11:44 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: