
A proactive approach to cyber risk management

Watch this video from Korn Ferry.

What is important is that Korn Ferry is an organization that works with and advises boards and top executives.

 

They are right when they say that the CEO has to be proactively involved and that cyber is not an issue to be left to the techies, even the CIO, CTO, or CISO.

Let me repeat that: it is not an issue to be left to the CISO. The involvement of the entire leadership team is required to understand how a breach can affect the business and to weigh that against other sources of risk.

 

They are right when they say cyber needs to be prioritized and treated the same way as any other risk.

 

But they don’t provide any practical guidance.

 

It is not sufficient to say that cyber risk is high, medium, or low.

The leaders of the organization need to be able to determine the right level of resources to allocate to cyber defense and response; the right level of attention at board and executive committee level; and what should be communicated to shareholders and others.

It is important for practitioners and leaders to focus on the risk to the business, and not get hyped up by breach headlines or by eager consultants.

 

Resources and attention should be allocated commensurate with the potential for a cyber problem to affect the business.

Resources and attention should be allocated in priority relative to other sources of risk and opportunity.

But it is important to recognize that cyber is only one of several sources of risk to specific enterprise objectives.

Treating cyber risk in a silo (ignoring the need to consider the total level of risk and opportunity as leaders work to achieve objectives) is not going to result in the right decisions being made.

 

In Making Business Sense of Technology Risk, I point out the flaws in the siloed approach in the ISO, NIST, and FAIR standards. To be fair (pun intended) FAIR points out that even after the end product of their methodology is completed (a prioritized list of risks), a challenge remains in providing business leadership and the board with the information they need to understand how it all might affect success.

 

Rather than providing a prioritized list of high/medium/low risks, provide leadership with the information they need to make strategic and tactical business decisions.

Help them understand, within the context of competing demands for resources, what is the right level of investment, time, and so on they should make in cyber.

Help them understand when it makes sense to invest more and when it is right to take the risk.

 

I welcome your comments.

  1. Anonymous
    July 28, 2019 at 8:36 PM

    Dear Norman, personally I would think that the BOD must set the criteria of how secure the company’s ICT is, on a scale of 1 to 10, the latter being USA Pentagon level of protection. Once this is established, then there is a basis to request the investment to achieve the AGREED scale. Gary Lim

    • Norman Marks
      July 29, 2019 at 6:25 AM

      Gary, of what use is a 1-10 scale in terms of prioritizing cyber compared to other sources of business risk, such as being late to market with a new product, delays in deploying advanced automation, or competitor activities such as a price cut? The point of my post is that boards need better information so they can set the criteria – and not do so in a vacuum but considering the big picture.

      • Gary Lim
        July 31, 2019 at 1:23 PM

        Norman, the issue of a vacuum does not arise, because the Person In Charge (PIC) of IT must brief the Senior Management Team of any concerns on the IT system; if this hurdle is overcome then the next level is the BOD. IT is linked to almost all the activities within an organization; a cyber attack on the IT will definitely affect the launch of new products and surely the automation process, which is a subset of the organization’s IT. A scale, if provided, would avoid wasting time considering protections or procedures which are too extreme. The case you quoted on removing the use of mobile handphones is an excellent example.

  2. July 29, 2019 at 1:45 AM

    I fully agree. IT (broadly) can provide a set of supporting solutions – but cyber risk management affects the business well beyond IT (leak of confidential data, hacking, … the list is endless) and actions to be taken affect everyone in the organisation from frequent change of passwords to limiting what people can do using IT technology.

    I know of a company where …

    – Employees (at any level including the CEO) cannot download software to their PCs themselves. All software used has to be vetted and rolled out through systematic IT processes. I know of software requests that have been turned down for security reasons.

    – When e.g. product developers or engineers need to take photos of new products/parts/equipment or the like, they must use a digital camera and upload the images to the company servers – they cannot use their phones due to their auto up-link to the cloud, whereby data are accessible outside the company firewall and processes.

    – Leaving computers unlocked will lead to reprimands, warnings and, in repeat instances, dismissal from the company.

    – Employees are not allowed to comment on social media on company issues unless they have passed a “social media driver’s licence”.

    Invasive … true, and so be it.

    • July 29, 2019 at 6:02 AM

      I love your views!

    • Norman Marks
      July 29, 2019 at 6:27 AM

      There is a point where being cyber risk averse hinders the company from success.

      Last week, I was with a company in the NW. I asked the risk folk I was talking to if they wanted to reduce risk to so-called acceptable levels. If so, I would take their mobile phones from them. They realized that they need to be prepared to take the risk when outweighed by the benefits.

      • July 30, 2019 at 12:49 AM

        A fantastic illustration! Completely agree that too often the CISO or CIO is tasked with taking strategic decisions that should be reserved for the CEO in respect of Cyber and Technology risk, simply because they are the SMEs. Trying to be a suitable ‘interpreter’ in second line can prove a challenge (especially if not from a Technology background), but framing conversations with Risk Owners as how the risks may affect the achievement of BUSINESS objectives (rather than just the team’s own) has really helped drive effective conversations at Board and Risk Committee level.
