Home > Risk > Risk-based cyber risk reporting

Risk-based cyber risk reporting

February 15, 2020 Leave a comment Go to comments

I encourage you to subscribe (free) to McKinsey’s frequent reports. Their latest, Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity has some good observations. Unfortunately, their ideas for addressing the problem don’t work for me.

Here are some excerpts I like:

  • …cyberrisk reporting at many companies is inadequate, failing to provide executives with the facts they need to make informed decisions about countermeasures.
  • Because of the information gaps, managers often apply a standard set of controls to all company assets. As a result, low-priority assets can be overprotected, while critical assets remain dangerously exposed.
  • In one survey, more than half of executive respondents said cybersecurity reporting was too technical for their purposes.
  • Cyberrisk reports were compiled by IT specialists for other IT specialists. As a result, the reports were very technical in nature and provided little to no guidance for executive decision making. Executives found that the reports did not help them interpret how cyberrisk is related to other risks the institution faces, such as legal or financial risks.
  • The reporting was structured by systems, servers, and applications rather than by business units, business processes, functions, countries, or legal entities.
  • The executives had no clear sense of the overall magnitude of the risk from cyberattacks, malware, and data leaks.
  • Cyberrisk managers found it difficult to decide on the areas of focus for cybersecurity investments or to justify their ultimate decisions to the board.

This is why I wrote Making Business Sense of Technology Risk.

The people running the business need to know how technology-related risk[1], especially (but not limited to cyber-related risk) might affect the achievement of their objectives. They need to know how to include it with other sources of risk and know where to spend scarce resources.

For example, should they budget an additional $1,000,000 to address what the CISO says are high risks, or should they spend that money to address trade compliance risk (which could result in their being shut down in an important region) or on a marketing campaign to drive revenue?

What if the cyber-related risk created by a new office appears to be acceptable, but when you realize that there are multiple new (non-cyber) risks that should also be considered, the right decision is to delay opening the office?

By the way, this last point illustrates one of the problems with the concept of risk appetite as promoted by COSO and others. In the last example, cyber-related risk is deemed to be acceptable. Let’s say there are potential customer relationship, compliance, and financial reporting issues as well. Each individually may be acceptable, but when management looks at the big picture (which requires that the information on each is not only comparable but can be aggregated in some way – I prefer based on their individual and cumulative effect on specific objectives), they decide the total potential downside is not justified by the potential upside.

My point is that all assessments of what might happen (aka risk) should be made based on how the achievement of business objectives might be affected. (This is discussed in detail in the book, far more than I can put in a blog post.)

But McKinsey falls into the same trap as some of the standards written by techies for techies (in other words, not written for leaders of the organization; not written to provide decision-makers with the information they need to make informed and intelligent business decisions. In fact, I have yet to see a standard or other guidance that tells you to ask them what they need).

Here are some excerpts (my highlights), where they go astray:

  • Make the cyberrisk status of the institution’s most valuable assets fully transparent, with data on the most dangerous threats and most important defenses assembled in a way that’s accessible and comprehensible for nonspecialists. [ndm: the last point is good, but the focus is on information assets instead of on enterprise objectives.]
  • Provide decision makers with a risk-based overview of the institution so they can focus their cybersecurity investments on protecting the most valuable assets from the most dangerous threats. [ndm: protect the business and its objectives, not just information assets.]
  • The company subjected only its most critical, most vulnerable assets (class one) to the full arsenal of controls—from multifactor user authentication to deleting, after 24 hours, the accounts of anyone who left the company. By contrast, it applied only basic controls to the least critical assets.

McKinsey follows this up with a heat map! Of course, it is going to be interesting information for techies, but fails to relate how any incident (or series of incidents) might affect the business and its objectives. There’s no way this information can be added to other sources of risk to help leaders make sound business decisions.

McKinsey rails about techies developing reports for techies and then does the same thing.

Instead, figure out what leaders need to know about cyber-related risk if they are to make informed and intelligent decisions?

  • Should they invest in cyber vs marketing?
  • Should they proceed with opening that new office?
  • How likely is it that a breach would seriously impair the achievement of enterprise objectives – including how it would affect the metrics on which the analysts rate the company and the board determines their bonuses?

I welcome your thoughts.

[1] I hate to use the 4-letter ‘r’ word, but am doing so to help people understand this particular issue.

  1. Roger Estall
    February 15, 2020 at 11:49 AM

    Interesting observations thanks Norman but with the potential for sounding like a cracked record, isn’t it the very fact that they have used the ‘r’ word that explains the fundamental difference between what you are saying and what they are saying.
    You and McKinsey are labelling different ideas with the ‘r’ word. Who knows who is right but imagine if they hadn’t used it, they would have had to use plain words which would have identified that their article was about cyber technology [in itself, arguably, another bit of jargon] and you would have used plain words to say that from an organisational point of view, it is the overlay of the characteristics (and any weaknesses) of the technology, and reporting on thereof, on achieving the organisation’s purpose that matters. More likely, however, if they had NOT used the ‘r’ word they would have realised the very issues that you are raising.
    And this is the single greatest problem with the ‘r’ label. It obscures rather than enlightens.

  2. February 17, 2020 at 12:41 AM

    The or one of the problems is that cyber security starts with IT and IT language. Every firewall at the gate of the internet receives maybe up to a million hits a day. But that number says nothing when an attacker is able to pass by.
    Also security is build by layers. They should protect both high and low value assets. If they don’t, attackers will use the less protected low value assets to go from there to the high value assets. See the number of succesfull phishing attacks through 1FA protected webmail where high value assets are protected by 2FA.
    You need to think in attack surface and access paths next to threats and vulnerabilities when dealing with cyber risk.

  3. Madina Bazarova
    February 17, 2020 at 1:57 AM

    I agree with Norman, very often cyber risks are considered as IT realm and therefore to be dealt with by IT specialists/departments while all the examples of successful cyber attacks point to them having severe business impact. Another factor here I think is perhaps lack of understanding/expertise of cyber risks at a Board level to drive the ownership of cyber related risks by management.

  4. Saad
    February 18, 2020 at 9:20 AM

    Assigning risk appetite/favorable risk is an ongoing task.

    • Norman Marks
      February 18, 2020 at 9:21 AM

      For what purpose? Its not a great tool

  1. February 18, 2020 at 3:51 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: