
How can you explain cyber risk to the board?

Two recent pieces attempt to help with this question:

Reporting Business Risk to the Board of Directors is an interview with the former chair of RSA Security, Art Coviello, a recognized expert on cybersecurity who has served as an advisor to government agencies.

The other is Raising cyber risk to the enterprise level by Elizabeth Case, Managing Director of Marsh’s US Cyber Practice.

They both have some useful things to say, but I doubt they will help board members understand the level of risk and what they need to do about it. The latter is the big question.

Coviello tells us:

Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board. They can, but the burden, in large part, is going to be on them.

The answer, which Coviello attempts in vain to explain, is to discuss the risk in business terms. Yes, it is a business risk. But the way Coviello talks about it doesn’t work for me.

He asks:

What are the risks to your assets? What is the risk to your operations? What is the risk to your good name? What is the risk to your revenue attainment?

Sorry, but that’s not enough and his “best practices” don’t help.

Case sets the stage in similar fashion, saying:

Board members and C-suite executives, although not typically experts in technology, must take ownership of cyber risk, working in concert with critical organisational stakeholders, such as finance, legal, human resources, risk and information technology/security managers.

She also points out that according to a recent Marsh survey:

…only 19 per cent of corporate executives say they are highly confident in their company’s ability to prevent and respond successfully to a cyber event.

Case continues:

Another notable conclusion from the survey is that high quality information about how an organisation is assessing and managing its cyber risk, which is necessary for effective cyber risk management, is generally lacking at the executive level. That gap exists both in the flow of information – the volume and distribution of data to the board level – as well as in the form that information takes – the language used to express and measure cyber risk exposure. Too often, data about a firm’s cyber risk and mitigation efforts is communicated across the organisation in technical terminology that can be challenging for non-technical experts. Instead, cyber risk measurement should be framed in economic terms – the lingua franca of business.

Economic quantification enables cyber risk to be measured, expressed and understood in the common language of business and boardrooms. It shifts boardroom conversation of cyber risk from a technical discussion of threat vectors and system vulnerabilities to a data-driven analysis focussed on optimising a firm’s cyber capital allocation and reducing its total cost of risk. A quantified measurement of cyber risk also helps inform decision-making around cyber risk investments – technical mitigation and risk transfer – and allows for evaluation of the risk reduction return on investment. With hard numbers in hand, corporate leaders can consider how much to invest in cybersecurity, how much risk to transfer via insurance and how much risk the firm is willing to retain.

Many will agree with her that:

…cyber risk should be measured and expressed quantitatively to provide an objective assessment of the value at risk and allow for measurement of the return on the firm’s cyber investment – and for comprehension by key stakeholders.

This may work for some, but not for me. I like much simpler methods. How am I supposed to know that one number is OK and another is not? I want to understand the potential effect of a breach on my company’s success.

Finally, Case provides us with a list of questions for board members to ask of management. I think they are useful and recommend their consideration.

But as a board member I would want to know simple answers to some simple questions, such as:

How could a ransomware attack hurt us? What damage could be caused and for how long?

That would be followed by:

Is that the worst case?

How would it affect our earnings and other business objectives?

How likely is it?

Is that a risk we should take? If not, why not and can we do something about it that makes business sense – can we reduce the potential effect and/or duration at a reasonable cost?

Are there other possible levels of impact? Do we need to address them as well?

If we invest more to address this risk, what other investments are affected?

What happens if hackers find a new way to penetrate our systems?

I would ask similar questions about other effects on the business, such as:

What damage would be caused if a hacker stole our intellectual property?

How likely is that?

…and so on

Could a breach cause other damage to our business? If so, how severe could it be and for how long?

How likely is that?

…etc.

My approach is to consider the potential effects on the business and its objectives, which should be expressed as a range of effects, then ask about the likelihood of those effects. I then ask whether that is acceptable or not, and why I am given that answer. After that, I want to know what we should be doing and whether any further investment in cyber would affect other projects and initiatives.

Frankly, I don’t understand “quantification” of risk. A number says nothing to me when I am trying to make informed and intelligent business decisions.

I want to know whether the current situation, and what might happen in the future, is acceptable or not, why – and what we should be doing about it.

I welcome your thoughts.

  1. Osama Salah
    January 3, 2022 at 8:12 AM

    In regards to:
    Frankly, I don’t understand “quantification” of risk. A number says nothing to me when I am trying to make informed and intelligent business decisions.

    Quantification isn’t a single number, it’s a story told using distributions.
    It either answers questions you have raised directly or feeds into the answer, such as:

    1. How could a ransomware attack hurt us? What damage could be caused? -> You quantify the losses (ranges, distributions) and categorize them (productivity, fines, replacement, response, market share …)
    2. Is that the worst case? -> probability distributions, whatever the board is interested in: worst case, best case, most likely, 90% probability etc.
    3. How would it affect our earnings? -> quantification in $ facilitates modeling impact on earnings
    4. How likely is it? -> probability distributions
    5. Is that a risk we should take? If not, why not and can we do something about it that makes business sense – can we reduce the potential effect and/or duration at a reasonable cost? -> allows comparisons, aggregation
    6. If we invest more to address this risk, what other investments are affected? -> allows comparisons, aggregation
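An added example, written for this page and not taken from the post or either commenter, of the distribution-based story the comment above describes: a Monte Carlo model that turns constructed, illustrative per-category loss ranges and an annual event probability into median, 90th and 99th percentile losses and the chance of exceeding a stated risk appetite (all input figures are assumptions, not data from the post or the Marsh survey).

```python
import math
import random

# Constructed, illustrative inputs (not from the post or the Marsh survey): annual
# probability of a ransomware event, and a 90% range (low, high, $) per loss category.
EVENT_PROBABILITY = 0.15
LOSS_CATEGORIES = {
    "productivity": (200_000, 3_000_000),
    "response": (50_000, 800_000),
    "replacement": (20_000, 500_000),
    "fines": (10_000, 2_000_000),
}


def lognormal_params(low, high):
    """Map a 90% confidence range (5th..95th percentile) to lognormal mu/sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def simulate(trials=10_000, seed=42):
    """One simulated year per trial. Returns the total loss of each trial and
    the summed loss per category, so the story can say what drives the total."""
    rng = random.Random(seed)
    params = {c: lognormal_params(lo, hi) for c, (lo, hi) in LOSS_CATEGORIES.items()}
    totals, by_category = [], {c: 0.0 for c in LOSS_CATEGORIES}
    for _ in range(trials):
        if rng.random() >= EVENT_PROBABILITY:
            totals.append(0.0)  # no incident in this simulated year
            continue
        year_total = 0.0
        for cat, (mu, sigma) in params.items():
            loss = rng.lognormvariate(mu, sigma)
            by_category[cat] += loss
            year_total += loss
        totals.append(year_total)
    return totals, by_category


def summarize(totals, appetite):
    """Turn the loss distribution into the answers the board asked for."""
    ordered = sorted(totals)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {
        "p_any_loss": sum(t > 0 for t in totals) / len(totals),
        "median_loss": pct(0.50),
        "p90_loss": pct(0.90),
        "p99_loss": pct(0.99),  # a defensible "worst case", not the single max
        "p_exceeds_appetite": sum(t > appetite for t in totals) / len(totals),
    }
```

With these inputs the median annual loss is zero because most simulated years have no incident, which is exactly why a single "expected loss" number hides the tail the board needs to see; the 90th/99th percentiles and the appetite-exceedance probability carry the decision.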

    • Norman Marks
      January 3, 2022 at 8:25 AM

      Osama, thank you for your reply. Sorry. I understand what you are saying but this technical representation of cyber risk doesn’t help me answer questions like #5, should we take the risk, because it only considers one side and a number is not meaningful.

      It reminds me of the question in The Hitchhiker’s Guide: what is the meaning of life? The answer is 42. What does 42 mean?

      • January 3, 2022 at 9:23 AM

        Norman, you didn’t add that the quest to answer ‘What does 42 mean?’ spawned a large number of consultants.

      • Osama Salah
        January 3, 2022 at 11:01 AM

        I was surprised by your questions, but I think I understand now what you mean.
        I see the numbers as the tools to support decision-making. They are like documentation of the rationale but the board should be told a simple story and we use the numbers as a backup to explain how we got there (if questioned).

        • Norman Marks
          January 3, 2022 at 1:51 PM

          The numbers only work if ALL the numbers are present for the decision. A number for the potential harm is only useful if it can be compared to the numbers for benefits – and even then the business decision can be hard.

          • January 17, 2022 at 3:12 AM

            Yes, I agree with you about the quantification of risks. In France, it is a usual question from the board when CROs present their risk mapping. However, it seems to me that it is a source of error. In reality, data are often incomplete or false. Numbers and financial evaluations are maybe comforting for boards, because they have the illusion of having an objective description and deep work. It is a dream; numbers are false friends, and there is also a part of subjectivity in their interpretation. Unfortunately, it is a recurrent question and sometimes it seems to be a guarantee of reliability for risk analysis.

  2. January 14, 2022 at 3:14 PM

    graet

    • Norman Marks
      January 14, 2022 at 4:44 PM

      I hope that’s great rather than grate
