by Joshua Jaffe and Nisha Almoula*
Every day, we read new headlines about cybercrime or hear reports of a new data breach, and all data indicates that the number of hackers is growing. When one considers the exponential growth of data and network-connected sensors and combines this with the power of AI, automation, augmented reality, implantable medical devices, and autonomous vehicles – it becomes immediately clear that this problem must be put on a different trajectory.
Yet, even with cyberattacks increasing in frequency and the damages growing in terrifying complexity, it remains a challenge for organizations to know how to best prepare for and mitigate against these attacks. The problem is that organizations find it hard to balance cyber risks against their actions. Often, cyber risks are underestimated or misunderstood by organizations.
Investments in cyber are viewed as a tradeoff against investments in product R&D, employee welfare or shareholder returns. The truth, however, is that all these investments should be considered holistically. To that end, the World Economic Forum, and its partners, in collaboration with the NACD, ISA, and PwC, have published Principles for Board Governance of Cyber Risk to enable organizations to better manage and understand how to navigate the invisible ledger of cyber risks that continue to grow. A key principle in this guidance is that boards of directors must “understand the economic drivers and impact of cyber risk.”
As board members’ understanding of the economics of cyber risk evolves, they will be empowered to drive risk-based decisions and lead organizations to combat cyber events. According to a 2022 PwC survey, 42.5% of global organizations have stated they have made significant progress in increasing their assessment of the board’s understanding of cyber matters.
How can a cyber risk balance sheet offer protection?
Developing a cyber risk balance sheet is one “power move” that leaders can make to immediately improve their cyber risk decision making. The simple shift in risk thinking and corporate behavior aligns cyber hygiene with the existing corporate risk management machinery in a way that creates a deeper understanding, incentivizes smart investments, and rewards good behavior. The cyber risk balance sheet power move does this by making the invisible ledger of cyber risks visible.
If you are a board member, encourage your cyber leaders to task their teams with creating and quantifying a cyber risk balance sheet that documents the cyber events that could have a material impact on the organization in financial terms. The key steps in developing a cyber risk balance sheet are as follows:
-Define a cyber risk quantification framework customized to your organization’s risk profile. This can be developed leveraging Factor Analysis of Information Risk (FAIR), in conjunction with other industry guidelines such as NIST SP 800-53 and ISO 27005. FAIR leverages scenario modeling to support organizations in compiling various risk factors, identifying their correlation, and quantifying financial impact.
-Identify key cyber threats relevant to your organization and evaluate the probability of the threat, critical assets, and the effectiveness of cyber controls in place to mitigate against these threats.
-Consolidate a balance sheet that maps the probability of in scope cyber threats to cyber risks in financial terms and associated planned or existing cyber investments.
Once the balance sheet is complete, have periodic discussions and reviews where the financial cost of cyber risks serves as the framework to understanding and translating the inherent consequence of the bottom line. This ledger can be used to evaluate the efficacy of current security investments and demand that chief information security officers (CISO) explain their business case for new cyber investment in terms that show a positive ROI. For example, investment in a security control will cost $2.5 million over the next three years, but it buys down $7 million of cyber risk on the cyber risk balance sheet.
Key considerations when implementing a cyber risk balance sheet
-Hold your teams accountable to outcomes and demand a return on capital in the form of real risk reduction.
-Empower security leaders to challenge themselves to really get to know the business and create allies within the business units by helping them reduce the risk of a cyber catastrophe that may impact their bottom line.
-Embrace questions challenging the calculations and recognize that this is fostering engagement from business functions to help advocate for security.
-Encourage security leaders to validate the risk values by collaborating with the CFO or ERM teams to review and vet the aggregate risk entries and increase their investment in the outcomes.
Enhance collaboration across the CISO, chief technology officer (CTO), and chief information officer (CIO) functions by involving the CTO and CIO teams in providing feedback on the likelihood and impact analysis done for each cyber scenario to further iterate on the estimates and balance sheet data.
Once the balance sheet is developed, and there is agreement across the organization’s leaders on the numbers, the security team should continue to iterate on the sheet to incorporate additional scenarios and evaluate business cases for every investment in a cyber control. This framework will support the organization to demand better leverage from existing cyber investments as well as retire antiquated cyber capabilities that may have consumed valuable talent and capital past their usefulness.
Future-proofing your organization
This power move works within organizations due to its simplicity and instead of promoting fear, it invites an understanding through transparency of the existing cyber risk. It creates a framework for leaders to engage in the solution using a language they all understand – the language of business. According to a 2022 PwC survey, 76.5% of global organizations have stated they have made moderate to significant progress in increasing the number of business decisions that involved input from the enterprise security management team. Regardless of the industries and verticals in which an organization operates, all corporate officers take pride in the value they create and are cognizant of the threats to that value.
The cyber risk balance sheet promotes trust through transparency and a stronger partnership between security, technology, and revenue generating functions of the business by aligning the interests of the company with the people protecting it.
There are several risks businesses must combat and the risks in cyberspace are growing every day. But what is often true in the physical world is also true in cyberspace – knowledge brings power. The more boards know and understand about the cyber risks and economic impact to their businesses, the better they can manage them.
*Vice President Cyber Security, Dell Technologies and Cybersecurity, Risk and Regulatory Senior Manager, PwC
**first published in: www.weforum.org
By: N. Peter Kramer
