Not long ago, companies prepared for cyber risks the way they might for a hurricane, flood, or other disaster situation: Brace for the worst, and hope for the best. Those days are over. Security breaches across industries have put cyber squarely on everybody’s risk agenda.
But while they’re taking cyber threats seriously, many companies are struggling to find the right balance in their approach. The moves they’re making to get ahead in the marketplace—globalization, mergers and acquisitions, extension of third-party networks, movement to the cloud—are the same tactics that create cyber risk. What organizations need to do is define the level of cyber risk they’re willing to accept in the context of their overall risk appetites.
Defining Cyber Risk Appetite
The first thing organizations need to do is broaden their definition of cyber risk and understand how much risk they’re willing to take. Ultimately, cyber risk is the potential of loss or harm related to technical infrastructure or the use of technology within an organization. And an organization’s cyber risk appetite is the level of tolerance that organization has for risk. Companies should be concerned about more than attacks on their actual information systems. Deliberate, malicious hacks aimed at compromising sensitive information are a huge problem—but so is user error that takes systems offline. Risk events can come from sources inside the organization, such as employees or contractors, as well as outside. They can be targeted, malicious attacks, or they can be unintentional.
There’s also a need to look differently at who is a source of cyber risk and who should be responsible for protecting against it. Everyone’s a potential source: software engineers that ship new releases, HR teams that use human capital management software, and supply chain partners that have access to systems, all of which could be exploited. Employees who overshare on social media or forget to log out at the end of the day open doors to information thieves. To fully determine an organization’s cyber risk appetite, more groups need to be involved in the conversation—including IT, business teams, and the general population that uses the company’s systems.
Key stakeholders need to ask and be asked the right questions. What losses would be catastrophic? What can we live without, and for how long? What information absolutely cannot fall into the wrong hands or be made public? And what could cause personal harm to employees, customers, partners, or visitors?
The most important question companies wrestle with in assessing their cyber risk appetite is whether their security investments will pay off. Organizations need to develop the ability to demonstrate that the investments they are making are aligned with the actual risks they face. They have to ask if they are making the appropriate investments in security, vigilance, and resilience, and whether those decisions are based not only on a realistic understanding of the specific risks their organization faces, but on the magnitude of impact that a cyberattack could have. Managing cyber risk is more than a cost to the business—it’s a positive investment to enable the success of strategic growth and performance initiatives.
Where to Start?
Which applications, databases, systems, and information sources should they concentrate on? A good rule of thumb is to start with mission-critical systems, then move on to core infrastructure and the extended ecosystem, and wrap up with external, public-facing systems. While it may seem counter-intuitive to prioritize internal systems as the critical area of focus, it’s important to prioritize what could cause the most damage if risk is not appropriately managed. Mission-critical and business-critical systems, if affected, could halt the business entirely.
Organizations need to determine what cyber risks they’re willing to tolerate, what they’re willing to spend, and how they can respond to cyber threats. Defining their cyber risk appetite sets the process in motion. It creates boundaries for organizations to prioritize which risks need to be treated. Chief executives, chief information security officers, and chief risk officers need to create the framework and share it throughout the organization. Then it becomes the whole organization’s responsibility to evaluate and re-evaluate its cyber risk appetite on an ongoing basis.
Following this process, organizations can make more informed decisions and create action plans to deal with cyber risk. They can accomplish a great deal, but it can’t all be done at once. They need to start with a smaller set of use cases and integrate new use cases over time, making risk management a more integral part of their overall strategy.
Companies that manage their cyber risk appetites will be in better shape to succeed in today’s marketplace. Companies that do not will expose their organizations to risks with potentially serious implications.