The relationship between traditional risk management structures and information security or ‘cyber’ risk is one we at AKJ Associates have been interested in for a long time.
Risk modelling for cybersecurity is a particular challenge: because it is a relatively new field, it lacks the historical data available for other types of business risk, such as physical theft or natural disasters. Victims of cybercrime have also been reluctant to disclose specifics, with many attempting to avoid disclosure altogether, leading to the introduction of mandatory disclosure in certain industries and regions (such as the GDPR in Europe, and HIPAA in the US’s healthcare sector).
On top of all that, our world and its businesses are becoming increasingly digital, while cybercriminals are becoming increasingly organised and sophisticated. This means that the potential impact of a cyberattack and/or data breach has changed drastically in scale over the last few years – and, in all likelihood, will continue to do so.
Recent media coverage of high-profile cyberattacks has increased board-level awareness of cybersecurity’s importance. Looking just at disclosures from 2017-8, AP Moller-Maersk’s NotPetya damages were estimated at up to $300 million, while Equifax’s breach cost the company $439 million. Those numbers are enough to make any CFO – regardless of their typical engagement with cybersecurity – sit up and pay attention.
But faced with a lack of meaningful metrics for cyber risk, cybersecurity professionals who do not come from a risk background themselves may struggle to explain the potential business impact of a breach in terms non-technical management can understand.
And if they don’t understand a risk, it’s impossible for them to genuinely engage with it. Even if they’re willing to approve budget (which is in and of itself a challenge for many information security professionals), genuine investment in information security requires deeper commitment. That means measures such as increasing hiring, ensuring that information security is represented at the level of senior management, enforcing a strict information security policy throughout the company, and more.
AKJ’s research found that only one quarter of participants felt that the CISO’s strategic knowledge of operational risk was fully appreciated by the board. 16% reported that it wasn’t appreciated, with a further 19% ‘unsure’ – suggesting that at the very least, the board had failed to make clear its appreciation for the CISO’s input.
Responses showed a clear relationship between the board’s appreciation for the knowledge a CISO could contribute to risk management discussions, and the level of support the information security team received. Those who reported lower levels of board-level appreciation also reported smaller information security teams, and tended to report lower levels of board support – though the correlation was not exact, as can be seen in the accompanying chart.
Reported levels of board appreciation for the CISO’s risk knowledge were also observed to vary based on factors such as industry. Participants from banking/finance and from government were the most likely to report full appreciation.
These responses are disconcerting, particularly considering that our participant pool consists of attendees at high-level information security conferences.
However, comparing these findings with preliminary results from our European project shows that confidence in both board-level appreciation of CISOs’ risk knowledge and sufficient board support is higher in the UAE. This is likely because of the rapid pace at which digital transformation has moved in the region.
For real cybersecurity to be achieved, more still needs to be done to convince businesses from the top down to take information security seriously. Obtaining genuine board-level support, not just in terms of budget but in developing a mature security culture throughout the organisation, will require translating ‘cyber’ risk into operational risk in a way that non-technical executives at all levels can understand.
Until that becomes the case, cybersecurity professionals will struggle to defend company assets effectively from increasingly sophisticated threat actors.