What is your company’s appetite for cyber risk? Are you even aware of how much risk your company is taking?
To answer this question, you must first know how much and which types of risk you are willing to tolerate. In the broadest sense, your cyber risk appetite is your answer to the question, “How much cyber risk feels acceptable to me?” This is a tough question every business leader now faces.
The reflexive answer to this question is always “none”, but that is too simplistic.
The thoughtful answer is always “it depends,” because your tolerance for risk varies depending on how different cyber risks manifest, what they affect, and the resources involved.
The final answer is that risk appetite is nuanced and specific to your organization. Your statement of cyber risk appetite should capture the business risks that are unique to your culture, values, technology, operations, and adversaries.
Next, you must develop your appetite statement for cyber risk. We suggest five questions to holistically capture your landscape to build a cyber risk appetite.
Figure 1. Cyber Risk Appetite Engagement Methodology
1. What matters? Engage with your executives and business unit leaders to evaluate corporate values, objectives, and other business drivers as they relate to cybersecurity.
2. How do I protect what matters? Collect insights to understand current operations, networks and systems.
3. What is at risk? Conduct interviews and review historical issues to build an understanding of your risks and of why certain risks are given consideration.
4. How do I know? Connect your operational systems to ground risk management in a timely, data-driven reality. Objective evaluation of cyber risk requires grounding decisions in normalized data rather than in emotional responses.
5. How much is enough? Working together, discover your appetite for cyber risk, and derive your risk tolerance and thresholds through a data-driven analysis.
Developing a cyber risk appetite statement requires both qualitative and quantitative components. The qualitative component is your gut check: the organization’s position on cyber risks. It should be concise and specific, reflecting your risk position and the business value that justifies why it matters. This is where you tightly integrate corporate values and objectives. The qualitative portion should also take into consideration your capacity for risk.
The quantitative side is where you use your existing tools and infrastructure to create a set of forward-looking cyber risk metrics. These metrics help to articulate your risk tolerance. Metrics should reflect your attitudes toward growth, risk, innovation, culture, and ultimately the actions you will take to reduce risk if you exceed your tolerance threshold.
Table 1. Components of a Cyber Risk Appetite
Once you have drafted the qualitative and quantitative components of a cyber risk appetite, you can develop specific key risk indicators (KRIs). These are forward-looking composite metrics that signal when core components of your appetite are in jeopardy – when your gut-check should have a stomach ache.
Creating your cyber risk appetite statement is not just an exercise but a holistic program that encompasses multiple stakeholders beyond cybersecurity. Ideally it should be led not by the CISO but by the Chief Risk Officer or an executive risk team, with input from the CIO, CFO, and CISO. This team starts at the top and builds indicators looking downward, performing a gap analysis along the way. Frequently an organization finds it already has all the data it needs, but must reframe or reconsider how to measure it.
Finally, once you have defined your cyber risk appetite and KRIs, communicate them throughout the organization. You now have a clear picture of what matters, objective indicators of risk, and timely data, and you are prepared to make informed risk-based decisions. Often more importantly, you should be able to answer the dreaded questions from regulators and the board: what is our risk appetite, and how are we doing?
The core challenge of defining a risk appetite for cybersecurity is getting buy-in at the executive level. Increasingly, executives are required by regulation to sign off on a risk appetite statement (what matters), transferring responsibility for business-generated risks to the business units.
By following the collaborative process defined above, your organization can ensure that buy-in is baked-in, because stakeholders have:
- Helped you articulate the business value of information;
- Adopted this as a tool for establishing priorities on protecting information;
- Set performance expectations within the lines of business; and
- Communicated their expectations of the framework through their engagement.
This can only happen when you start with a cyber risk appetite that is developed by, approved by, and regularly reported to executive leadership.