Business leaders spend most of their time conducting risk/reward analyses of virtually every decision they make. Will expanding the sales staff generate enough profit to more than pay for the added costs? Can our new product launch hit the market before the competitors shift their own strategies? Do we know enough about the geopolitical climate in a new market to justify the added costs and hassles in compliance and governance? Cybersecurity is another critical area where risk must be constantly assessed.
The risk of unanticipated service interruptions—not to mention the many direct and indirect costs of data loss—is substantial. Virtually everything an organization does today—from billing customers and creating marketing programs to answering police calls and ensuring the cleanliness of waterways—is digitized. Add in the new reality of entirely new classes of digital endpoints and you can see that hackers have more opportunity than ever to wreak havoc.
While the impact of those and other cybersecurity risks is undeniable, too many organizations fail to build their cybersecurity strategies and tactics around the concept—and realities—of risk. Why?
Compliance blurs organizational vision for cybersecurity
In recent years, the rapid, often relentless expansion of regulatory compliance for everything from identity protection to data governance has put many organizations back on their heels. As more compliance regulations—and harsher penalties for violations—pop up, business leaders and board members have understandably prioritized a simple cybersecurity rallying cry: Follow the rules. And that is necessary, of course. After all, the specter of non-compliance certainly represents a risk no business leader wants to take.
While regulations aim to broadly address cyber risk and ease the minds of governments and business stakeholders, they are generally not effective enough to protect companies from today’s threat actors. Cyber criminals are actively monitoring regulatory requirements and adjusting their tactics in real time. Leaders who rely on high compliance scores to manage their risk may be overlooking important gaps that are specific to their specific operating environment.
Defining cybersecurity risk and putting in place the correct resources, strategies, and guardrails needs a broader and more business-based perspective than defaulting to “we need to take this security step because it’s part of our (fill-in-the-blank) compliance protocol.” In many organizations– especially large enterprises that deal with a much more significant compliance footprint—the audit function often drives decisions on how, when, and where to spend cybersecurity dollars.
Most smaller organizations take a different, risk-centric approach to their cybersecurity strategies and tactics. Perhaps it’s because they don’t have quite as many compliance hoops to jump through; however, it’s likely due to the fact that they simply don’t have the budget or personnel to view every security issue through a compliance lens. In these smaller, leaner organizations the approach to cybersecurity is much more straightforward and, I believe, more appropriate for today’s increasingly complex landscape:
- Focus on where a security compromise can do the most harm to your organization
- Define the highest-risk areas
- Make reasoned, fact-based decisions on where to place your resources
Defining and measuring organizational risk
There is another important reason why many organizations don’t consistently use a risk-based methodology for their cybersecurity strategy: They often lack a common definition for risk and a common vocabulary to help everyone in the organization make risk-based cybersecurity decisions.
Most business leaders are familiar with the classic definition of risk: What is the likelihood of something happening and how bad would the impact be if it happened? It’s a definition that has worked for just about all other business scenarios, including the ones I covered at the beginning of this article. But to truly address risk, leaders must align on how likelihood and impact should be measured, and then agree on the appropriate risk tolerance of the organization so that policies and technologies can be applied to maintain a posture that keeps risk under the threshold.
In today’s digital-first environment, many business executives identify and measure risk differently—and there isn’t always universal agreement among leadership about how much of a risk appetite the organization has or should have. After all, every business stakeholder has a different risk threshold. If your CRM application is compromised, that’s a showstopper for anyone on the revenue side of the house, but it might not be perceived as critically by the team managing warehouse logistics (even though they are obviously related).
An important first step is establishing a common understanding around how to measure the impact of cybersecurity risk specifically. Before joining Chevron, I worked at a very small organization; we only had two in-house IT professionals and outsourced everything else. Because our company was growing exponentially, the company agreed that I needed to build a bigger in-house organization. I started out by asking my boss what he worried about most when it came to securing the company’s most important data. We struggled to have a productive discussion because he thought of IT solely in terms of uptime for applications and systems critical to operations. I realized that I needed to educate the company’s leadership around cybersecurity risk.
While this example focused on what happened at a typical small organization, it’s really not much different at larger ones. In fact, larger companies often substantially underestimate cybersecurity risk because they have no real understanding of where their data is stored or how many of their systems, processes, and “things” are connected to the internet, either directly or through cloud services. And they may overestimate risk because they are hyper-focused on the cost of operational disruption to their business, with little thought about the mitigating controls that exist to prevent the “worst-case scenario”. Establishing a logical method for identifying and ranking the top business impacts that could result from a cyber-attack is a good place to start.
The next step is to discuss likelihood which is when things get muddy. Discussions about cyber likelihood require a certain level of technical knowledge that is scarce in most companies. I have close friends and colleagues who study cyber-attack techniques, and I am frankly amazed at how easy it is for a patient and determined adversary to find the smallest crack in a technology’s security stack and exploit it. In today’s environment, business leaders simply must assume that compromise of anything connected to (or through) the internet is a possibility and any protection or detection capabilities that are in place will reduce, but not eliminate, that risk. The question is, once we have determined where our risks are, how much protection is “enough”?
One of the least scientific, yet highly visceral, approaches I like to take in talking to internal colleagues about risk tolerance is asking a simple question: “In your mind, when does system downtime or data loss go from inconvenient to painful?” It’s always interesting to note where business executives draw the line, such as, “I may get annoyed if our email system is unavailable for a few hours, but I can’t sleep at night if our supply chain management system is down for 10 minutes.” And beyond anecdotal inputs, there is also value in leveraging any prior decisions around business insurance, as most business leaders at least have thought about risk tolerance in terms of legal protection or inability to operate due to disaster scenarios. Metrics like “lost revenue per day” and insurance coverage amounts can help a technology leader understand the company’s tolerance for risk in general and then derive the cyber-related risk tolerance from there.
Get outside help to assess your cyber risk
While I’m not necessarily an advocate of outsourcing key IT functions, I am a huge proponent of using experienced and proven outside organizations to evaluate an organization’s risk exposure and its impact on the business. For a variety of reasons, organizations often struggle to account for every source of cybersecurity risk in their environment. Maybe they aren’t collaborative by nature and overlook the input of stakeholders from all corners of the enterprise, or maybe they just haven’t seen and felt the impact of a cyberattack “up close and personal,” so they have a hard time accounting for its impact or even its presence.
Having the guidance of a qualified third party is gold, when given the time and ability to dive deep enough into the details to fully understand your company’s risks. They lend a perspective that few internal organizations can match. The reality is that an outside opinion counts for a lot with C-suite executives and board members. After all, organizations routinely employ outside auditors to give their opinions on the accuracy and completeness of a company’s financial statements—it makes sense that this kind of assessment should be handled similarly.
Admittedly, I’m not going to tell you this kind of risk assessment outsourcing will be enthusiastically embraced by everyone in your organization. Line-of-business leaders often see these exercises as a waste of time, unconvinced that the likelihood of a cyber event is significant enough to warrant the effort. While this may feel like a narrow mindset, their perspectives are valuable to understand the true “worst case” scenario which may be limited by physical controls or manual overrides that reduce potential impact. Additionally, internal teams that are already familiar with the company’s cyber risks may feel that they are untrusted by management or undervalued when one of these external engagements is announced, but their honest input is critical to a successful evaluation and must be captured and amplified for executives so that appropriate funding and priority is applied to address known risks.
When framed correctly among all stakeholders, a qualified outside opinion can provide confidence, clarity, and consistency in identifying, assessing, and accounting for cybersecurity risk.
Assess risk with the vision of the possible
Finally, let’s keep in mind the need for something that may seem whimsical, but is essential to cold, hard decision-making: Imagination. Most of us have read about NASA’s Apollo 1 tragedy, where three astronauts died in a training exercise. A blue-ribbon commission was assembled to study the cause of the accident and to make recommendations to prevent future occurrences. Frank Borman, at that time one of the senior members of the astronaut corps and a member of the commission, was asked at a Congressional hearing his opinion why this tragedy took place. His succinct answer: “A failure of imagination.”
His point was well taken. Just because this kind of development had never occurred, considering the possibility of something that seemed so remote never entered the collective minds of NASA. Borman’s answer served as a rallying cry from that day forward—to not take anything for granted, however remote its chances or unprecedented it may have been.
In cybersecurity, being imaginative is a core competency to properly understand risk. I encourage you to push your imagination to its boundaries in identifying, evaluating, measuring, and minimizing risk.
Sherry Hunyadi is chief security architect at Chevron.