Misalignment between cyber risk and business risk is one of the biggest causes, and symptoms, of misalignment between the CISO, the C-suite, and the board. Part of the issue is that many of the processes and tools currently used to measure and manage business risk were established long before cyber risk (or cyber anything) entered the picture. Further complicating matters is the often-siloed structure of security functions, many of which, consequently, have little exposure to other areas of the business—much less business risk—and vice versa.
But regardless of why this misalignment exists, it can be problematic. As I noted in a previous column, business risk is the possibility that a business will incur a loss due to uncertainties. And these include uncertainties related to cyber infrastructure. In other words, business risk isn’t separate from cyber risk—it encompasses cyber risk. This also means that managing business risk effectively is only possible when you account for, and are thus aligned with, cyber risk.
Here are some tips to help CISOs and other security practitioners achieve this alignment:
Evaluate and communicate cyber risk in business terms
Not only do business leaders without security backgrounds tend to be much less familiar with security terminology, but many are also unfamiliar with how security impacts the business and business risk.
Let’s consider, for instance, how a CISO might communicate the risk posed by an unpatched vulnerability to the rest of their security team. It might go something like this:
“Although the CVE has not yet been exploited in the wild, it is present in a critical system, could result in remote code execution, and has POC exploit code available. As a result, it must be highly prioritized and patched immediately.”
But if the CISO were to adjust this statement to help it resonate better with a business-oriented audience, such as the C-suite, they might say something like this:
“This vulnerability poses a significant risk to the confidentiality of our customers’ data. We can eliminate this risk by patching the vulnerability immediately. If we don’t, we will have to accept this risk and the fact that if customer data is compromised as a result, we will likely face significant financial losses related to reputational damage, eroded customer loyalty, and regulatory violations.”
Quantify what you can
Another unique challenge posed by cyber risk is that it’s notoriously difficult to quantify. Other types of business risk—ranging from fraud and compliance risks to credit and operational risks—can be, and usually are, tied to business losses within the risk assessment and management process. In fact, this process is often how C-suites and boards justify budgets and resource allocation across business functions. But while it can be easy to estimate the fraud losses that a new anti-fraud control, for example, is likely to help reduce, the same can rarely be said for cyber risks and the myriad controls implemented to manage them.
There are far more unknowns in cybersecurity and far less historical data available to help risk analysts and security practitioners accurately estimate these unknowns. In response, CISOs are increasingly seeking out what limited historical data is available and looking to threat intelligence—and more specifically, business risk intelligence (BRI)—to better understand and anticipate the risks to which their organizations are most susceptible. Risk assessment frameworks are another useful resource. Certain newer iterations, such as the FAIR framework, are designed to help shed light on how these sorts of risks can be quantified more accurately.
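To make the quantification point concrete, here is an added illustration (not code from the column or from the FAIR standard itself) of the shape of a FAIR-style estimate: risk as loss event frequency times loss magnitude, simulated from min / most-likely / max inputs. The scenario values are constructed, and the "before patch" versus "after patch" comparison mirrors the unpatched-vulnerability example earlier in the column.

```python
# Illustrative FAIR-style quantification: risk = loss event frequency x loss magnitude,
# Monte Carlo over min / most-likely / max estimates. The scenario numbers are constructed
# and this is not the FAIR standard's own tooling, just the shape of the calculation.
import random
import statistics

def pert_sample(rng, low, likely, high, lam=4.0):
    """Modified-PERT (beta) draw from a 3-point estimate, the usual FAIR input form."""
    if high <= low:
        return low
    a = 1 + lam * (likely - low) / (high - low)
    b = 1 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def simulate_annual_loss(scenario, trials=5000, seed=7):
    """Annualized loss statistics for one scenario: mean (ALE), median, 90th pct, worst year."""
    rng, annual = random.Random(seed), []
    for _ in range(trials):
        lef = (pert_sample(rng, *scenario["threat_event_frequency"])   # attempts per year
               * pert_sample(rng, *scenario["vulnerability"]))         # x P(attempt succeeds)
        loss, t = 0.0, rng.expovariate(1.0)      # Poisson(lef) event count via exponential gaps
        while t < lef:
            loss += pert_sample(rng, *scenario["primary_loss"])        # response, recovery
            loss += pert_sample(rng, *scenario["secondary_loss"])      # fines, churn, reputation
            t += rng.expovariate(1.0)
        annual.append(loss)
    annual.sort()
    pct = lambda f: annual[min(len(annual) - 1, int(f * len(annual)))]
    return {"ale": statistics.mean(annual), "p50": pct(0.5), "p90": pct(0.9), "max": annual[-1]}

def control_benefit(before, after, **kw):
    """Expected annual loss avoided by a control that turns scenario `before` into `after`."""
    return simulate_annual_loss(before, **kw)["ale"] - simulate_annual_loss(after, **kw)["ale"]

# Constructed scenario: critical system with an unpatched RCE for which PoC code exists.
UNPATCHED = {
    "threat_event_frequency": (2, 6, 20),       # exploitation attempts per year
    "vulnerability": (0.3, 0.6, 0.9),           # chance an attempt succeeds
    "primary_loss": (50_000, 200_000, 600_000),
    "secondary_loss": (100_000, 1_000_000, 5_000_000),
}
PATCHED = dict(UNPATCHED, vulnerability=(0.0, 0.01, 0.05))  # same attempts, rarely succeed
```

The `ale` figure is what translates into the budget conversation the column describes: the expected annual loss avoided by a control (here, patching) is a number a board can weigh against the cost of that control.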
Develop a risk appetite statement
The amount of risk a business is willing to accept in pursuit of its objectives is known as its risk appetite. Many businesses articulate this via a risk appetite statement, which is a concise document that outlines the types and amount of risk a business will and will not tolerate, and why, in the context of its operations and environment. Here’s a hypothetical example:
As a large retailer, we are exposed to a range of risks in pursuit of revenue targets, enhancing the efficiency of our operations, and fostering customer loyalty. Achieving these objectives requires accepting some risk. We have a low appetite for risks that could compromise critical assets, including intellectual property, sensitive data, and personnel. We have a medium appetite for reputational risks, and a high appetite for strategic risks that arise due to market competition or innovation. We strive to control all risks to at or below acceptable levels.
Many businesses, however, either don’t have a risk appetite statement, or they have one that was developed without input and guidance on cyber risk from the CISO.
In the absence of a risk appetite statement, the CISO can collaborate with the appropriate stakeholders—which usually include the rest of the C-suite, the board, and other senior-level leaders—to create such a statement that incorporates cyber risk. And if the business already has a statement that doesn’t account for cyber risk, the CISO can create a separate, but complementary, cyber risk appetite statement that aligns with business objectives.
The goal in both situations is, above all else, to contextualize the business’s cyber risks, cyber risk controls, and supporting data in a manner that resonates with stakeholders and decision-makers across the business.