Helping the C-Suite Assess Cyberrisk

Patrick Dennis


October 1, 2015

cyber risk c-suite

Given the scope of technological advances, businesses today need to be fully aware of cyberrisks as they pursue opportunities. It is no longer acceptable to leave these risks uncalculated, uncontemplated or uncommunicated.

The real threat, likelihood and impact of these risks must be visible all the way up to the board of directors. Assessing and communicating cyberrisks should be no different than assessing and communicating the other risks a company faces and reports on each quarter. It is easy for executives to be confused about cyberrisk, however, if their only exposures are sensationalized media reports or the scare tactics commonly used by technology suppliers. These combine to portray a small, not necessarily representative slice of the cyberrisks corporations face.

Executive involvement is critical in order to develop a mature strategy to address cyber risk across the entire organization. These five steps can help company executives more effectively assess and communicate cyberrisks:

1. Educate without anecdote. The first step in maturing an organization’s management of cyberrisks is educating the executive team. The constant stream of high-profile cybercrime and hacking news makes for good television, but is rarely representative of the risks a company is most likely to face. It is important to ground the executive team in the full spectrum of cyberrisks, including less sensational but more likely exposures, like lost backup tapes.

It is critical for the executive team to get a representative baseline education focused on the company’s exposures. Ideally, this involves IT working in conjunction with the company’s risk managers as part of the formal risk management process. It is also important to remember that the board of directors is often required to participate in continuing education on topics such as cyberrisk under corporate governance guidelines.

2. Collaborate with the knowledge that cyberrisk is everyone’s responsibility. Once the baseline education is complete, it is much easier to engage the company more broadly in cyberrisk initiatives. It is important to quickly establish that cyber risk management is a company-wide responsibility, not just the responsibility of the information technology or information security division. Executives cannot expect the chief information officer or chief information security officer to manage these risks alone. More to the point, business unit executives are best positioned to decide if pursuing specific opportunities is worth the associated risks. Collaboration between the executive team on cyberrisk issues builds risk awareness into the organization at large. Managing these risks requires ongoing checkpoints for key stakeholders in every organization and, ultimately, the board.

When the executive team leads from the front, it sets the tone for the rest of the organization. Security awareness training, strong password standards and encryption are all more impactful when everyone understands their importance. While companies cannot count on these measures alone to mitigate cyberrisks, they are meaningful ways to keep these considerations in the mind of employees.

3. Locate your assets. Every adversary, both internal and external, is interested in company data. Targeted information can range from intellectual property to personally identifiable information, but in any case, there are two important considerations. First, a company has to know what information is considered an asset (such as intellectual property or regulated data) and where that information and all copies are stored. Second, the company needs to make sure that the information owners know they are protecting a company asset.

The company can start this process by asking the IT security team to locate all the information the business has defined as an asset. This will verify that the information can be found and help them assess whether it is protected properly.

Once the assets are identified, the company should establish a baseline for associated activity surrounding that information. The baseline can then be used to identify abnormal activity. Such behaviors are a strong leading indicator of unauthorized access or compromise, so systematically monitoring company information assets is a critical component to reducing the overall level of cyberrisk.

4. Check the ecosystem’s credentials. Once the company’s house is in order, extend the same line of questioning to the ecosystem of partners and suppliers. The overall level of cyberrisk can be as materially impacted by the ecosystem as it can be by the company’s own posture. It is important for these parties to understand the company’s expectations of their organizational performance and the standards that the performance will be measured against. To that end, require the procurement team to consider modifying supplier contracts to include cyberrisk requirements.

The ongoing checkpoints inside the company should be extended to the ecosystem as well. Surveying new and potential ecosystem participants for security policies and practices should be part of the initial evaluation. Then, partner performance should be evaluated when contract renewal discussions begin. There are helpful templates from the National Institute of Standards and Technology and Information Security Forum to aid in jump-starting a company’s efforts.

5. Get it in writing. Once the ecosystem’s credentials have been checked and evaluated, legal needs to consider the findings when developing their agreements. The terms of these agreements, assets able to be accessed, and actual performance should all be considered when providing login credentials and data management expectations and authorizations.

The company should include corporate data security and incident response policies in agreements and stipulate compliance with them. These agreements must be aligned with data management expectations and authorizations. The agreements need to clearly specify which party owns the data and detail each party’s responsibilities in the event of a security incident. The company should then consider cyber insurance investments based on the overall exposure identified throughout these steps.
Patrick Dennis is the president and CEO of Guidance Software.