Building your Cyber Risk Appetite
Cyber Risk Appetite: Are you Hungry? — Part Three
In parts one and two of this series, we looked at the importance of executive buy-in for identifying what matters, and how Cyber Risk Appetite is significantly shifting responsibility for cybersecurity.
So, are you ready to build yours?
Here’s how we do it with our clients. This is a methodology we have developed through our experience with multiple financial institutions and federal agencies.
To start, you must first know how much and which types of risk you are willing to tolerate. In the broadest sense, your cyber risk appetite is your answer to the question, “How much cyber risk feels acceptable to me?” This is a tough question every business leader now faces.
The reflexive answer to this question is always “none”, but that is too simplistic.
The thoughtful answer is always “it depends”, because your tolerance for risk varies depending on how different cyber risks manifest, what they affect, and the resources involved.
The final answer is that risk appetite is nuanced and specific to your organization. Your statement of cyber risk appetite should capture the business risks that are unique to your culture, values, technology, operations, and adversaries.
Next, you must develop your appetite statement for cyber risk. We suggest five questions to holistically capture your landscape to build a cyber risk appetite.
1. What Matters? Engage with your executives and business unit leaders to evaluate corporate values, objectives, and other business drivers as related to cybersecurity.
2. How do I protect what matters? Collect insights to understand current operations, networks and systems.
3. What is at Risk? Conduct interviews and review historical issues to learn which risks have actually materialized, and why certain risks are considered acceptable while others are not.
4. How do I know? Connect your operational systems so that risk management is grounded in timely, data-driven reality. Evaluating cyber risk objectively requires measured data rather than emotional responses to the latest headline or incident.
5. How Much is Enough? Working together, discover your appetite for cyber risk, and derive your risk tolerance and thresholds through a data-driven analysis.
This top-down approach to developing a Cyber Risk Appetite can then be paired with a bottom-up instrumentation program and product to provide continuity of reporting and communication — in a vernacular that is relevant to business leadership. Holistic reporting, grounded in what matters to the business and stripped of technical jargon, will be more accessible to executive leadership and more valuable than another compliance dashboard.
Developing a cyber risk appetite statement requires both qualitative and quantitative components. The qualitative component is your gut check; this is the organization’s position on cyber risks. It should be concise and specific, stating your risk position and why it matters to the business. Here is where you tightly integrate corporate values and objectives. The qualitative portion should also take into consideration your capacity for risk, that is, how much loss the organization can absorb, as distinct from how much it is willing to accept.
The quantitative side is where you use your existing tools and infrastructure to create a set of forward-looking cyber risk metrics. These metrics help to articulate your risk tolerance. Metrics should reflect your attitudes toward growth, risk, innovation, culture, and ultimately the actions you will take to reduce risk if you exceed your tolerance threshold.
Once you have drafted the qualitative and quantitative components of a cyber risk appetite, you can develop specific key risk indicators (KRIs). These are forward-looking composite metrics that signal when core components of your appetite are in jeopardy — when your gut-check should have a stomach ache.
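The paragraphs above describe tolerance, threshold and forward-looking composite KRIs in prose; the following Python is an added worked example, not code from the original post or from Emergent Network Defense, showing one way to turn those concepts into an evaluation that runs against constructed metric history. The indicator names, tolerance and threshold values, weights and the five-period histories are all assumptions invented for illustration; the "forward-looking" part is a least-squares linear trend projected one reporting period ahead, which is one reasonable choice, not the only one.

```python
"""Evaluate key risk indicators (KRIs) against a cyber risk appetite.

Added example. Each KRI carries a tolerance (the level the appetite statement
accepts) and a threshold (the level at which the agreed risk-reduction action
must fire). A KRI is forward-looking: its status considers both the current
value and a one-period linear projection of the recent trend.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KRI:
    name: str
    tolerance: float
    threshold: float
    history: List[float] = field(default_factory=list)  # oldest first, one per period
    higher_is_worse: bool = True

    def current(self) -> float:
        return self.history[-1]

    def projected(self, periods_ahead: int = 1) -> float:
        """Least-squares linear trend over history, extrapolated ahead."""
        n = len(self.history)
        if n < 2:
            return self.current()
        x_mean = (n - 1) / 2
        y_mean = sum(self.history) / n
        sxx = sum((x - x_mean) ** 2 for x in range(n))
        sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(self.history))
        slope = sxy / sxx
        intercept = y_mean - slope * x_mean
        return intercept + slope * (n - 1 + periods_ahead)

    def score(self, value: float) -> float:
        """Normalise: 0.0 at or inside tolerance, 1.0 at threshold, >1.0 beyond."""
        worse_by = value - self.tolerance if self.higher_is_worse else self.tolerance - value
        span = abs(self.threshold - self.tolerance)
        return max(0.0, worse_by / span)

    def status(self) -> str:
        cur = self.score(self.current())
        nxt = self.score(self.projected())
        if cur >= 1.0:
            return "red"    # threshold crossed: take the agreed action now
        if nxt >= 1.0 or cur > 0.0:
            return "amber"  # outside tolerance, or trend hits threshold next period
        return "green"


def evaluate(kris: List[KRI], weights: Dict[str, float]) -> dict:
    """Composite, weighted score on projected values for one appetite component."""
    total = sum(weights[k.name] for k in kris)
    composite = sum(weights[k.name] * k.score(k.projected()) for k in kris) / total
    statuses = {k.name: k.status() for k in kris}
    return {
        "statuses": statuses,
        "composite": composite,
        # The appetite component is in jeopardy if any KRI is red or the
        # weighted projection has reached threshold level.
        "in_jeopardy": composite >= 1.0 or "red" in statuses.values(),
    }


# Constructed sample data (hypothetical indicators and values, not real telemetry).
SAMPLE_KRIS = [
    KRI("median_days_to_patch_critical", tolerance=14, threshold=30,
        history=[10, 13, 17, 22, 28]),
    KRI("privileged_accounts_without_mfa_pct", tolerance=2, threshold=5,
        history=[1.0, 0.8, 0.5, 0.4, 0.3]),
    KRI("phishing_sim_click_rate_pct", tolerance=5, threshold=10,
        history=[4, 6, 9, 11, 12]),
]
SAMPLE_WEIGHTS = {
    "median_days_to_patch_critical": 0.5,
    "privileged_accounts_without_mfa_pct": 0.3,
    "phishing_sim_click_rate_pct": 0.2,
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_KRIS, SAMPLE_WEIGHTS)
    for name, state in result["statuses"].items():
        print(f"{name:40s} {state}")
    print(f"composite={result['composite']:.3f} in_jeopardy={result['in_jeopardy']}")
```

In the constructed data the patch indicator is still inside its threshold today but is trending to cross it next period, so it reports amber rather than green; that is the difference between a lagging metric and a forward-looking KRI. The phishing indicator has already crossed its threshold and is red, which alone puts the component in jeopardy and should trigger the action the appetite statement agreed in advance.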
Creating your cyber risk appetite statement is not just an exercise, but a holistic program that encompasses multiple stakeholders beyond cybersecurity. Ideally this should not be led by the CISO, but by the Chief Risk Officer or an executive risk team with input from the CIO, CFO, and CISO. This team starts at the top and builds indicators looking downward, performing a gap analysis along the way. Frequently an organization finds they have all the data they need, but need to reframe or reconsider how to measure it.
Finally, once you have defined your cyber risk appetite and KRIs, you communicate it throughout the organization. You now have a clear picture of what matters, objective indicators of risk, and timely data, and you are prepared to make informed risk-based decisions. Just as importantly, you should be able to answer the dreaded questions from regulators and the board: what is our risk appetite, and how are we doing against it?
The core challenge of defining a risk appetite for cybersecurity is to get buy-in at the executive level. Increasingly, executives are required by regulation to sign off on a risk appetite statement — what matters — transferring responsibility for business-generated risks to the business units.
By following the collaborative process defined above, your organization can ensure that buy-in is baked-in, because stakeholders have:
- Helped you articulate the business value of information;
- Adopted this as a tool for establishing priorities on protecting information;
- Set performance expectations within the lines of business; and
- Communicated their expectations of the framework through their engagement.
This can only happen when you start with a cyber risk appetite that is developed by, approved by, and regularly reported to executive leadership.
About Emergent Network Defense:
END provides a cyber risk management solution for institutions to “secure what matters” by identifying, measuring, and distributing cyber risk ownership throughout their enterprise. We use a biological ant-based swarming approach to identify the paths attackers are most likely to use to exploit your greatest risks and cause the most damage, so you can block those paths and reduce your risk before an incident happens.
Our solution enables business owners to understand the amount of cyber risk they are exposed to and responsible for in a dollar-based impact amount, and enables the CISO or CRO to take action to automatically reduce cyber risk exposure.
To see the swarm, visit www.endsecurity.com.