Digital Risk Management and the “Big Rocks”

Cyber Risk Appetite: Are you Hungry? — Part Two

In part one of this series, we looked at the key benefit of executive engagement with digital cyber risk management: executive commitment to securing what matters. If you haven’t joined the conversation yet, please start with part one.

Securing what matters requires a paradigm shift. Managing cyber risk is no longer the sole burden of the CISO. The cybersecurity community has made great strides in communicating the importance of cybersecurity as a function, resulting in broader participation of business units and leadership, heightened expectations of oversight and governance, and increasingly larger budgets dedicated to cybersecurity products and services. For example, within the financial sector, cybersecurity budgets increased by 14 percent in 2016 over 2015, and some larger banks are on the record as writing a “blank check” for their cybersecurity spend. The U.S. Federal budget in 2017 has a 35 percent increase to $19 Billion for federal cybersecurity. However, we are still challenged to integrate security insight into business actions, because the rest of our colleagues don’t understand the full picture of risk exposure. We must help them to see their digital cyber risk as it affects the rest of the organization, and even as an existential threat to organizational survival.

Stephen Covey popularized the concept of the “big rocks”; to stay focused on what matters, first start with the big rocks, then put in the pebbles, then the sand. If you start with the sand, you never get to the big rocks.

A lone CISO pushing his big rock uphill (credit: Andrey Pavlov)

The CISO is pushing their big rock of cybersecurity uphill, trying to improve cybersecurity while also supporting the objectives of their business units. The challenge is that CISOs have multiple stakeholders beyond just business units, from regulators to customers to the board.

It is a monumental task to balance the equities of all these stakeholders, while simultaneously pushing uphill the big rocks of deploying two-factor authentication, protecting against phishing attacks, or just improving basic cyber hygiene.

If improving cybersecurity is pushing a big rock up the hill, think of cyber risk as many rocks rolling downhill to crush you. You can’t simply stop pushing one big rock to divert your attention toward the avalanche. Your job as the CISO is to get your organization out of the way of the avalanche, and enlist the whole of your organization to avoid — or at least minimize — the impact.

Think about all the equities a CISO has to balance from all their stakeholders — what matters to a regulator, customer, third party, or business unit? Each has different requirements, different expectations, and a different measure of success.

To really see what matters in an organization, look at their budget allocation. This is where leadership really makes decisions about what matters — and that is the conversation where cybersecurity needs a seat at the table. This is where you can spread the responsibility of digital cyber risk management around. PwC’s 2016 Global State of Information Security report found that an increase in board participation in cybersecurity budget discussions resulted in a 24 percent rise in security spending. If you don’t get cybersecurity risk management incorporated as part of your budget process, through your Digital Risk Management program, you will be trying to push this cyber rock up the hill alone, and you will lose.

If you are not able to make the argument for cyber risk appetite to your CFO, unfortunately the court of public exposure will make the point for you — through a breach that significantly impacts your organization’s mission and reputation.

In this case, it will only be after a public reputational impact that leadership attention will then bring cybersecurity to the table. Likely with different leadership.

The financial sector and Federal Government are out in front with upcoming regulations and guidelines requiring executive budgetary buy-in for digital cyber risk. Information security is expected to be addressed as a component of an organization’s overall Digital Risk Management program.

Many ants make light work (credit: Andrey Pavlov)

Though this program may sit under the CIO, the CFO or the Chief Risk Officer, the important message is that right now is the right time for CISOs to get their cyber risk management program aligned and on the radar for Digital Risk Management. This is the beginning of enlisting the rest of the business in the task of pushing the cyber rock uphill.

The core value of defining a risk appetite for cybersecurity is to get buy-in at the executive level. Increasingly, the executives are required by regulation to sign off on a risk appetite statement — what matters — transferring responsibility for business-generated risks to the business units.

At the same time, business units cannot be left to secure themselves without assistance or guidance. The CISO will always be the advisor and leader for cybersecurity. They will provide business with tools and insight to determine their cyber risk exposure, and how much cyber risk is acceptable.

Breaking up responsibility for Cyber Risk Management (credit: Andrey Pavlov)

This is what the future of Digital Risk Management looks like: the cybersecurity challenge is broken up into manageable elements, with responsibility distributed throughout the organization. Each business unit identifies and instinctively understands the cyber risk they are taking on. Taking on too much risk makes them “nervous” from a business perspective, not a cyber one.

The role of the future CISO is as a coach and mentor to help business units maintain an acceptable level of cyber risk as part of the Digital Risk Management function. The CISO and business units work together to propose a risk appetite and establish a threshold for risk tolerance. Cyber Risk Appetite is approved by executive leadership, and reported against established risk tolerance thresholds.

This doesn’t mean life is any easier for a CISO, as they will always carry the greatest cybersecurity load. However, a breach no longer results in their immediate dismissal — provided the organization was operating within established thresholds. Cybersecurity is shifting from “first line of defense” blocking and tackling to also incorporate the “second line” management function for strategic cyber defense.

In addition, if an avalanche starts tumbling down from above — when a Line of Business takes on risks that exceed the organization’s risk threshold — the role of the CISO is to align that business unit’s motivation by putting the Line of Business that created the risk in front of the avalanche, so that it owns the risk.

In part three, we will look at the steps of a Digital Cyber Risk Appetite engagement and how it differs from similar exercises you may have performed in the past.