What Matters?

Cyber Risk Appetite: Are you Hungry? — Part One

When I speak with cybersecurity leaders in the Financial Sector, Federal Sector, and other various Fortune 500 companies, I hear one consistent concern–being asked to do too much with too little. It is as if they are paying for large lunch on a limited budget, and someone at the table keeps ordering extra appetizers.

Ironically, this isn’t an issue of funding cybersecurity budgets, as the market has shown:

  • Momentum Partners estimated that spending on cybersecurity totaled $77 Billion in 2015 and is projected to reach $170 Billion in 2020.
  • Homeland Security Research Corporation (HSRC) sized the cumulative U.S. financial institution cybersecurity market to exceed $68 Billion from 2016–2020, the largest non-government cybersecurity market.
  • The U.S. federal budget in 2017 has a 35% increase to $19 Billion for federal cybersecurity, with a specific call out to “improve the Government’s cyber risk management capability”.

This is an issue of capacity to accept and manage risk within a defined appetite.

The emerging job of the CISO is to help their business get in touch with an appetite for cyber risk by understanding the impact of taking on more risk than their organization can digest.

Over the course of a three-part series, we will look at a Cyber Risk Appetite discovery, its components, and requirements for ensuring success in the engagement.

We are seeing a maturation toward Digital Risk Management in both government and the financial sector. Many forward-leaning industries will be sure to follow. Recent guidance from the Office of Management and Budget calls out for an increased focus on Digital Risk Management, and expected guidance hints at the use of defining a “risk appetite” in federal agencies as part of their budget justification. The Federal Financial Institutions Examination Council’s Cyber Assessment Tool explicitly calls out the need for a board-approved “Cyber Risk Appetite” — a requirement unlikely to go away in the forthcoming update.

So what is — and how does an organization develop — a Cyber Risk Appetite?

Defining What Matters

Leadership has to understand when risks they are taking exceed their appetite. If they don’t do it up front, they will learn the hard way.

In the aftermath of the Sony attack attributed to North Korea, Sony CEO Michael Lynton said,“…the folks who did this didn’t just steal practically everything from the house; they burned the house down. They took our data. Then they wiped stuff off our computers. And then they destroyed our servers and our computers.” The impact of the Sony attack went well beyond what one — up until that point — might have expected. The objective was not mere theft or monetary gain; it was to deliver a devastatingly hit to morale and reputation.

This isn’t a new problem. To put this in perspective, we can look at the War of 1812. Secretary of War John Armstrong refused to take seriously the warnings about a British threat to the nation’s new capital city, Washington. At the time, the District was a small, backwater town, built on a swamp, with no perceivable tactical military advantage. His reply when pressed by General Van Ness was, ‘Oh yes by God, the British will strike somewhere: but not here! What the devil will they do here?… no, no! Baltimore is the place, sir; that is of so much more consequence.’”

The Capture and Burning of Washington (Public Domain, https://commons.wikimedia.org/w/index.php?curid=1722674)

Of course we now know that on August 24, 1814, the District was unprepared, the White House burned, and Armstrong was replaced as Secretary of War by James Monroe.

So why does this continue to happen? Do we underestimate our adversaries? It was well known that the British were the strongest military in the world in 1814. Armstrong assumed the British would go for the clear military advantage in Baltimore. He was too narrowly focused and not creative enough in understanding the motivations of an intelligent adversary.

Armstrong also failed to understand the moral and emotional importance of the seat of government of our new republic, one of our critical assets. This was something the British understood well and hoped to exploit to break our spirit in an ideological attack.

Sony made the same mistake — by not understanding their adversary and being unprepared for not just the sophistication but the motivation of an attacker who wants to hurt you where it hurts you the most, not for financial gain, but to cause damage.

Determining what matters, both to your organization and to your attackers, is the first key step in identifying a Cyber Risk Appetite. Without this insight, you are delivering cybersecurity services blindly to a disconnected organization.

The best place to begin with is your organization’s core principles, values and mission statement. Sometimes these are mere platitudes included when developing organizational plans, but mature organizations take these to heart.

This is the role of a board; to provide challenge and oversight. Cyber Risk Appetite is becoming another tool in the board’s armory to maintain effective governance and oversight of their organization — to define and clearly communicate “what matters.”

Consider, for example, how a commitment to “trustworthiness” would be affected by a customer information breach. Which is really at stake; customer records themselves or the trust and reputation of your market? The two go hand-in-hand and must be articulated together in the development of a Cyber Risk Appetite.

With a clear consensus from the leadership of an organization, management can shift from security status quo to smartly portioning cyber risk management to business leadership and motivation of employees and partners to strengthen their security profile, aligned with the newly defined appetite.

In Part two, we will look at the benefits and requirements of fully engaging the business and how a Cyber Risk Appetite dramatically shifts the role of the CISO of the future.