When boards express anxiety about cybersecurity risk, one of the foremost fears they face is reputation risk.
Why is that?
Because cybersecurity failures do cause reputation damage, and reputation risk is scary. A security failure can immediately bring unwelcome headlines, hits to the share price and probing questions from business partners
Security failures can also be difficult to diagnose quickly-and if your first assessment of the problem underestimates the severity, the business then may face a repeat disaster. No wonder boards dread reputation risk.
That doesn't need to be the case. Reputation risk really is a fear that how others perceive you will turn sour. Boards worry that the public will look at their organizations after a security failure and say, "Ugh, that shop just doesn't have its act together."
With proper collaboration among the board, the CISO, and other senior leaders, the company can have its act together-and more importantly, keep it together. Once that's established, public perception of the organization will change much less, and your reputation risk falls.
Admit the Obvious; Then Plan for It
Boards have a duty to be honest with the investing public, so let's start with some honesty here. All companies experience cybersecurity lapses, and these lapses generally don't cause long term debilitating reputational damage. The closest financial measurement we have of damage to reputation is share price. For most large companies that experience a security failure, the share price does fall-but then it rebounds, as normal business and growth resume. For privately held companies, we don't even have this metric; we must go off hits to the bottom line, or other measurements to gauge the impact. Nevertheless, companies do typically bounce back.
That is the crucial point here: normal business and growth must resume. If the company can do that quickly, its reputation will revive. So the job of the CISO is to work with other senior executives and ensure the company's ability to return to normal is always intact.
Perceive reputation risk this way, and suddenly new priorities arise. For example, the real threats from a cybersecurity failure are business interruption, failure to gauge the problem correctly, and failure to explain the problem to other stakeholders (whether they are regulators, consumers, business partners, or all three). Many times, a considerable portion of costs related to a cybersecurity event are in the "tail" - the longer term investments made to clean up the mess left from the incident, not necessarily the immediate costs associated with the event.
The CISO's job within the company is to work with the right colleagues to address risks. One easy example is to create an effective breach disclosure plan; this requires close collaboration with the chief compliance officer, and possibly the director of investor or media relations. Or if you are trying to tackle business interruption risk, you may need to work with an enterprise risk management team or a chief risk officer who oversees the company's insurance coverage.
The point is, in the modern world, an organization's value is deeply connected to its ability to create and preserve value. Since digital assets (customer data, historical records, intellectual property, and so forth) now account for such a large part of organizations' value, the ability to protect those assets is also crucial to creating and preserving value.
That's the chain of logic here. Digital assets are crucial to value; creating value is crucial to preserving an organization's reputation. So, the better your organization is at preserving value-even when we define "preserving value" as "getting back on your feet as quickly as possible after a security failure"-the more it can reduce reputation risk.
Board directors grasp that sequence intuitively. The CISO's job is to walk them through that sequence specifically, at the company they oversee. So if you can tame the underlying security risks that can lead to a poor reputation, reputation risk will recede, too.