When a senior executive tells the board he or she wants to discuss the company's risk appetite, usually the board's interest is piqued. After all, understanding an organization's risk appetite is critical to the decisions the board makes.
So why should defining a company's cyber risk appetite be so difficult?
A CISO's role is to understand what the company's cyber risks and capabilities actually are, and then help the board have a more productive discussion about IT and security risk. So why do many organizations today struggle with this subject?
To answer that question fully, first we need to clarify what "risk" and "security" mean in a basic, strategic sense. Risk is the effect of uncertainty on objectives; it centers on possible exposure to harm. To analyze risk is to analyze the intersection of the probability of an event and the potential impact a person or organization could suffer from that event.
In contrast, security is our immunity from harm. It is the protection put in place to prevent an unwanted event. It can factor into the probability (lowering the odds of the event occurring), the impact (minimizing the harm from its occurrence), or both. There is a choice involved in security. You can sprint out into traffic if you so desire, or you can look both ways and judge the most prudent path to cross the street. That last part, the choice, is the crucial point for the board. Above all else, CEOs and boards always want to keep their options open, so they can continue to make decisions and proceed with whatever plans they adopt, but WITH a sense of security.
The CISO's job is to talk about cybersecurity threats and counter-measures in those terms: how much harm various threats can cause the business; how much immunity from harm your security measures can deliver; and how those choices affect the business's options to act. That connects cybersecurity to the business, and shows how cybersecurity can help the business as it moves forward according to the board's strategy.
That's the concept. Now let's put some specifics around how to tie together all three components (risk, security capabilities, and business needs) into one coherent understanding of cyber risk appetite.
Crossing the Threshold
We've noticed in the past that companies seem to develop a stronger cybersecurity function after they reach $1 billion in annual revenue. The easy analysis would be to say that once companies hit that size, they have the resources to hire more staff and to invest in more sophisticated systems, which is true, but that's not the whole story.
The $1 billion threshold is really an opportunity to talk about how companies consider and handle risk. For example, smaller companies can be more comfortable with risk: they are generally more agile when responding to business pressures and therefore have more latitude in how they balance risk and security. They may have fewer stakeholders to keep in mind if something goes wrong; they often have fewer regulatory requirements where non-compliance could lead to unwanted headlines or painful fines.
In other words, smaller enterprises can exploit their size and agility to evade risk. They still need to invest in strong security procedures, but their smaller size is an additional capability that helps their security posture. We certainly know, though, that smaller companies are not immune to risks. Their agility at responding to risk gives their leadership options, but the price they could pay if something goes wrong could be more significant. There is not much cushion to absorb a major event within a small company.
Large companies don't have the agility to evade risk, but they do have more resources to reduce risk, and for large organizations, security risks are pervasive, scary, and expensive. So, if we have the ability to reduce risk, a board might reason, why wouldn't we aim to reduce it to zero?
This is where the CISO needs to step into the conversation. He or she needs to help the board understand how the company can manage security risk, even at a large organization with many risks and many obligations. And managing your security risks hinges on your company's cybersecurity capabilities.
For example, the board might be eager to expand into a new line of business where business operations will end up collecting significant amounts of consumer data. How much exposure to harm will the board accept to achieve the expected new profits? How much immunity from harm will the board want, and how much are they willing to spend to achieve it, if it is even achievable with available security? If the board truly wanted no risk, it would either give the CISO an infinite budget (spoiler alert: not going to happen, and even if it did, an infinite budget won't completely eliminate all security risk) or not expand the business at all. Somewhere between those two extremes is the organization's cyber risk appetite for this new venture.
Exactly what size the appetite is depends on the capabilities of the security system and on the business's ability to behave in a secure fashion. The CISO's job is to identify those points, working with other senior business executives as necessary. Then you can present the board with options, which is what it wants, and then, together, you can make a plan.
Learn more about the cyber risk appetite in our eBook.
Author: Steve Schlarman
Category: RSA Point of View, RSA Fundamentals
Keywords: Cyber Risk, Cyber Risk Appetite, Risk Assessment, Risk Management, RSA Archer