In my last post, I shared takeaways from a speech delivered by the Bank of England's CISO, on the need to quantify cyber risk. For this post, I came across an informative report published by the British government detailing how various boards of directors across industries understand the challenges and threats presented by cyber risk. Good to see Her Majesty's government focusing on cyber risk. Here are some numbers that stood out in the report and that boards and executives should note:
49% of businesses placed cyber risk as a top risk
In the last year, there has been a significant 29% increase in respondents naming cyber risk as a top risk. This increase in awareness corresponds with high-profile breaches like that of the United States Office of Personnel Management, Sony, J.P. Morgan Chase, Neiman Marcus and more. The effects of breaches, such as damage to reputation and revenue, are items that the board is directly responsible for addressing. Now, at least half of the respondents regard cyber risk as a top business risk, and no longer just as an IT risk. This should help companies proactively manage cyber risk from the business perspective versus just delegating to IT.
63% of respondents outlined their approach to risk management in their annual reports
Consumers and practitioners take note: the high number above looks great on paper and gives consumers confidence that something is being done. Now let me play devil's advocate. What methodologies are they employing to approach risk management? What we see and hear about is still mostly qualitative risk assessments. Risk ratings such as "High, Medium and Low" or "Red, Yellow and Green" do not properly convey the financial risk associated with an asset and these measurements are in many cases quite misleading. Imagine how much more defensible the risk statements would be if cyber risk were to be quantified according to standard risk models like FAIR.
33% of boards have set and understood their appetite for cyber risk
The figure above should be closer to 100% if board members were fulfilling their risk governance obligations. Customers tell us that the communication divide between the board and the business on one side and IT on the other side is very much real. Risk is expressed by cyber security teams in either overly technical terms or at best in terms of qualitative risk ratings that do not enable effective decision-making by the business regarding risk appetite. Quantifying cyber risk helps overcome this challenge by providing a common language - the financial one - that allows all stakeholders to agree on the current level of cyber risk and make decisions regarding risk appetite.
16% understand where key assets are shared with 3rd parties
Supply chains now extend beyond the confines of the enterprise into partner networks. Understanding these dependencies and their possible effect on a company's exposure to cyber risk is a must. It is surprising that many companies don't have better visibility after the high profile, 3rd-party driven breaches in 2014 such as Target. One factor might be that current tools are immature, difficult to use and missing the point. Fortunately, next-generation solutions such as Cyber Risk Third-Party, that help quickly and comprehensively assess third-party risk are emerging and should help dramatically improve this percentage.
60% of boards members have only an "acceptable" understanding of risk related to key information and data assets
Respondents' answers ranged on a scale from "poor" to "clear" understanding. In the face of heightened attacks, an "acceptable understanding" appears unacceptable. It is important for board members to "clearly understand" the risk faced by the business, particularly it's key information and data assets. If technologists used a model like FAIR to measure risk associated with that asset, they would be able to include business leaders and board members in a discussion about how to prioritize the risk and how much of the fiscal budget should be allocated into protecting critical infrastructure and digital assets.