Bank of England’s CISO, Will Brandon, delivered a speech at City Week 2016 on May 10th, 2016, in London to highlight the need for business leaders to take ownership of cyber risk as opposed to delegating it to technologists within their firms.
Cyber risk needs to be prioritized among all other risks.
“There is a tendency for boards to look at it, fear that it’s too technical to understand, and then delegate the whole issue to technologists – who duly deliver some technological fixes. The trouble with that is that most cyber-attacks are not exclusively – or even mainly – technical in nature.”, said Will Brandon.
In the Allianz Risk Barometer report for 2016, cyber incidents made the top five of ten concerns for global industries. Industry professionals are cognizant of cyber risk as a major concern facing their organization but, fear of the “unknown” does not justify ignoring the problem. Therefore, cyber risk needs to be managed in coordination with the other risks that are facing the business. A potential breach impacts business processes and therefore should not only be managed from a technical perspective but also needs to be managed by the business. Organizations need to know the impact of what they fear in the case of a cyber attack. In fact, the above report cited the estimated costs associated with cyber incidents/crimes to the global economy at $445 billion per year. However, treating cyber risk as a business risk can help you to minimize the level of financial loss associated with a cyber breach. Ultimately, not treating cyber risk as a business risk has financial ramifications. The consequences for an organization range from primary losses such as loss of productivity and revenue which could result in secondary losses such as reputation loss, legal fees stemming from penalties delivered by regulators and more.
Cyber risk is being delegated to IT, and that’s a mistake because cyber risk is business risk
Brandon continued: “You should also be clear that the owners of those information assets are the owners of the business processes they support: they own the risk. Not the CIO, not the CISO: it is the owner of the business process who should be accountable.”
It is self-evident that the skill set used to defend an IT infrastructure is different from managing and reporting the overall financial health of an organization to shareholders. This lends to business leaders delegating risk to the IT department. Just because technologists can find ways to stop individual incidents does not mean the organization will be safe. Risk management decisions are not just about IT stop-gaps, but also involve setting the policies, the priorities and the risk objectives of an organization from the business perspective. In order to accomplish that, business process owners should own cyber risk and be held accountable for the management of it.
Risk Quantification is key for business executives to understand and manage cyber risk
Brandon concluded with: “So, to sum up, cyber risk is one of many risks. It is certainly serious, but it can be understood, and it can be quantified. So it needs to be managed like anything else that could damage a firm’s business – by understanding it, and then by balancing investment in mitigation against similar investments that are needed across the business.”
Standard cyber risk quantification models like FAIR have emerged and can help business owners take ownership of cyber risk. As the only standard Value-at-Risk model for information security and operational risk, the FAIR model provides defensible results in answering what the financial risk looks like for critical assets and applications within an organization. In fact, RiskLens is the only cyber risk management software purpose-built on FAIR. Cyber risk quantification could be the solution for you and your organization to quantify your risk. If so, schedule a demo with a member of our team. We look forward to hearing from you!