In the National Association of Corporate Directors recent members survey, 22 percent of those responding were “dissatisfied” or “very dissatisfied” with the quality of cybersecurity reporting they received. Of the very dissatisfied, 44% complained that management "doesn’t provide enough transparency into problems."
The source of the dissatisfaction isn’t hard to find. “I have seen pages and pages of information security reports and I walk away from that not really knowing what I just saw,” as one board director said in a panel discussion at the recent Cyber Balance Sheet conference.
Directors expect to get their questions to CISOs and other cyber risk managers answered in the same dollar terms they hear about financial risk or market risk. Instead, they get “maturity scores” and heat maps that do not provide any financial measure of risk.
At the same time, corporate directors are increasingly liable for cyber risk in the eyes of stockholders and regulators. The recent guidance on cybersecurity risk disclosure from the Securities and Exchange directed public companies to “allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area”.
You don’t have to be a director of a public company to see that cyber risk equals material risk for any company – look at the massively disruptive effects of the NotPetya virus in 2017 on Merck, FedEx and other major organizations.
Directors can get their questions about cyber risk answered—and in the financial terms they want to hear, and in a timely way—if management establishes a quantitative cyber risk analysis and management program.
A RiskLens cyber risk quantification program can be stood up in 30 days; the time goes mostly into training IT risk, audit and subject matter experts in a new, more disciplined way of articulating and measuring risk: the FAIR model (for Factor Analysis of Information Risk), the international standard for cyber risk quantification. The RiskLens application that automates quantitative risk analysis is purpose-built on FAIR. The RiskLens team configures the app with loss data of your organization and your industry so analyses will generate probable loss estimates specific to your risk scenarios.
With FAIR socialized with your team, and the application in place, your risk analysts are ready to answer board-level questions in quantified terms, in as little as a few days, depending on the scope and complexity required – but certainly in time for a quarterly board meeting.
Some of the questions that boards can ask a FAIR-powered risk team:
1. What Are Our Top 5 Technology Risks?
Many organizations have gone through the process of identifying top risks, but in a seat-of-the-pants way: Our senior management got together and wrote a series of concerns on a whiteboard, we surveyed stakeholders for their opinions, etc. And that may be OK as a starting point, if the choices focus on key company assets or business processes that could materially impact revenue generation, operational capabilities, or solvency. In a quick triage, FAIR analysis can determine first which are truly risks in the sense that they have an identifiable loss-causing event: “the cloud” for instance, isn’t a risk unless it can be tied to a threat acting on an asset with some sort of resulting impact. With a more likely hit list, analysts can run a full analysis to produce for each loss event a probable range of loss in dollars.
2. What Is the ROI on Our Cybersecurity Initiatives? A standard justification for security projects has been to improve defensive posture by checking off lists of best practices (such as the NIST Cybersecurity Framework). Boards of directors can demand a higher standard: showing the return on investment (as a reduction in risk) on proposed spending. With sensitivity analysis applied, RiskLens can game out the effect of increasing various controls on the probable losses. And with before-and-after analysis for existing projects, management can be held to account for ROI (or lack of) for their spending.
3. What Is Our Risk Appetite?
Boards need a strong sense of their appetite for risk as a yardstick for judging management’s cybersecurity plans and programs. RiskLens consultants have helped many boards and senior management through the process of quantifying what may start as a qualitative judgement, for instance that a breach of one million records would cross a bright red line and translating that into dollar figures – or the reverse, starting with a dollar figure that would represent an unacceptable material loss and comparing that to the dollar figures of probable losses generated by FAIR analyses.
4. Can We Meet Regulatory Requirements on Cyber Risk?
The SEC expects public companies to proactively disclose cyber risks that could have a material impact in cost (financial) terms. The New York Department of Financial Services (DFS) has ordered its regulated financial companies to make detailed annual risk assessments (with the board and senior management signing off). The European Union’s General Data Protection Regulation (GDPR) requires data protection impact assessments to reduce the risk of privacy exposure. These standards (and many more regulations) are pushing companies toward transparent, defensible risk assessments that will stand up to government scrutiny – in other words, based on a recognized standard that yields results in financial terms.
Read more: Quantify Risk Assessment for PCI-DSS, HITRUST, GDPR and More Standards with FAIR
5. Is Cyber Risk Management in Line with the Rest of Our Enterprise Risk Management?
“The two major gaps in cybersecurity programs today are one, the lack of risk quantification and two, the lack of integration into an overall ERM program,” says James Lam, RiskLens board member and well-known authority on corporate governance. “Managing risks by silos doesn’t work.” Boards should demand that cyber risk be considered on a par with other risks the organization manages – and FAIR makes that possible by expressing cyber risk in the same financial terms that the rest of enterprise risk management programs operate on. Technically speaking, FAIR is a cyber value-at-risk (VaR) model. It is also compatible with the widely used COSO ERM Integrated Framework for enterprise risk management.
For Directors Who Want to Learn More about Cyber Risk Quantification…
CyberVista, the leading cybersecurity education and workforce development company known for its board director education work has aligned the curriculum of its popular Resolve cybersecurity training with FAIR and will partner with the FAIR Institute going forward on educational programs. And for more suggested questions that board members should ask of IT security management, read this article from NACD Board Talk: Getting the Right Cybersecurity Metrics and Reports for Your Board, by James Lam and FAIR Institute Chairman Jack Jones.