When it comes to cybersecurity strategy, perhaps the single most important goal for boards and CEOs is defining the enterprise’s cybersecurity risk tolerance. Everything in cybersecurity is a tradeoff, a juggling act between cost, effort, likely results, and risk acceptance. What the chief information security officer (CISO)—or the chief security officer (CSO) or chief risk officer (CRO)—needs to know is, “Where does the board want to draw those lines?”
The best example of this scenario in action happened about a year ago, in March 2020, when the COVID-19 pandemic forced widescale changes for almost all businesses. Enterprises quickly agreed to a vast reshuffling of the workforce, moving from a typical 10 percent remote and 90 percent in-person workforce to a complete flip, where many enterprises had 10 percent or fewer of their workforce in corporate offices. But accepting such a massive increase in the number of remote workers—and doing so in a few days—posed a gigantic increase in risk.
Boards overwhelmingly accepted those risks and approved the changes, mostly because they felt they had no choice (and, truth be told, they were right in having that feeling). That said, did those board members and their CEOs accept those risks willingly and with a true understanding of what they were about to accept? Was it explained effectively? Did board members ask the right questions and insist on relatively concrete answers? Were board members given sufficient information that allowed them to know the right questions to ask? Was there discussion of whether every home office had a LAN (local-area network) dedicated solely to corporate work or whether virtual private networks (VPNs) could handle the huge increase in load? And what would workers likely do if the VPN connections failed? Would they cut security corners?
Many stories have been written offering guidance to CISOs about how they should talk to their boards. But perhaps that question needs to be flipped: What are the best ways for board members—whose expertise runs the gamut but doesn’t typically include extensive cybersecurity training—to get the information that they need from CISOs, chief information officers (CIOs), and other security experts within their enterprises?
One way is to literally ask what the risks are. “What could go wrong? In your opinion, how likely is it to go wrong? How many of our competitors in our vertical are doing this? You have a lot of people on your team who have strong opinions. What would be their best argument about why we should consider not doing this?”
This isn’t a suggestion to be timid on cybersecurity. Far from it. But board members need to insist on understanding the risks. Only then can they properly discuss those risks with other board members and achieve a consensus on setting the enterprise’s risk tolerance.
A 2020 McKinsey survey of mostly North American financial institutions with the Bank Policy Institute found that the overwhelming majority (95 percent) of board committees discuss cyberrisks and tech risks only four to five times a year. Would boards ever discuss revenue trends only five or six times a year? Or acquisition strategy?
Cybersecurity today is an essential part of enterprise life, impacting data protection, compliance, potential litigation, and the customer perception of the enterprise’s protections. It can influence acquisitions and sales (especially the due diligence for acquisitions), geographical expansion or shrinkage, new product lines, and the cost of supporting employees and contractors. It can (or should) influence the selection of all manner of partners (cloud, supply chain, outsourced call centers, et cetera) well beyond traditional IT and security considerations.
Risks continue to evolve
There are two kinds of risks that board members need to think about: the risk in any intentional and deliberate change to the enterprise’s environment (new tools, new techniques, changes in cloud operations, et cetera), and the threat of risk change from any operational change (such as acquiring a company that has military subcontractor revenue, which might therefore invite nation-state attackers or a change in geography that might expose the company to different attackers or even different compliance requirements).
The external threats have changed significantly during the onset of COVID-19 and they are likely to change again in new ways as enterprises start to slowly bring workers back to corporate locations.
For example, many enterprises effectively lost on-premises operations as empty buildings forced them to be outsourced to the equivalent of private clouds. Organizations need to understand the implications of bringing employees back into offices and the enterprise risks and benefits associated with doing so. The shift back to in-person operations gives boards the chance to reconsider all manner of operations. It’s a golden opportunity.
The threat landscape changed following the COVID-19 pandemic, and the cybersecurity challenge is not exclusive to Iberia. It’s global in scope. Cybercrime statistics from the Federal Bureau of Investigation (FBI) showed US incidents have steadily increased from 2016 through 2020. For monetary losses, increases have been gradual but steady, rising from $1.5 billion in 2016 to $4.2 billion in 2020. But when the FBI looked at the number of complaints/incidents reported, 2020 showed a very sharp increase, rising from 298,726 in 2016 to 791,790 in 2020. This is consistent with many reports that cyberattacker tactics were relatively unchanged but that the volume of attacks soared as the use of less-protected home offices increased.1
Cybercriminals are opportunistic
The FBI report indicates that most cybercrime types (nonpayment/nondelivery, extortion, personal data breach, and identity theft) were relatively flat, but phishing attacks soared, rising from 26,379 incidents in 2018 to 114,702 in 2019 and then to 241,342 in 2020. It’s unclear how many phishing attacks would have happened in 2020 had COVID-19 not been a factor, given that the sharp rise began in 2019.
A report published by the CCN-CERT shows that 23 percent of large companies in Spain have suffered a security incident in the past year. In the case of small and medium-size enterprises (SMEs), the percentage drops to 12 percent and, for citizens, it rises to 28 percent, below the European average of 34 percent.
Increased data sharing and information exchange over decentralized and unsecured end-user networks open multiple vectors for cyberattacks, leaving users and their organizations more vulnerable.2
In addition, there is an increasing concern regarding data regulatory compliance. This is reflected in a recent client survey that McKinsey conducted, in which 47 percent of participants claim that they weren’t sure they could guarantee a sufficient level of data protection in a post–Schrems II environment. The Schrems II ruling stemmed from a dispute between Ireland’s Data Protection Commissioner and Facebook Ireland, along with Maximilian Schrems. The decision undercut the European Commission’s adequacy decision for the EU-US Privacy Shield Framework. The privacy-policy implications extended well beyond Europe into the United States and other regions.
One of the key environmental changes has been the years-in-the-making reduction or elimination of the enterprise perimeter. Much of that stems from a flood of new endpoints, including lines of business spinning out their own shadow cloud deployments, remote sites with varied security, mobile communications entirely sidestepping IT/security (such as a field representative creating a proposal on a smartphone and emailing it directly to a client’s personal device), and Internet of Things devices of every kind.
Boards should adopt a proactive and systematic approach to foster cyber accountability and compliance within organizations
It is key for boards to get more involved in understanding the cyber value at risk with their companies not only because a rising number of breaches are making headlines but also because regulators are increasingly holding companies accountable for addressing their gaps in cybersecurity and privacy data.
To illustrate this, a new state regulation published by the Spanish government last February mandates the creation of the information security officer (ISO) role.3 The regulation compels operators of essential services to guarantee that the ISO has sufficient means and resources to be able to carry out their functions in a real and effective way. This decision—coupled with the European Union’s General Data Protection Regulation (GDPR) requirements for a data protection officer—is important for board discussions as it could indicate a governmental or regulatory trend of requiring companies to create new positions with special protections and authorities.
Implications for the cyber function in the new, multistakeholder security reality
Companies should consider a comprehensive security transformation, integrated with business objectives, by establishing and implementing an overarching cyberrisk management strategy that breaks down silos, enhances organization capabilities, and enables multistakeholder engagement.
To achieve this, companies should seek to prioritize security-program portfolios to optimize risk reduction, understand cyberrisk maturity relative to its risk appetite, create a platform for risk-based conversations within the organization, and adopt a risk-based approach to regulatory compliance in cybersecurity management. This must start, though, with directives and guidance from the board and the CEO. Otherwise, different C-levels could go in different directions or, potentially worse, the CISO could just guess what the board and the CEO truly want and how far to go.
Four key factors for rethinking the cybersecurity approach
There are four key factors that enterprises can use to successfully rethink the “way of working” of their cybersecurity efforts, leveraging a risk-based approach:
1. Integrate cybersecurity into enterprise risk management (ERM) processes—identify threats to address and understand the organization’s risk profile using a risk appetite grid
All companies should ensure that cybersecurity risks receive appropriate attention as they carry out their ERM functions. Cybersecurity risk information provided as inputs to ERM programs should be documented and tracked in written cybersecurity risk registers that comply with the ERM program guidance. Much of this will also impact various other business units, including IT, legal, compliance, data privacy, customer service, manufacturing, and so forth. Done holistically, this will cross silos and geographies.
Overall, companies lack a clear understanding of their risk appetite, which forces them to make business decisions without weighing the associated risks, even though they know that a zero-risk decision does not exist.
To solve this issue, companies can start by identifying threats and potential threat actors via threat intelligence and threat modeling to gauge the likelihood of an incident based on identified vulnerabilities in key assets and related ease of exploit. Next, companies can map each risk scenario to the risk appetite grid, where scenarios off the grid area would require specific effort to buy down risk.
Defining risk appetite is an important first step because it will shape the organization’s cyber strategy, guide task prioritization, and determine the level of resources and investment allocated to ensure that the benefits outweigh the costs of implementing the cybersecurity strategy.
For example, a global oil and gas company headquartered in Spain ran a comprehensive diagnosis to understand its exposure to different threats and vulnerabilities. As a result, more than 100 initiatives were identified as ways to increase the resilience of the organization.
The responsibility for this factor falls to the CISO and CRO, and the board must be accountable for it.
2. Align current investments and initiatives across business units to define security strategy—identify risk scenarios that can be brought onto the grid
Today, most companies are making cyber investments that aren’t aligned with their overall business strategy and are focusing their cyber efforts in areas that may not be relevant from a business perspective.
To define a proper security strategy in line with the business, companies can start by assessing existing business-unit-led or enterprise-led cyber initiatives across units and consolidating sources of funding for security investment. In determining which initiative to adopt, it’s important to demonstrate how the initiatives can help buy down risk for each scenario that’s off the risk appetite grid. Next, companies can illustrate how previously mapped risk scenarios can move from off grid to on or within grid over time, based on the initiative timeline.
Over time, companies should rebalance cybersecurity investments by identifying initiatives that are not related to risk reduction and evaluating them against business objectives based on the value-in-risk principle, to see if nonpriority items can be postponed or suspended. Budgets from these items can be redistributed to accelerate current or new risk-management-related activities.
Identifying and prioritizing key initiatives for investment is crucial because it allows companies to achieve maximum impact with optimal resources.
For example, a leading Spanish healthcare company conducted a digital resilience assessment that reviewed two business units, setting the strategic direction for more than €30 million in cybersecurity spend. During the assessment, more than ten critical assets and approximately 70 control gaps were identified to buy down the outstanding risk.
The responsibility of this factor falls to the CIO and business information security officers (BISOs).
3. Enable a successful ‘value-at-risk’ management approach—ensure the right processes, organization, and culture are in place
Nowadays, companies aren’t including security in their culture. The different departments within the organization view security as a controller that limits their activity rather than an ally that can help ensure associated risks are considered when making decisions.
Companies can ensure that cybersecurity is embedded into key business processes by making sure the organizational structure enables the new risk-management approach and by strengthening the culture that focuses on the business value of cybersecurity. If all stakeholders within the organization are aligned on this point, a strong business-value-based risk culture can be built.
At the same time, boards should ensure that they know about the cyberrisks and technology risks that their organizations face by receiving regular updates detailing potential impact, understanding how the leadership is addressing these risks, and participating in awareness and education sessions (for example, tabletop drills, cyberincident simulation).
Board engagement in cybersecurity is essential because the board not only has responsibility for steering the organization in the right strategic direction, it also has the duty and obligation to protect and create shareholder value. As McKinsey recently reported in a global survey among top financial firms, 91 percent of them acknowledge the importance of keeping the board aware of ongoing risks and building cybersecurity knowledge.
This awareness should spur a change in company mindset. It needs to change from one of security enforcement to one that embraces security adherence and treats the business as the owner of cyberrisks and cybersecurity, responsible for managing them.
For example, a Portuguese financial institution conducted a “value at risk” assessment by leveraging a cyberrisk program; key initiatives were identified and prioritized, which led to a complete redesign of the cyber organization and operating model.
The responsibility of this factor falls to the CISO and CIO. The board must be accountable for enabling this approach.
4. Enable the right tools to assess cyberrisks and track the risk-reduction progress—let key risk indicators (KRIs) and key performance indicators (KPIs) do the job
At the moment, companies have limited capabilities to track and assess cyberrisk scenarios. The lack of these tools makes decision making more difficult and doesn’t ensure a holistic view of the overall cyberrisk environment.
To ensure the right monitoring and tracking, companies can track initiative progress and the risk reduction achieved by developing KRIs and KPIs. A dashboard of relevant KRIs and KPIs can be introduced to regularly track and report on risk-reduction progress. Executive report templates can be used to give visibility to overall cyber investment and the business unit’s or enterprise’s risk posture. The scope of the metrics should ideally include not only IT but also operational technology. The board should make sure this widening of scope happens.
Leveraging the KRIs and KPIs is essential because they serve many purposes. Data they provide serve as a foundation for decision making and continuous improvement and allow companies not only to track past events but to prevent undesired events in the future. This can only be done after enough data are accumulated for analytics and predictive modeling. In this sense, leveraging next-generation technology is essential to enable the change in how enterprises work and to make sure proper cyberrisk strategy is taking place.
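To make the mechanics of factors 1, 2 and 4 concrete (mapping risk scenarios to a risk appetite grid, showing how initiatives move off-grid scenarios back on grid over time, and reporting KRIs/KPIs for the board), here is a small worked example. It is added for this article and is not code from McKinsey or from any of the companies mentioned; the five-point likelihood and impact scales, the appetite threshold, and every scenario, initiative, cost and risk-reduction figure are constructed assumptions chosen to illustrate the method.

```python
from dataclasses import dataclass, field

# Assumption: five-point scales for likelihood and impact (1 = lowest, 5 = highest).
# Risk appetite grid (assumed): a scenario is "on grid" when likelihood x impact
# is at or below APPETITE_MAX_SCORE, with one hard rule that an impact-5
# scenario is tolerated only at the lowest likelihood.
APPETITE_MAX_SCORE = 6


def within_appetite(likelihood: int, impact: int) -> bool:
    """Return True if the (likelihood, impact) cell lies inside the appetite grid."""
    if impact >= 5 and likelihood > 1:
        return False
    return likelihood * impact <= APPETITE_MAX_SCORE


@dataclass
class Scenario:
    name: str
    asset: str
    likelihood: int
    impact: int

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Initiative:
    name: str
    cost_eur: int
    quarter: int  # quarter in which the initiative is delivered
    # scenario name -> (likelihood reduction, impact reduction) once delivered
    reductions: dict = field(default_factory=dict)


def clamp(value: int) -> int:
    return max(1, min(5, value))


def residual_risk(scenarios, initiatives, quarter):
    """Residual scenarios after applying every initiative delivered by `quarter`."""
    residual = {s.name: Scenario(s.name, s.asset, s.likelihood, s.impact) for s in scenarios}
    for init in initiatives:
        if init.quarter > quarter:
            continue
        for name, (d_like, d_imp) in init.reductions.items():
            s = residual[name]
            s.likelihood = clamp(s.likelihood - d_like)
            s.impact = clamp(s.impact - d_imp)
    return residual


def dashboard(scenarios, initiatives, quarter):
    """KRIs (risk position) and KPIs (programme delivery) for one reporting quarter."""
    residual = residual_risk(scenarios, initiatives, quarter)
    delivered = [i for i in initiatives if i.quarter <= quarter]
    inherent = sum(s.score() for s in scenarios)
    residual_total = sum(s.score() for s in residual.values())
    bought_down = inherent - residual_total
    spent = sum(i.cost_eur for i in delivered)
    off_grid = sorted(n for n, s in residual.items() if not within_appetite(s.likelihood, s.impact))
    return {
        "quarter": quarter,
        "kri_off_grid_scenarios": off_grid,          # KRI: what is still outside appetite
        "kri_residual_score": residual_total,        # KRI: aggregate residual risk
        "kpi_initiatives_delivered_pct": round(100 * len(delivered) / len(initiatives)),
        "kpi_risk_bought_down": bought_down,          # KPI: inherent minus residual
        "kpi_eur_per_risk_point": round(spent / bought_down) if bought_down else None,
    }


# Constructed sample register and programme (hypothetical, for illustration only).
SCENARIOS = [
    Scenario("Ransomware on ERP", "ERP", likelihood=4, impact=5),
    Scenario("Phishing credential theft", "Workforce identities", likelihood=5, impact=3),
    Scenario("Laptop loss", "Endpoints", likelihood=3, impact=2),
    Scenario("OT HMI compromise", "Plant control network", likelihood=2, impact=5),
]
INITIATIVES = [
    Initiative("Offline backups and restore drills", 400_000, quarter=1,
               reductions={"Ransomware on ERP": (0, 2)}),
    Initiative("Phishing-resistant MFA", 250_000, quarter=2,
               reductions={"Phishing credential theft": (3, 0), "Ransomware on ERP": (2, 0)}),
    Initiative("OT network segmentation", 600_000, quarter=3,
               reductions={"OT HMI compromise": (1, 0)}),
]


def run_programme(quarters: int = 3):
    """Quarter-by-quarter board report, from the inherent position (quarter 0) onwards."""
    return [dashboard(SCENARIOS, INITIATIVES, q) for q in range(quarters + 1)]


if __name__ == "__main__":
    for row in run_programme():
        print(row)
```

Quarter 0 shows the inherent position: three of the four scenarios sit off grid. After the backup initiative the ransomware scenario drops from 20 to 12 but is still off grid, which is exactly the point of tracking residual score as a KRI rather than counting initiatives as a KPI; it only comes on grid once MFA lowers its likelihood as well. The OT scenario illustrates the hard rule on catastrophic impact: segmentation brings it on grid only because it reaches the lowest likelihood band, and including it at all reflects the article's point that the metrics should cover operational technology, not just IT.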
For example, a leading Spanish energy company developed a dashboard under its cyberrisk-transformation program to improve transparency across different organization levels and successfully introduced more than ten KRIs/KPIs for tracking and reporting.
The responsibility here falls to the CISO and CRO.
As business evolves post-COVID-19, so too will the cyberrisks
As the world evolves to become more digital, Iberian companies and organizations, starting at the board level, must adopt the new approach in cybersecurity to address increasing threats and the accompanying regulatory scrutiny. The introduction of new regulations in data and privacy protection, such as GDPR, several US states passing privacy legislation, and the latest Schrems II ruling, means that corporations need to transform the way they work to meet increasing accountability and compliance requirements.
The proposed four key success factors are concrete steps companies can take to adopt a risk-based approach in a resource-efficient manner, reshaping how cybersecurity works within the organization. As we have stated before, leadership involvement is critical in order to successfully implement these factors in an organization.
Although boards must ensure top management accountability and organizational compliance, it’s worth stressing that a company’s cyber strategy must be part of its business strategy. As most business processes today contain some digital element, a cross-functional cyber organization is imperative for effective security strategy deployment, embedding risk reduction into key business activities on a daily basis. At the same time, companies should foster the “value-at-risk” management approach, which not only helps the organization to achieve optimal resource allocation but enables it to establish a culture that emphasizes the business value of risk, raising awareness across the board.
Having the right cyber organization, approach, and resources in place will allow Iberian companies to maximize the value and minimize the risk brought by an increasingly digital future, and it’s time for the boards to get on board.