We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X

Risk in Context

Of C-Suite Importance: The CISO

07 September 2020

Businesses that recognize the growing need and power of digitization must understand the importance of a Chief Information Security Officer or Chief Security Officer (CISO or CSO). A CISO focuses on managing cybersecurity and limiting cyber risks and breaches. This involves using initiatives across people, process and technology to manage numerous constantly changing security technologies and ensuring they all work together to address cyber risk. As this involves the intersection of people and technical knowledge, a CISO must be an excellent communicator, manager and thought leader.

A Business (not IT) Problem that requires Quantitative Metrics

A cyber event can lead to business interruptions with dramatic consequences such as reputational damage and loss of revenue. As such, cyber risks should be considered business risks and reported to the board of directors. In the Asia Pacific, however, many CISOs are still considered the IT managers and IT problem solvers. 

Often, a CISO will inherit an existent risk register that incorrectly defines cyber risks as IT security risks, such as describing a Distributed Denial of Service Attack (DDOS) an IT risk. This can block further discussions on its implications with the business stakeholders.

Furthermore, security professionals have traditionally used qualitative frameworks to characterize cyber risks. These are built on instinct and are ineffective in objectively measuring risks in accurate financial figures.

Red, yellow, green, or high, medium, low as qualitative indicators



While this framework has its benefits, it does not allow security professionals and CISOs to answer the following questions:

  • What is the likelihood that the organization will experience a material cyber event in the next 12 months? 
  • Is the risk greater than 50%? 
  • What are the associated financial losses? 

It is crucial to put numbers ($$) to cyber risks. This ensures visibility on possible financial losses from cyber-attacks and/or data breaches and can help CISOs:

  • Calculate the company’s risk appetite
  • Validate the cybersecurity budget and ROI
  • Prioritize initiatives
  • Transfer residual risks to cyber insurance
  • Clearly communicate the above-mentioned points and a cyber strategy to key stakeholders

CISOs will thus benefit from using quantitative frameworks as tools to understand their organization’s exposures, prioritize cyber initiatives, request additional budget and prove cybersecurity’s ROI. This approach opens up tremendous opportunities for managing cyber risks and is crucial in an ever-changing technological landscape and complex regulatory requirements.

For the CISO to bring their full value, the risk-measuring process must be:

  • Business-oriented and NOT treated as an IT exercise
  • Connected to the broader enterprise risk management practices
  • Aligned with enterprise risk management and business goals
  • Managed by the CISO
  • Owned by the board

In the cybersecurity industry, FAIR (Factor Analysis of Information Risk) is the only widely known framework for cybersecurity and operational risk using quantification. It provides the best practices to help organizations measure, manage and report on information risk from the business perspective. It is a good starting point, but more must be considered.

Organizations or the boards, with the guidance of their CISO, must:

1. Understand cyber risk ownership and liability

Following a data breach or cyber-attack, liability mostly lies with the business owner, not the CISO. For example, under U.S. law (except HIPAA which places direct liability on a data holder), in a cloud environment, it is the data owner that faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder.

2. Define cyber risk as a business risk

Most organizations cannot adequately describe the cyber risk they face, let alone the amount of provisional business interruption that risk presents. Therefore, it is critical to present those risks in a business context and not as technical IT risks. 

3. Quantify cyber risk: Identify, Protect, Detect, Respond, Recover

Identify: The critical steps to starting your cyber-security journey include ensuring visibility to the most valuable assets and understanding the associated threats and cyber risks. While this can be difficult, a starting point is to consider scenario analysis that estimates with decent accuracy the financial cost and the severity of cyber events.

Considerably more challenging is determining the likelihood of an event such as a successful phishing attempt or ransomware attack. Hence, companies must adapt quantitative models to their risk profiles and relevant scenarios. While experts have options of models, from Monte Carlo to sequential tree models, no model is perfect, but if well-chosen and adapted, risk quantification can enable business leaders to better understand the risks of cyber and take actions to effectively manage them.

This identification phase answers the fundamental question: “What is the likelihood that our organization experiencing a cyber-event causing a loss of greater than, say, $250 million in the next 12 months?”

Protect: After risk identification, the second step is to understand the risks to mitigate, treat, stop or transfer with a cyber-insurance. Here, the mitigation controls need to include a defense-in-depth approach, an approach that provides multiple defensive measures when a security control fails or a vulnerability is exploited. This approach should be implemented across people, processes and technology, including instilling the right culture across the organization.

Detect: An organization must be able to detect any suspicious activity or event. This has been a challenge for many organizations as they open up more areas of vulnerability with new technology adoption.

Respond: The organization must respond effectively to a security or data breach incident. This process needs to be prepared proactively.

Recover: Ensure a proper recovery following an incident.

All the steps are part of a continuous journey, as cybersecurity should be part of an organization’s process and culture.

4. Establish clear understanding of residual cyber risks

100% security does not exist and is not a suitable goal for organizations. CISOs are not there to ensure full-proof security. Their role is to build a suitable cyber risk management process. There will always be residual risks that might be transferred, for example, through cyber insurance.

5. Evaluate third-party risks

Organizations must evaluate impacts across their organization and assess their third parties and vendors. They are sometimes the weakest link, particularly when adopting cloud technologies and assuming security by default.

Often, there is no clear mention of security and privacy requirements in the contractual clauses. In fact, cloud is based on a shared responsibility model and therefore the service provider will not take care of the security of the organization’s data, unless the organization purchased a service to do so explicitly, for example, with managed services.

6. Develop resiliency metrics

Risks can be reduced by having the right knowledge, communicating it to employees, and ensuring an effective behavioral change, such as educating employees on recognizing potential malicious links.

However, organizations often lack this knowledge. It is not effective to have in place an anti-virus or a firewall. Without the right awareness, culture and approach towards cybersecurity, organizations have a false sense of security, thinking that an expensive software or hardware will address all their cyber risks.

As mentioned, defense-in-depth controls need to be implemented across people, processes and technology for cyber risks to be considered effectively managed.

Conclusion

Leaders have to consider: “Am I able to understand the cyber-risk related to the adoption of a new technology or new technologies? Am I able to define my cyber-risks when working with third parties? Do I understand my liability when a data breach occurs? Do I understand that 100% security is not achievable?”

While this list is far from exhaustive, it points to the need to integrate cyber risks to the wider enterprise risk management and value chain, linking it to the business.  The rapidly changing technological landscape necessitates the ability to improve decision-making while being totally conscious of cyber risks.

This approach not only shapes our understanding of evolving cyber risk scenarios but also allows us to evaluate potential  “black swan” or “gray swan” scenarios.  As such, organizations can evaluate cyber risk capital investments, including the trade-off between security and efficiency, from the perspective of the potential return on investment for those activities.

Magda Chelly

Cyber Risk Consulting Leader, Marsh Asia.