CISOs carry the responsibility to explain to the rest of the C-suite that cyber-risks are not different from business risks, and to find quantified ways to prove it
Leadership executives need to treat cyber-risk as just another business risk; the failure to do so is fast becoming one of the biggest causes of misalignment between the C-suite, the CISO, and the board. Another facet of the issue is that many of the processes and tools used to manage and measure business risk today were in use long before cyber-risk became a concern.
Adding to the complications is the siloed structure of security functions, in which most staff have very little exposure to other areas of the business, and even less to business risk. Whatever the reason for the misalignment, it has proved problematic.
These days, business risks are not separate from cyber-risks. In fact, cyber-security threats are a key part of business risk, given that they can cause downtime and loss of brand image, and thus business disruption. Managing business risk effectively is only possible when cyber-threats are also accounted for and aligned with it. Experts have observed that many business leaders do not come from security backgrounds, and hence tend to be less familiar with security terminology and with how security can affect the business and its risk.
Experts suggest that CISOs need to work on their language when communicating the risk posed by, for example, an unpatched vulnerability. The details of, and instructions about, that risk cannot be expressed in the same words for the security team as for the business-oriented C-suite.
Another challenge posed by cyber-risk is measurability. Other business risks such as fraud, compliance, operational and credit risk can be tied to business losses within the risk management and assessment process; in fact, these processes are how C-suites justify resource and budget allocation across business functions. In cybersecurity there are far more unknowns and far less historical data to help security practitioners and risk analysts estimate them. In response, CISOs are seeking out what limited historical data exists and turning to threat intelligence, especially business risk intelligence (BRI), to better anticipate the risks to which the business is most susceptible.
It is suggested that CISOs develop a risk appetite statement: a concise document outlining the types and the amount of risk a company can and cannot tolerate, and answering the 'why' in the context of its operations and environment. Although such an approach is well established, it has been observed that many businesses do not have a risk appetite statement, and where they do, it was developed without input and guidance from the CISO.
In the absence of a risk appetite statement, experts believe the CISO must collaborate with the appropriate stakeholders, which generally include the board, the C-suite and other senior-level leaders, to create a statement that incorporates cyber-risk. If a statement already exists, the CISO can instead create a separate but complementary cyber-risk appetite statement that also aligns with business objectives.
It is important to remember that the ultimate goal in both situations is, above all, to contextualize the business's cyber-risk, its cyber-risk controls, and the supporting data, and to do so in a manner that resonates with decision-makers and stakeholders across the enterprise.