by Dawn Dunkerley
Contributing Editor

Our third and final blog in our series on “How to manage cybersecurity risk in the board room?”

Where do we start and what do we ask?

Our cyber practice is hit with the dreaded “D” word in meetings and requests from senior clients almost daily. A “Dashboard”, however, is just a tool to aid in the governance of cybersecurity practices, not a single set of metrics that will fit the needs of every organization. This lack of uniform metrics is not driven by different technology stacks or access to resources (which can vary from industry to industry and market to market). A board-level cybersecurity dashboard is bespoke because business models differ between firms, as do the assets they own and/or operate. You would not expect the risks to an airline to be in line with those of a hospital administrator or an eCommerce platform developer.

Of course, there will be overlaps in threats and vulnerabilities across a swath of industries. However, even two operations within the same firm can have different value drivers, and those value drivers are precisely where to start managing cyber risk.

A quick anecdote: one of our clients is a large specialty lines reinsurer. Their new Chief Information Security Officer (CISO) requested ~$150,000 in capital from the board to write software that prevented employees from sending unencrypted credit card details over email. The request was roundly rejected, and rightfully so, when it came to light that less than 5% of revenues were collected through credit card payments and a simple company-wide memo to all accounts receivable staff would be equally effective. The funds were, instead, redirected to shoring up the network rules governing SWIFT payments, which accounted for closer to 70% of revenues and had known vulnerabilities that needed to be patched.

Start by understanding what drives value in your organization and the risks associated with those drivers.

With value drivers and risks identified, mapping impact to specific systems becomes simpler and infinitely more accurate although still requiring analysis and thought. Now is the time to call upon the operations, the CFO’s organization, and the IT group to really dig into the likelihood, potential severity, and mitigations available given your position.

By running a structured process around cybersecurity as another form of business risk, a fundamental shift in the conversation takes place.

  • Technical information on the availability of servers or systems becomes a metric on the execution or efficacy of an improvement project.
  • A red mark on a compliance audit becomes an actionable capital request to be considered, weighed against various options and risks, and carried out with transparency.
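The structured process described above, from value drivers to likelihood, severity and mitigations, can be captured in a small risk register that scores each capital request by the expected annual loss it removes per dollar spent. The following is an added example, not code from the original post; the 5% and 70% revenue shares and the $150,000 request echo the reinsurer anecdote, while the annual revenue, likelihoods, severities, control costs and effectiveness figures are constructed assumptions for illustration.

```python
"""Toy board-level risk register: rank cybersecurity capital requests
by the value driver they protect and the expected loss they remove.

Added example, not part of the original post. Every number below is
either taken from the anecdote (5% / 70% revenue shares, $150,000
request) or a constructed assumption marked as such.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ValueDriver:
    name: str
    revenue_share: float  # fraction of annual revenue flowing through this driver


@dataclass(frozen=True)
class RiskScenario:
    driver: ValueDriver
    description: str
    annual_likelihood: float  # chance of at least one loss event per year
    severity: float           # fraction of the driver's revenue lost per event


@dataclass(frozen=True)
class Control:
    name: str
    scenario: RiskScenario
    cost: float                  # one-off capital request in dollars
    likelihood_reduction: float  # fraction of the scenario's likelihood removed


def annual_loss_expectancy(scenario: RiskScenario, revenue: float) -> float:
    """Expected yearly loss = revenue exposed through the driver * severity * likelihood."""
    return revenue * scenario.driver.revenue_share * scenario.severity * scenario.annual_likelihood


def risk_removed(control: Control, revenue: float) -> float:
    """Expected yearly loss the control takes off the table."""
    return annual_loss_expectancy(control.scenario, revenue) * control.likelihood_reduction


def rank_controls(controls, revenue):
    """Score each request by loss removed per dollar, best value first."""
    rows = []
    for c in controls:
        removed = risk_removed(c, revenue)
        rows.append({
            "control": c.name,
            "driver": c.scenario.driver.name,
            "scenario": c.scenario.description,
            "ale_before": annual_loss_expectancy(c.scenario, revenue),
            "risk_removed": removed,
            "cost": c.cost,
            "removed_per_dollar": removed / c.cost,
        })
    return sorted(rows, key=lambda r: r["removed_per_dollar"], reverse=True)


def fund_within_budget(controls, revenue, budget):
    """Greedy allocation: fund the best-value requests that fit the budget,
    at most one control per scenario (alternatives compete, they do not stack)."""
    funded, spent, covered = [], 0.0, set()
    for row in rank_controls(controls, revenue):
        if row["scenario"] in covered or spent + row["cost"] > budget:
            continue
        funded.append(row)
        spent += row["cost"]
        covered.add(row["scenario"])
    return funded


def sample_register():
    """Constructed register modelled on the reinsurer anecdote (assumed figures)."""
    revenue = 500_000_000.0  # assumed annual revenue
    card = ValueDriver("credit card receipts", 0.05)  # ~5% of revenue (from the post)
    swift = ValueDriver("SWIFT payments", 0.70)        # ~70% of revenue (from the post)
    card_leak = RiskScenario(card, "card details e-mailed unencrypted and intercepted",
                             annual_likelihood=0.20, severity=0.02)   # assumed
    swift_vuln = RiskScenario(swift, "known, unpatched weaknesses in SWIFT network rules",
                              annual_likelihood=0.10, severity=0.05)  # assumed
    controls = [
        Control("email encryption software", card_leak, 150_000, 0.90),        # assumed effect
        Control("memo to accounts receivable staff", card_leak, 2_000, 0.50),   # assumed cost/effect
        Control("patch and tighten SWIFT network rules", swift_vuln, 150_000, 0.80),  # assumed effect
    ]
    return controls, revenue


if __name__ == "__main__":
    controls, revenue = sample_register()
    for row in rank_controls(controls, revenue):
        print(f"{row['control']:<42} protects {row['driver']:<22} "
              f"removes ${row['risk_removed']:>12,.0f}/yr for ${row['cost']:>9,.0f} "
              f"({row['removed_per_dollar']:.2f} per $)")
    print("funded:", [r["control"] for r in fund_within_budget(controls, revenue, 160_000)])
```

Run as a script, the ranking puts the memo first, the SWIFT patching second and the encryption software last, which is the board's conclusion in the anecdote expressed as a repeatable calculation rather than a judgement call. The same table is the "commercial level" summary a non-technical board can weigh: each row names the value driver at stake, the loss it avoids and what it costs.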

Can it really be simplified down to this level?

Simplicity is the ultimate form of sophistication, but it is not synonymous with easy. Technical know-how is still a requirement for managing cybersecurity in a world that becomes ever riskier with each layer of digitization. The job of managing risk really can be codified into a process and summarized at a commercial level that even the most Luddite of managers can wrap their head around. The model of your firewalls is of critical importance, but no more so than knowing there are robust processes in place to patch the firewall when a new vulnerability is identified. Rapidly failing over to a backup or manual system in the event of an outage can be complex, but knowing that the process for doing so is understood and practiced by a system's users at regular intervals is a capability in any good manager's skill set.

Alignment is never a simple task, and rising cybersecurity threats driven by digitization and an evolving world of commerce only make it more critical than ever. Cyber is a board member's concern, and managing the risk is not as daunting as it can seem.