How can cyber security practitioners help senior executives express appetite for cyber security risks in terms that are relevant the Board of an organisation?
Understanding the need to ascertain and express risk appetite is a task of self-discovery for any organisation. It helps crystallise the organisation’s true attitude toward risk and forces a hard look by senior management at how far it is willing to let the organisation walk on the technology risk plank. Risk appetite should answer the question as to which risk factors the organisation is comfortable bearing and which it is not. It should transform risk discussions by making irrelevant the likely different interpretations of what is acceptable to live with each time a risk assessment or audit is performed.
As a starting point, a definition of risk appetite that links to the organisation's Mission should be established. After all, the Board is there to achieve the Mission, and if there's anything that threatens that, you'll have their attention. Risk appetite: the amount of risk, on a broad level, that an organisation is willing to accept in pursuit of its mission.
A lazy way to express risk appetite could be to relate it to the results of risk assessments. For example, one could express risk appetite as a simplistic statement saying that the organisation is comfortable living with low and medium risks, but not with risks rated high or critical. The trouble with this approach is that it focuses on a rating that is one level removed from the risk itself and, as an abstraction of the seriousness of the underlying issue, represents the technology risk manager’s perspective.
A formal statement of risk appetite should therefore establish an objective scale against which risks could be measured and compared, and the risk rating determined thereafter. The formal statement of risk appetite could then provide the rationale as to why a particular rating is assigned to a finding, as opposed to the rating determining if the finding falls outside of the acceptable risk threshold.
So how does a statement of risk appetite manifest itself in a practical way? One way to think about it would be to consider the ways a risk could be realised, and then to think about the classifications, attributes or characteristics that the risk realisation paths bear. Statements of risk appetite should be explicitly tied to operational and financial performance objectives. Risk appetite can then be expressed in statements that are clear, are stated in a way that supports protecting the achievement of business objectives and are agreed to by senior management.
Thanks Matthew for your very helpful answer. I have a worry though, and it relates to the fact that Boards who set risk appetite are often not well informed about cyber risk. So they might express a zero tolerance towards any risk to personal data (given the potential fines for failure to comply with GDPR). However, if they think that there is a simple technical solution, then they could easily tie risk appetite to unrealistic or irrelevant operational performance objectives relating to those technical solutions. In other words they may say "We won't tolerate any risk here and we have expectations that technical defences will repel any attacks on personal data". And perhaps the technical defences do prevent internet-borne threats from being realised. But the data gets leaked anyway because someone loses a memory stick containing the data. Boards who think that there are simple technical fixes, and that cyber is an IT problem, may fail to accept that the threat is organisation-wide and needs defences through processes outside IT, such as training, security process usability evaluation, awareness campaigns, and even cultural change programmes. In short, Boards may think "cyber is a tech problem that needs a tech fix" rather than thinking "cyber is a strategic problem that needs tech, people, and process fixes across the whole organisation".
Is the question then more about how cyber security risk can be communicated to the board of an organisation to allow them to express risk appetite in an informed way? The term cyber risk is subjective and open to liberal interpretation. Take the Institute of Risk Management's definition of cyber risk: “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems”. This identifies IT infrastructure as the point of failure, making it seem that the risk is the preserve of the IT department. The board therefore usually sees cyber risk as an IT issue. This is counter-productive. A more productive definition might be to say that cyber risk is the risk of compromise of business operations orchestrated via the IT infrastructure.
Managing risk needs to be seen as vital to the sustainability of the organisation. If you compare cyber risk management to the management of sales projections, marketing initiatives, customer relations etc., you see that they have similar characteristics - they are all forward-thinking, they all involve assessment, analysis and prediction, and they can all influence the direction the business takes. Having recognised that, it’s possible to see risk as a strategic motivator and to place risks in context in terms of the business, how it operates and what the impact might be of the realisation of that risk on the business.
When communicating cyber risk to the board, you should use the same language as the business; otherwise the interpretation of risks can differ. So think about what the board needs to know, and seek to make risk relevant to the business and stakeholders – this is the only way to ensure an enterprise-wide risk strategy.
However, a conversation is a two-way process and the onus is not just on the CRO or CISO. The board also needs to increase its understanding of cyber threats and that means brushing up on cyber security. This will enable the board to appreciate risk as a necessary element of its defence and security as a function that enables the business to operate effectively. Risk managers can help here by creating opportunities to help educate the board on cyber security issues, generating discussion around the topic, and devising programs that address emerging threats.
Common ground is then created which generates a greater sense of trust between senior management and IT. It’s only at this point that the board can begin to ask the right questions and enter into a meaningful dialogue about risk appetite.
Thanks. I think you answer the question very clearly. Your point about defining cyber risk is very significant. Perhaps you could extend your definition a little further and say that it involves the risk of compromise of business operations orchestrated via the use of digital technology (so internet connected machinery and IoT devices, not just IT infrastructure) by the organisation or any of its stakeholders including suppliers, customers and prospects (that extension covers off third party risk as well as some of the reputational damage issues caused for instance by social media).
But the crucial thing, as you say, is the compromise to business operations and not just IT operations: that's why the Board needs to get involved. I think that the difficulty many Cyber security/IT professionals find is in expressing these risks in terms of business operations, strategy and reputation, rather than simply talking about bits and bytes which will hold little interest (or indeed meaning!) for many Board members.