Data breaches are costly. According to a recent study conducted by The Ponemon Institute, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there’s still a discernible impact on the organisation’s stock valuation three years post-event. Josh Lefkowitz delves further into the detail.
Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cyber security must no longer be considered an IT issue. Rather, it’s a matter for the Board in its role as custodian of shareholder value.
By managing cyber risk as part of the overall organisational risk strategy, Boards can put it into a commercial context and drive the cultural awareness of risk that’s essential to promote cyber resilience across the business.
Elevating cyber risk management to Board level is not without its challenges, though. We’re still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect. Many Boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the Board really needs to carry out effective oversight.
This challenge was underlined by recent EY interviews that found difficulties “obtaining relevant, objective and reliable information presented in business-centric terms…[and this] affects Board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”
This is where the evolving role of the Chief Information Security Officer (CISO), sitting between the business and the Board, requires a mix of skills. CISOs need technical expertise in analysing and interpreting threat metrics and technology performance, together with the ability to apply those skills in a broader business context for Board directors, so that the Board can deliver strategic cyber risk oversight and governance for the business.
From numbers to narrative
While Boards are increasingly factoring cyber skill sets into their succession planning when recruiting new Board members, most current Board directors don’t have deep experience in cyber security. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.
Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DDoS attack might cause reputational risk, operational risk and strategic risk. Of course, the flipside of risk is compliance, so the Board also needs to know how cyber security incidents could impact data privacy and governance.
It’s the role of the Board to challenge senior management robustly in order to deliver effective oversight. That being the case, CISOs should be ready to answer questions around the organisation’s cyber security maturity and the frameworks established to manage emerging threats.
However, while numbers and frameworks are valuable in helping Boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If Board directors are given a window into the environment, tactics and motivational psychology of the actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, Board directors can become an asset to the CISO in promoting a cyber risk-aware culture, not just as a tick-box exercise but because they have a genuine appreciation of the factors – and, indeed, the actors – in play.
To achieve this Board-level buy-in, CISOs need to move from numbers to narrative in order to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.
It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.
Deep and Dark Web forums, chat services and other platforms are often where cyber criminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, Intellectual Property and stolen data may be offered for sale. An overview of the company’s profile across the Deep and Dark Web, as well as other illicit online communities, and the kinds of tactics that are being discussed is a powerful way in which CISOs can help directors gain context to understand what the business faces.
Illustrating third party risk
Third party risk, including supply chain weaknesses, is a hot topic among Boardrooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in – or threats posed to – partner organisations. This intelligence can help Boards meet objectives to manage supply chain risk.
Successful cyber risk oversight by company Boards of Directors relies on them receiving a combination of auditable metrics, risk impact assessments and contextual information, in turn enabling them to provide informed oversight of cyber risk.
Greater understanding of the threat actor environment also assists Boards in leading a risk-aware culture across the business, moving from a tick-box approach towards a genuine cultural shift.
Josh Lefkowitz is CEO of Flashpoint