Cybersecurity has gone from “important” topic to “critical” topic, but the reality is that most businesses are still not treating it with the gravity it deserves. It is not for lack of trying though; this is just a big topic. In an article for Harvard Business Review, Jason J. Hogg prescribes a holistic approach for executives to apply cyber risk metrics uniformly across the organization.
A United Front
Right now, when cyber risk conversations occur in organizations, they typically occur (unwittingly) in silos. One unit discusses technical vulnerabilities as it applies to that unit, and they act on their own to patch those isolated problems. Communication never extends to a broader scale.
Hogg outlines these steps to create a common language about cyber risk that encourages organization-wide dialogue:
- Bring together the C-suite to create a realistic and integrated picture of the business’s exposure.
- Create a culture that encourages employees to talk openly about cyber risks.
- Build and regularly test an incident-response plan to cyberattacks.
- Build an internal function to conduct regular audits of company preparedness.
About the first step, Hogg writes this:
This includes: identifying critical data and assets that could be at risk; assessing technical vulnerabilities; understanding the threat landscape; appreciating the potential regulatory and compliance consequences of cyber attacks; quantifying the financial implications of attacks (e.g., business-interruption costs, lawsuits, remediation costs, loss of enterprise value, and damage to brand and reputation); and gaining a more accurate picture of the impact on shareholder value.
Regarding the second step, CEOs should get to know the actual people involved in cybersecurity for the business, so that CEOs can get a better understanding of how safe (or not) the business really is. Executives should also encourage teams to always think about changes (like technology changes) in the light of what it will mean for security. Security discussions must be normalized; they cannot afford to feel taboo or insulting to the business’s competence.
The incident-response plan that Hogg cites in the third step includes four parts: (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and (4) post-incident. You may want to bring in outside expertise to craft this plan. In any case, the ultimate goal will be to create an internal function to watch for risks, and Hogg recommends that this be led by a chief vulnerability offer of some kind. When these steps are implemented, you have a strong framework through which to discuss and monitor cyber risks in the organization.
For additional elaboration on each of these steps, you can view the original article here: https://hbr.org/2017/11/why-the-entire-c-suite-needs-to-use-the-same-metrics-for-cyber-risk