Rich Seiersen, Chief Risk Officer of Resilience, explores how CISOs and CROs can work together to understand cyber risk exposures and build resilience

For Chief Information Security Officers and Chief Risk Officers, questions from the board on cyber risk are frequent.

One of the worst questions to be asked as a CISO in a boardroom is, “Are we secure?” In many ways, it’s an impossible question to answer because it’s intangible, and therefore particularly difficult to quantify.


Strategy partnership

What boards should ask instead is, “Are we resilient to material losses?” When boards frame the question this way, they are seeking an answer that extends beyond the CISO to include the Chief Financial Officer and CRO.

Material losses are foreseeable and have a realistic probability of occurring. In this context, we’re talking about actual, material losses – in other words, quantifiable losses.

Ideally, that’s the question boards should have in their mind, but it’s not clear that most do when they pose the question every CISO dreads, about whether the organisation is secure.

What makes managing cyber risk so challenging is the variety of unknowns.

There are sentient and artificially intelligent bad actors out there, on one end. At the other end are businesses whose goal is to expose more value to more people, through more channels, at higher velocity.


Successful businesses scale out their opportunities. They’re innovating to do that, but the bad actors are also innovating to commit cyber crimes, and the CISO is in the centre, trying to support one and thwart the other.

A CISO’s job is to protect the business, to invest in controls to reduce the likelihood of loss. For the CFO or CRO, or whoever is the ultimate buyer of insurance, their job in part is to transfer risk away from the business.

What the CFO is really doing is transferring risk away from their organisation’s treasury or capital reserves. The key question in doing that job well is, “How do we make capital-efficient investments in controls and in risk transfer to protect our reserves?”

An organisation’s insurance limit is a mathematically unambiguous, empirical expression of its risk tolerance. It’s akin to saying, “Our organisation does not want to lose more than $X million.”

Any loss beyond that limit has to be absorbed by the organisation’s reserves; those excess losses form a tail that extends past the insurance limit.


It’s important to consider this in developing a cyber resilience strategy. Losses can exceed risk tolerance. Therefore, boards should ask, “Is the magnitude of that tail acceptable?”

Some people mistakenly believe they can simply invest in more coverage, so they only have a 0.0001% chance of exceeding their risk tolerance.

But the reality is, an insurer is not going to want to partner with you on that risk if you don’t demonstrate good cyber hygiene, or if you don’t demonstrate that you’ve invested in risk controls.

Who’s going to take the hit from a cyber loss? The insurer.
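To make the tail beyond the insurance limit concrete, here is an added worked example (not from the original article or from Resilience). It assumes annual cyber loss follows a lognormal distribution calibrated from a 90% confidence interval, a common cyber risk quantification convention; the dollar figures are constructed.

```python
# Added illustration: an insurance limit read as a risk-tolerance statement,
# and the expected loss left in the tail beyond it. Assumes a lognormal
# annual loss calibrated from a 90% confidence interval; figures constructed.
from math import exp, log
from statistics import NormalDist

Z90 = NormalDist().inv_cdf(0.95)  # z-score bounding a two-sided 90% interval


def lognormal_from_ci(lo, hi):
    """Return (mu, sigma) of ln(loss) such that [lo, hi] is its 90% interval."""
    mu = (log(lo) + log(hi)) / 2
    sigma = (log(hi) - log(lo)) / (2 * Z90)
    return mu, sigma


def exceedance_prob(limit, mu, sigma):
    """P(annual loss > limit): the chance the tail beyond the limit is hit."""
    return 1.0 - NormalDist(mu, sigma).cdf(log(limit))


def expected_annual_loss(mu, sigma):
    """Mean of the lognormal annual loss."""
    return exp(mu + sigma ** 2 / 2)


def expected_tail_beyond(limit, mu, sigma):
    """E[(loss - limit)+]: the average loss reserves must absorb above the limit."""
    n = NormalDist()
    above = expected_annual_loss(mu, sigma) * n.cdf((mu + sigma ** 2 - log(limit)) / sigma)
    return above - limit * n.cdf((mu - log(limit)) / sigma)


def limit_for_exceedance(p, mu, sigma):
    """Insurance limit needed so that P(loss > limit) equals p."""
    return exp(NormalDist(mu, sigma).inv_cdf(1.0 - p))


if __name__ == "__main__":
    # Constructed calibration: 90% confident the annual loss lies between $1M and $50M.
    mu, sigma = lognormal_from_ci(1e6, 50e6)
    for limit in (10e6, 25e6, 50e6):
        print(f"limit ${limit / 1e6:>4.0f}M  P(exceed)={exceedance_prob(limit, mu, sigma):.3f}"
              f"  expected tail beyond limit=${expected_tail_beyond(limit, mu, sigma) / 1e6:.2f}M")
    # Buying coverage alone down to a 0.0001% exceedance chance needs an implausible limit.
    print(f"limit for 0.0001% exceedance: ${limit_for_exceedance(1e-6, mu, sigma) / 1e9:.1f}B")
    # Controls that halve the plausible loss range shrink the tail at an unchanged limit.
    mu2, sigma2 = lognormal_from_ci(0.5e6, 25e6)
    print(f"tail beyond $25M after controls: ${expected_tail_beyond(25e6, mu2, sigma2) / 1e6:.2f}M")
```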

Focusing on mitigation and transfer

Effectively managing cyber risk entails integrating mitigation and risk transfer.

If an organisation is good at protecting itself from cyber losses, insurers will be more willing to give that organisation more limit and a good premium.

But the organisation needs to mitigate and transfer risk in relationship to its actual value at risk. Without quantifying the value at risk, it is impossible to adequately protect the business.

The National Association of Corporate Directors (NACD) noted the importance of cyber risk quantification in its 2023 “Director’s Handbook on Cyber-Risk Oversight.” The NACD included in its citations a book that Douglas W. Hubbard and I wrote, “How to Measure Anything in Cybersecurity Risk.”


Similarly, financial regulators such as the Securities and Exchange Commission are implementing cybersecurity reporting requirements. Without being overly prescriptive, the economic language the SEC is using is stronger than we have seen in the past.

Against the backdrop of global economic challenges, financial headwinds are making organisations consider how they can tighten their purse strings without incurring moral hazard. That is, when an organisation has insurance, the existence of that loss-funding source can serve as a disincentive to reduce risk.

What is needed is a strategic, grounded approach to mitigating and transferring cyber risk, and that starts with collaboration in quantifying the risk.

Unite the silos

In most organisations, the CISO, CFO and CRO all operate in silos. Protecting a business, however, demands collaboration.

If these C-level leaders aren’t working together to quantify the risk, that’s truly unfortunate, given their shared objective. After all, the impact of risk on a business is always financial, whether that occurs in dollars, pounds, euros, or some other currency.

They should be working to define a strategy to keep the business within its risk tolerance. And they should be working from a shared objective. That modern objective is, “make the business resilient to material loss.”

Each function performs different roles, but they do so with a common “material” objective. As it stands for many organisations today, the CISO, CFO and CRO are each performing their jobs independently and largely unseen.


Imagine playing tennis where neither player can see the other side of the net. One hits the ball and the other takes it, does whatever they want to it, and it comes back over the net. In that situation, the players might think they’re playing the same game, but they really are not.

Cyber risk has knowns and unknowns. But businesses can – and should – look at the things they do know about.

The CISO and CRO should be quantifying those risks, and using that as a way to roughly rightsize how they invest in their insurance and mitigation. If people say that’s impossible, they’re lying to themselves.

A consumer mindset tends to influence people in these functions, causing them to think they can buy their way to more security. Security folks are going to buy security things. Insurance-minded folks – CFOs, CROs, Risk Managers – are going to buy insurance.

The problem is, they don’t speak to each other, and they don’t have a shared objective: to be resilient.

Rich Seiersen is the Chief Risk Officer of Resilience, a company that helps financial, risk, and information security leaders continuously improve their organisations’ cyber resilience.