Various surveys in recent years have created the impression that companies are getting serious about cybersecurity, no doubt helped by the huge rise in attacks during this most unusual of years. Yet scratch beneath this veneer, and actual investments are few and far between.
There are many possible reasons for this, but a fundamental lack of cyber-risk literacy is foremost among them. Without a proper assessment of the risks at hand, even if communicated for a lay audience, it’s impossible to make informed decisions.
The best cyber risk assessments not only include a range of third-party evaluations, but also an accurate and robust assessment of things such as the culture and capabilities of the business, the governance policies in place, and the financial risk of attacks. These reports are valuable because they allow boards to understand the risk their organizations face, even without strong technical skills.
Cyber risk assessments provide you with many things, but at the most basic level they give you an overview of the robustness of your cyber defenses. The risks associated with poor cyber resilience should be all too familiar to executives, with a daily stream of news about cyber attacks crippling networks, leaking data, and embarrassing brands.
To date, many of the attempts to muster this cyber resilience have been poorly established, due in large part to the fact that many of these efforts look backward rather than forward. Assessments are made based upon previous attacks rather than on future attacks, and while it’s inevitable that efforts will need to be made to shore up defenses that have already been breached, it’s an approach that can ensure attackers are always one step ahead.
Similarly, assessments can focus excessively on internet-facing systems when looking for vulnerabilities. While such systems are undoubtedly at risk, the focus on a relatively small subset of an organization’s IT infrastructure overlooks the nuances of robust cybersecurity, such as attempts to deceive hackers who might be studying systems for weaknesses.
These approaches separate cybersecurity decisions from the very businesses the systems are designed to serve. Technical assessments often become a box-ticking exercise for security staff and largely fail to provide actionable and risk-oriented perspectives that take account of both the financial and business aspects of cybersecurity. They also tend to overlook vital aspects of defense, such as the culture of the business, its governance and decision-making practices, or even the appetite for implementing the kind of security practices required to be truly secure.
A truly valuable cyber risk assessment first needs senior managers to fully understand what a good assessment looks like. What do they need to know to ensure their business is secure? How will this information mesh with the strategic goals of the business? Obviously, this will vary from company to company, but there are nonetheless some commonalities that can help to guide discussions.
Firstly, you should strive to understand and define your appetite for risk. It’s increasingly believed that it’s not a case of if organizations will suffer from cyber attacks but when. What risks might the organization face, and how significant would they be to the operations of the business? What might customers expect from us as custodians of their data? How might our rivals be approaching cybersecurity? Answering these questions will provide the basis for what is to come next.
Once the appetite for risk has been established, you can then move on to what it is that your organization is trying to achieve. What outcomes will represent good for you? This question requires not only an understanding of your risk appetite, but also the level of investment you’ve put into cybersecurity in the past, and what level you plan to invest in the future. It will require an understanding of the expectations of customers and other stakeholders and even the regulatory landscape. These discussions should help to formulate internal targets and standards so that subsequent efforts can be held to account.
The final step is to make the changes you’ve instigated a permanent feature of a culture in which cybersecurity is at the heart of everything you do. Robust culture and governance are vital to any cybersecurity initiative you implement, and it’s impossible to achieve any significant outcomes without them. As Peter Drucker famously remarked, “culture eats strategy for breakfast,” as it provides a more sustainable and enduring basis as strategies flex and adapt to the changing needs of the moment.
Cybersecurity has failed to grab the attention of executives for too long, but as the number and severity of attacks rise, this is inevitably going to change. As such, a cyber risk assessment will be one of the key first steps an organization takes in understanding where it is and where it needs to get to. Hopefully, this article will help point organizations in the right direction so they get off on the right foot.