In 2012, as the importance of cybersecurity grew more apparent for business leaders around the globe, the World Economic Forum (WEF) launched a new initiative called the Partnership for Cyber Resilience. Since then, every yearly edition of the WEF’s Global Risks Report has featured cyber risks front and center. As a PricewaterhouseCoopers (PwC) presentation titled “Threat Smart: Building a Cyber Resilient Financial Institution” put it: “Cyber risk is a business issue, not just a technology issue. Market leaders are finding that cyber risk management needs to be owned by the C-suite rather than by IT.”

In 2015, the WEF released a special report titled “Partnering for Cyber Resilience Towards the Quantification of Cyber Threats.” As Jacques Buith, the managing partner at Deloitte Risk Services, pointed out, “We need to be able to quantify cyber risks if proper cyber resilience assurance is to be achieved. Only then will management boards be able to take sound risk/reward decisions in this volatile world and thus secure their organizations’ cyber resilience.”

The report uses a cyber value-at-risk approach that aims to determine a value x: the amount of money a business would lose over a given period as the result of a successful cyberattack. The report also covers the different types of models from which quantified risks can be derived: the Monte Carlo method, behavioral modeling, parametric modeling and the Delphi method, to name a few. Deloitte offered a more in-depth look at the relationship between risk and compliance, including how to measure the status of risk governance.

C-Suites Must Have Knowledge of Cyber Risks

The WEF is not alone in pointing out the need for CISOs, CIOs, business executives and boards of directors to have more frequent, productive conversations around cyber risks and to properly oversee the effectiveness of controls deployed to mitigate them. Here is a sampling from the past year showing the level of interest — or, depending on your perspective, the demands from executives or directors — in the management of cyber risks.

  • A first-quarter 2015 New York Stock Exchange (NYSE) special report entitled “Managing Cyber Risk: Are Companies Safeguarding Their Assets?” pointed out that 42 percent of boards surveyed “admitted their board only occasionally discusses cyber/IT security.” Also, only 21 percent of the directors reported their company had “IT risk well under control with regard to a possible cyber breach.”
  • In 2015, NYSE Governance Services surveyed about 200 directors of public companies. The “Cybersecurity in the Boardroom” report highlighted a definite trend in the level of interest in the discussion of cyber risks in the boardroom: About 35 percent said that cybersecurity matters were discussed at every meeting, while another 46 percent indicated they were discussed at most meetings. Even more interesting is the perspective from the board that, in the event of a major breach, the order in which directors would hold leaders accountable for the breach started with the CEO, who was then followed by the CIO, the entire executive team and, in fourth place, the CISO.
  • An article titled “Do boards have a role in cyber-risk?” asked whether boards need a cyber risk expert within their ranks. The answer, so far, is no. However, for directors, the author noted that the “one thing you can’t do is escape responsibility.”
  • In 2015, PwC’s “18th Annual Global CEO Survey” showed that 61 percent of CEOs are concerned about “cyber threats, including lack of data security.” Cybersecurity was listed third in level of strategic importance (78 percent), just behind mobile technologies for customer engagement (81 percent) and data mining and analysis (80 percent). Additionally, 53 percent of CEOs reported cybersecurity as being very important strategically.
  • Finally, from a government regulation and oversight perspective, companies operating in the U.S. must pay attention to the tone and words from Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar’s address at the NYSE’s Cyber Risks and the Boardroom Conference on June 10, 2014: “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation and engagement on cybersecurity issues,” Aguilar said in his speech. “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Organizational Best Practices

So what’s an organization to do? First, download the National Association of Corporate Directors (NACD) “Cyber-Risk Oversight Handbook,” a resource that can be applied to an organization’s existing enterprise risk management (ERM) to track cyber risks. The handbook outlines five key principles for boards to properly oversee cyber risks:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
  5. Board management discussions about cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
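The cyber value-at-risk idea from the WEF report and the avoid/accept/mitigate/transfer decision in principle 5 can be made concrete with a small Monte Carlo simulation. The following is an added example written for this article; it is not code from the WEF, Deloitte or NACD publications, and the model it uses (incident frequency drawn from a Poisson distribution, per-incident loss drawn from a lognormal distribution) is an assumed simplification, as are all the dollar figures, frequencies and insurance terms, which are constructed for illustration only.

```python
import math
import random
import statistics


def sample_poisson(rng, lam):
    """Draw one Poisson(lam) sample with Knuth's method (fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, sev_median, sev_sigma, years=20000, seed=1):
    """Simulate total loss per year: Poisson incident count, lognormal severity.

    Assumed model, not the WEF report's own; sev_median is the median loss of a
    single incident and sev_sigma the log-scale spread of that loss.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu = math.log(sev_median)
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n)))
    return losses


def value_at_risk(losses, confidence):
    """Loss that the simulated annual loss stays below in `confidence` of years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(math.ceil(confidence * len(ordered))) - 1)
    return ordered[max(idx, 0)]


def retained_loss(gross, deductible, limit):
    """Loss the business keeps after transferring part to a policy (assumed terms):
    the insurer pays the part above the deductible, capped at the limit."""
    covered = max(0.0, min(gross - deductible, limit))
    return gross - covered


def cyber_var_report(freq_per_year, sev_median, sev_sigma, deductible=None, limit=None,
                     years=20000, seed=1):
    """Summarise the loss distribution, optionally after an insurance transfer."""
    losses = simulate_annual_losses(freq_per_year, sev_median, sev_sigma, years, seed)
    if deductible is not None and limit is not None:
        losses = [retained_loss(l, deductible, limit) for l in losses]
    return {
        "expected_annual_loss": statistics.mean(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "prob_any_incident": sum(1 for l in losses if l > 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: 0.8 material incidents/year, median incident $500k.
    baseline = cyber_var_report(0.8, 500_000, 1.2)
    # "Mitigate": a control assumed to halve incident frequency.
    mitigated = cyber_var_report(0.4, 500_000, 1.2)
    # "Transfer": baseline frequency with a $250k deductible and $5M limit.
    insured = cyber_var_report(0.8, 500_000, 1.2, deductible=250_000, limit=5_000_000)
    for name, rep in (("baseline", baseline), ("mitigated", mitigated), ("insured", insured)):
        print(f"{name:10s} EAL=${rep['expected_annual_loss']:,.0f} "
              f"VaR95=${rep['var_95']:,.0f} VaR99=${rep['var_99']:,.0f}")
```

Running the script prints the expected annual loss and the 95 percent and 99 percent value-at-risk for three postures: accepting the baseline risk, mitigating it with a control that reduces incident frequency, and transferring part of it through insurance. Comparing VaR95 across the three rows is the kind of figure a board can weigh against the cost of the control or the premium; the distribution is heavily right-skewed, so VaR sits far above the expected loss, which is exactly why a mean alone understates the exposure.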

Second, follow a cyber risk management methodology such as the U.S. National Institute of Standards and Technology (NIST) Risk Management Framework or the Australian government’s 2015 Risk Management Benchmarking Programme documents, which provide useful information for establishing and running a risk management program and selecting a target maturity state, as well as typical characteristics of the various risk management maturity levels for which one might aim.
