
EACC Insights: Cyber Risk Management – moving from the Wiring Closet to the Boardroom

By: R.K. Gardner, New World Technology Partners

Cyber incidents, and the security expenditures that accompany them, continue to rise unabated. Boards feel they have lost control, yet they still let the technical teams "wag the dog". It is time for Boards to drive cyber risk management the way they drive every other enterprise risk. Doing so, however, requires risk measurements a Board can understand: measures of cyber-driven enterprise risk exposure.

Cyber Security is currently determined through the Wiring Closet Lens

Responsible IT hygiene, as prescribed by government (NIST) frameworks and industry best practices, may reduce cyber incidents by as much as 75%. So-called GRC (Governance, Risk, Compliance) software guides cyber teams through regulatory protocols. Yet cyber security departments still measure their performance against questionnaires that assign "tiers" of preparedness by scoring IT training, monitoring and controls, and by projecting the likely cost of servicing breaches. In today's highly interconnected and complex cyber ecosystem, with changing adversarial threats and hidden systemic instabilities, this "wiring closet" perspective is no longer sufficient.

Enterprise Risk looks through the Shareholder Lens

As enterprises' cyber risk budgets approach tens or hundreds of millions of dollars annually, corporate Boards need better information to justify spending such large amounts. When they cannot measure cyber exposure the way they measure other corporate (or sovereign) risks, they cannot integrate cyber into enterprise risk management policy. They then have no basis for allocating prudent levels of expenditure and reserves, or for making public disclosures.

If Boards could measure their financial and reputational exposure, and how it relates to share value, capital, stakeholder trust and the legal and regulatory response that follows, they would have a sound basis for allocating resources and prioritizing actions.

What should be measured? 

In the spirit of the Presidential Decision Directive (PDD) 63 in 1998 and Homeland Security Presidential Directive (HSPD) 7 in 2003, which identified critical infrastructure protection objectives in terms of financial, public confidence and public safety, we can help executives and public officials measure, indeed quantify, the financial, reputation and safety consequences of cyber risk in their enterprise. Examples include:

  • Earnings, Earnings Per Share or Retained Earnings
  • Capital or Risk Weighted Assets
  • Free Cash Flow
  • Client, Shareholder and Public Confidence
  • Share Volatility

How? Today's cyber-enabled critical infrastructure is a complex "system of systems" composed of thousands of interdependent components and myriad channels. The rapidly changing socio-political environment faces high-impact threats from individual, group and state actors with shifting alliances, attitudes and agendas. These complex systems give rise to systemic risks and exploitable vulnerabilities that, once triggered, have runaway impacts, leading to severe enterprise and (inter)national consequences. As a result, risk causes and consequences cannot be measured by cyber analysis alone. Measuring them requires a systems engineering approach with two characteristics:

  1. Measuring activities and events from the widest perspective – from Adversary to IT Infrastructure to Business Operations to Enterprise Value – i.e. “Wiring Closet to Boardroom”… which in turn implies a measurement paradigm that integrates and concatenates technical, operational and financial systems in a single calculus.
  2. Quantifying each element of the measurement stream using deterministic (evidence-based) rather than probabilistic methods.

Measures of such complex system behavior have been created before. Methods such as Failure Modes, Effects and Criticality Analysis (FMECA), pioneered by Bell Laboratories in the 1950s, hold special promise in this regard, and several methods derived from that paradigm are available.

Then what? Here’s where the Board can respond to specific enterprise risk consequences.  They can set policy commensurate with exposure as they do with all other enterprise risk issues, such as market risk, credit risk, geopolitical risk, etc.

  • Results of such measures can be correlated from many points of view (attack scenario, information asset, company project, time of day, etc.), providing the insight needed to craft an enterprise-specific Cyber Risk Policy, including:
    1. Allocating resources so that risk acceptance, insurance or hedging, protections and response strategies are set commensurate with earnings and cash-flow exposure.
    2. Establishing evidence-based capital reserves against risk-weighted assets (the "too big to fail" question).
    3. Providing prudent disclosures, both periodic (SEC filings) and incidental (an industry breach).
  • The Board's Duty of Care can be demonstrated.
  • CIO/CISO teams can analyze "what-if" models to quantify the incremental cost-benefit of cyber security and risk management adjustments and improvements.
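As an added illustration, not from the article or its author, the following Python sketch shows what one "wiring closet to boardroom" measurement chain can look like in FMECA-style terms: each row is an attack scenario that takes an IT asset down, the business process that depends on that asset, and the observed (not guessed) incident rate, effect ratio and restore time; exposure is chained through to annual dollars, rolled up by scenario, asset or process, and candidate controls are ranked by incremental net benefit. The company, processes, figures and controls are all constructed for the example, and the simple exposure formula (observed disruptions per year times measured loss per disruption) is one evidence-based instance of the approach, not the author's method.

```python
"""FMECA-style cyber exposure worksheet: attack scenario -> IT asset ->
business process -> annual financial exposure, plus what-if control ranking.
Added example with constructed figures; not the article's own model."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    """One worksheet row: an adversary action that takes an IT asset down and
    the business process that depends on that asset."""
    scenario: str               # attack scenario (adversary lens)
    asset: str                  # IT component that fails (wiring-closet lens)
    process: str                # business operation that depends on the asset
    incidents_per_year: float   # observed rate from incident history
    effect_ratio: float         # share of past incidents that disrupted the process
    outage_hours: float         # measured mean time to restore the process
    severity: int               # FMECA severity class, 1 (minor) .. 4 (catastrophic)


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    revenue_per_hour: float     # earnings lost while the process is down
    fixed_incident_cost: float  # response, notification, legal per disruptive incident


@dataclass(frozen=True)
class Control:
    """A what-if: scales the rate, effect or outage of one scenario's failure
    modes at a known annual cost."""
    name: str
    scenario: str
    rate_factor: float = 1.0
    effect_factor: float = 1.0
    outage_factor: float = 1.0
    annual_cost: float = 0.0


def disruptions_per_year(fm):
    return fm.incidents_per_year * fm.effect_ratio


def criticality(fm):
    """FMECA criticality number: severity weighted by how often the effect occurs."""
    return fm.severity * disruptions_per_year(fm)


def annual_exposure(fm, processes):
    """Chain the technical event through to money: expected disruptions times
    the measured loss per disruption (downtime revenue plus fixed incident cost)."""
    proc = processes[fm.process]
    loss_per_disruption = fm.outage_hours * proc.revenue_per_hour + proc.fixed_incident_cost
    return disruptions_per_year(fm) * loss_per_disruption


def exposure_by(modes, processes, view):
    """Roll exposure up from any point of view: 'scenario', 'asset' or 'process'."""
    totals = defaultdict(float)
    for fm in modes:
        totals[getattr(fm, view)] += annual_exposure(fm, processes)
    return dict(totals)


def apply_control(modes, ctl):
    """Return the worksheet as it would look with the control in place."""
    return [
        replace(fm,
                incidents_per_year=fm.incidents_per_year * ctl.rate_factor,
                effect_ratio=fm.effect_ratio * ctl.effect_factor,
                outage_hours=fm.outage_hours * ctl.outage_factor)
        if fm.scenario == ctl.scenario else fm
        for fm in modes
    ]


def what_if(modes, processes, controls):
    """(name, exposure reduction, reduction net of cost) for each control alone, best first."""
    base = sum(annual_exposure(fm, processes) for fm in modes)
    results = []
    for ctl in controls:
        after = sum(annual_exposure(fm, processes) for fm in apply_control(modes, ctl))
        results.append((ctl.name, base - after, base - after - ctl.annual_cost))
    return sorted(results, key=lambda r: r[2], reverse=True)


# Constructed sample data for a hypothetical company (not figures from the article).
PROCESSES = {
    "online_payments": BusinessProcess("online_payments", 50_000, 250_000),
    "claims_processing": BusinessProcess("claims_processing", 8_000, 100_000),
}
MODES = [
    FailureMode("phishing_credential_theft", "sso_gateway", "online_payments", 12, 0.25, 6, 3),
    FailureMode("ransomware", "file_servers", "claims_processing", 2, 0.5, 48, 4),
    FailureMode("ddos", "edge_load_balancer", "online_payments", 6, 0.5, 2, 2),
    FailureMode("phishing_credential_theft", "email_tenant", "claims_processing", 12, 0.1, 4, 2),
]
CONTROLS = [
    Control("phishing_resistant_mfa", "phishing_credential_theft", effect_factor=0.2, annual_cost=300_000),
    Control("tested_backup_restores", "ransomware", outage_factor=0.25, annual_cost=150_000),
    Control("ddos_scrubbing_service", "ddos", effect_factor=0.2, annual_cost=200_000),
]

if __name__ == "__main__":
    for view in ("scenario", "asset", "process"):
        print(view, exposure_by(MODES, PROCESSES, view))
    for name, gross, net in what_if(MODES, PROCESSES, CONTROLS):
        print(f"{name:24s} exposure reduced by ${gross:,.0f}, net of cost ${net:,.0f}")
```

The same rows can be re-aggregated by asset for the CISO and by process for the CFO without changing the underlying evidence, which is the point of a single calculus; dividing a roll-up by shares outstanding or by net income turns it into the earnings-per-share or earnings-at-risk figure a Board is used to reading.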

Conclusion

When Board members can measure what is at stake, in the terms shareholders (or donors) use to measure performance and with the same quantitative rigor they apply to other enterprise risks, they will respond accordingly. The risk management policies they then pursue will serve the national interest in critical infrastructure along with their own enterprise self-interest. This approach applies to Federal Government agencies' cyber risk management as well: agency and program risks, breaches and failures have financial and public-confidence consequences that can be quantified in the same way and weighed in risk management policy deliberations.