
GIVING THE BOARD WHAT THEY WANT · 2020-04-18 · Ultimately, senior leaders want to know whether they will achieve their objectives and targets – for this is what they are judged


GIVING THE BOARD WHAT THEY WANT 1

GIVING THE BOARD WHAT THEY WANT

As recent times have shown, unanticipated events can shake up an organization and even an entire economy at any moment. It comes as no surprise then that managing risk effectively will be the key to staying agile during these turbulent times. Whether the risk is cyber, regulatory, environmental, financial or other, organizations need visibility and understanding of their risks in order to make better business decisions.

Despite the importance of risk management, a survey by PwC found that only 27% were ‘very comfortable’ that the Board is getting adequate reporting on cyber and privacy risk management metrics (2018). Clearly, risk managers need to be doing more to ensure that risks are managed and reported adequately.

The simple truth is that risk managers are not fortune tellers and they cannot predict the future. Their role is to identify, assess, evaluate and review risks that can affect a business, then make recommendations that can lower the frequency and magnitude of damaging events. With the chance of experiencing a data breach and the cost of a data breach both rising from 2018 to 2019 (Ponemon Institute, 2019), boards are recognizing the importance of effective cyber risk management. This paper describes how to give the board and senior executives the information they need to manage risk effectively and make better decisions.


TABLE OF CONTENTS

SECTION 1 Start with the basics

SECTION 2 Identify, assess and report

SECTION 3 So, what does good security look like?

SECTION 1 Start with the basics

Ultimately, senior leaders want to know whether they will achieve their objectives and targets – for this is what they are judged and rewarded on. For many executives, the primary objectives are financial – earnings growth, sales targets, economic value added, efficiency savings, market share, etc. However, executives and managers also have an objective, not always stated explicitly, of delivering within the constraints of the law, regulations and the ethical frameworks demanded by society. If executives fail on these latter obligations, they are unlikely to achieve their primary targets.

Management therefore creates strategies and allocates resources with the aim of achieving its objectives in the broadest sense. They then monitor performance against these objectives, adjusting as necessary in response to ‘business as usual’ issues and events that arise. If it is possible that events could arise that will significantly affect the chances of achieving targets, management wants to know about them.

To grab the attention of executives, risk managers need to speak in the language of business objectives and targets. They need to provide executives with the following information in ‘close to real time’:

• An overview of the identified risks (e.g. the Top 10 risks within each part of the business)

• Whether the ‘residual risk’ is within acceptable tolerances, i.e. within the ‘appetite for risk’

• The level of compliance with control standards that are being applied to mitigate risks

• If necessary, the actions that need to be taken to bring the residual risk within risk appetite

• Progress monitoring to track actions through to completion


Page 4: GIVING THE BOARD WHAT THEY WANT · 2020-04-18 · Ultimately, senior leaders want to know whether they will achieve their objectives and targets – for this is what they are judged

This information needs to be present and consistent for each part of the business model, with aggregate views for the entire enterprise. Only then will executives be adequately informed to make business-led decisions. However, valuable information is rarely presented in real time in a simple, attractive form that provides ‘at a glance’ understanding of current risk status. Instead, where risk information is presented, it more often consists of either:

• Incoherent risk and compliance information, typically characterised by:

a. Statements of theoretical risks against some scale not linked to business performance or risk appetite

b. A confused mix of genuine risks and ‘business as usual’ problems

c. Weak linkage between risk management and compliance management, such that poor compliance (e.g. leaving sensitive personal records unencrypted on an unpatched server) doesn’t register as a massive, unacceptable risk

d. As a result of a, b and c, long lists of ‘risk-related actions’, many of which are never completed because managers can’t see the benefit in relation to their business objectives and targets.

• Narrow, focused risk information that misses the ‘big picture’. This is typically characterised by statistical calculations of ‘value at risk’ from a vast array of individual risks, but no overall aggregate view of the material risks to achievement of business objectives.

SECTION 2 Identify, assess and report

Identified risks get categorized into a series of risk registers, perhaps relating to different business areas. It is then the register owner’s responsibility to assess risks, specify mitigating actions and allocate these to “action owners.” Risks that exceed certain thresholds can be escalated to higher level registers, and ultimately to senior management.

The vast majority of avoidable business disasters or failures occur because those executives with the power to take action to avoid or mitigate the risks aren’t aware of the true risks. This is probably because traditional qualitative methods of calculating risks categorize using high-medium-low labels. These methods are subjective, ambiguous and biased, therefore providing limited direction or value to the business (if any). Rather than providing answers, this method creates more questions; for example, “what really is a low risk,” “when does a medium risk become a high risk” and even “how many mediums make a high risk” etc.

The result of such approaches is usually a bureaucratic log-jam with risk registers and long lists of actions being created and summarised into management reports. Since the risk reports don’t provide clear credible information that management can take action on with confidence, they aren’t taken seriously. As a result, management still doesn’t truly understand its real risk position and remains vulnerable to falling short of achieving its objectives and targets. It is no wonder that consultancy firms such as McKinsey say that “risk managers are flying blind.”

High profile cases

2020 – Travelex got off to a bad start to 2020 when a ransomware attack caused severe disruption to its business. It was reported that the firm had failed to patch servers, despite various warnings. This case highlights that organizations need not only visibility of their risks (which reports indicate Travelex had), but proof that staff continue to make progress so that vulnerabilities cannot be exploited.

2019 – The Information Commissioner’s Office (ICO), the UK’s independent regulatory body, announced its intention to fine British Airways £183.39 million. Due to poor security arrangements, attackers were able to harvest the personal data of approximately 500,000 customers.

2018 – Nearly 50 million Facebook accounts were compromised when attackers exploited a vulnerability. In fact, the ICO reported that “even after the misuse of the data was discovered, Facebook did not do enough to ensure adequate and timely remedial action.” The Guardian noted that Facebook shares fell approximately 3% following the disclosure. Had this happened post-GDPR, the fine could have reached up to 4% of total global turnover for the preceding fiscal year.

2017 – Attackers targeting Equifax exfiltrated hundreds of millions of customer records by exploiting a widely known vulnerability. The ICO found that Equifax had failed to undertake adequate risk assessments and/or, where risks were identified, had failed to ensure adequate security measures were in place. Dark Reading estimates that the data breach will cost Equifax at least $1.38 billion over the next five years.


As these examples show, some data breaches are avoidable with the basics in place. Whether it’s servers that need to be patched or sensitive data that needs to be encrypted, organizations should give management continuous visibility of risks in relation to business objectives and risk appetite. Progress on mitigating these risks also needs to be measured, to ensure that risks are not only identified but that appropriate measures are actually being taken. By assessing risks in financial terms, a language that executives do understand, better risk decisions can be taken with confidence.

Steve Durbin, managing director of the Information Security Forum, says the common understanding within the organization is critical. “The challenge for security is to be able to translate security metrics into a form of reporting that is relevant and understandable to a senior audience and aligns with and supports the assessment of business performance and ultimately business risk,” he says.


SECTION 3 So, what does good security look like?

A good board conversation should be aligned with business strategy and encourage two-way engagement. By eliminating the guesswork and presenting financially focused information, risk managers should be able to address management’s key concerns. This may seem simple enough, so why aren’t all firms modernizing their approaches to cyber risk management? Well, previously firms didn’t have the required data to quantify risks, but scientists such as Douglas Hubbard have paved the way.

In recent years, we’ve seen firms adopt quantitative methods to put cyber risks in financial terms based on hard facts. This has allowed organizations to truly understand risk, model the impact of mitigating controls and therefore justify investments.

With such rich data available, business leaders and technical teams can now align strategically. So how should it be presented? Well, there is no right answer. Executives have specific preferences and requirements when it comes to reporting, but the aims and objectives remain fairly standard. We’ve listed some examples of reports that add value to board conversations.


At any moment in time, business leaders should have access to the following information:

• Top 10 risks across the business

• Top 10 risks within a key business unit, process or department

• Aggregate risk status across the enterprise, compared to management’s tolerance

• Modelling the return on investment (ROI) from new security technologies and services

• Prioritization of control improvements

• Compliance status against relevant laws, regulations and standards

Management should also be able to drill-down to investigate specific risks of concern and to identify the significant control weaknesses that are contributing to unacceptable risk levels.

Other details and reports may also be of interest to the board, so it is important that information is easily available and accessible to those who need it. Business Intelligence tools could also be considered for presenting the necessary data and visuals.


Compliance-focused approaches to risk can no longer satisfy the board’s needs. A risk-based approach to cyber security provides the required data to determine priorities, make decisions and understand ROI.

Quantitative assessment of risk is a fundamental requirement. It is vital that firms rethink their communications with the board in order to report effectively and help drive business strategy. There are various ways to present the data, so it is important that it is available on-demand and in a form which can be easily understood.
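To make the quantitative approach concrete, here is an added worked example (it is not from this paper and not code from Acuity or its STREAM product) of the arithmetic behind the reports listed in Section 3 and the register escalation described in Section 2: each risk is expressed as expected events per year times expected loss per event, only controls that are actually in place reduce the residual, the residual is ranked into a Top-N list, aggregated per business unit and compared with a stated appetite, escalated when it exceeds a register threshold, and the ROI of closing a control gap is computed so that actions can be prioritised. All risk names, figures, appetites and thresholds are constructed sample values, not data from any of the cases above.

```python
# Added example: a small quantitative risk register built on the paper's
# "frequency and magnitude" framing. Every risk, control, appetite and
# threshold below is a constructed sample value.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    annual_cost: float          # cost of operating the control per year
    frequency_reduction: float  # fraction of events the control prevents (0..1)
    magnitude_reduction: float  # fraction of per-event loss it avoids (0..1)
    in_place: bool = True       # compliance status: is it actually operating?


@dataclass
class Risk:
    name: str
    unit: str                   # business unit / register owner
    frequency: float            # expected events per year (inherent)
    magnitude: float            # expected loss per event, in currency units
    controls: List[Control] = field(default_factory=list)

    def loss_with(self, active: List[Control]) -> float:
        """Expected annual loss given a set of operating controls."""
        freq, mag = self.frequency, self.magnitude
        for c in active:
            freq *= 1 - c.frequency_reduction
            mag *= 1 - c.magnitude_reduction
        return freq * mag

    def inherent_loss(self) -> float:
        return self.loss_with([])

    def residual_loss(self, assume_gaps_closed: bool = False) -> float:
        # Only controls that are really in place count, so an unpatched server
        # or an unencrypted data store shows up as full exposure, not as "covered".
        active = [c for c in self.controls if c.in_place or assume_gaps_closed]
        return self.loss_with(active)


def top_risks(risks: List[Risk], n: int = 10, unit: Optional[str] = None) -> List[Risk]:
    """Top-N register by residual annual loss, enterprise-wide or for one unit."""
    pool = [r for r in risks if unit is None or r.unit == unit]
    return sorted(pool, key=lambda r: r.residual_loss(), reverse=True)[:n]


def aggregate_status(risks: List[Risk], appetite: Dict[str, float],
                     assume_gaps_closed: bool = False) -> Dict[str, dict]:
    """Residual loss per unit and for the enterprise, compared with risk appetite."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.unit] = totals.get(r.unit, 0.0) + r.residual_loss(assume_gaps_closed)
    totals["enterprise"] = sum(totals.values())
    return {k: {"residual": v, "appetite": appetite[k], "within_appetite": v <= appetite[k]}
            for k, v in totals.items()}


def escalate(risks: List[Risk], unit_threshold: float, board_threshold: float) -> Dict[str, str]:
    """Register level each risk lands in once its residual exceeds a threshold."""
    levels = {}
    for r in risks:
        loss = r.residual_loss()
        levels[r.name] = ("board" if loss > board_threshold
                          else "enterprise" if loss > unit_threshold else "unit")
    return levels


def control_roi(risk: Risk, control: Control) -> Tuple[float, float]:
    """(annual loss avoided, ROI) of operating `control` on top of the controls
    already in place for this risk."""
    others = [c for c in risk.controls if c.in_place and c is not control]
    avoided = risk.loss_with(others) - risk.loss_with(others + [control])
    return avoided, (avoided - control.annual_cost) / control.annual_cost


def prioritise_gaps(risks: List[Risk]) -> List[Tuple[str, str, float, float]]:
    """Controls that are not in place, ranked by the loss that closing them avoids."""
    gaps = [(r.name, c.name, *control_roi(r, c))
            for r in risks for c in r.controls if not c.in_place]
    return sorted(gaps, key=lambda g: g[2], reverse=True)


# Constructed sample register (hypothetical figures)
REGISTER = [
    Risk("Ransomware via unpatched servers", "Retail", 0.5, 2_000_000,
         [Control("Patch within 14 days", 60_000, 0.8, 0.0, in_place=False)]),
    Risk("Card data harvested from web checkout", "Retail", 0.2, 5_000_000,
         [Control("Script integrity monitoring", 40_000, 0.5, 0.6)]),
    Risk("Laptop theft with unencrypted records", "Corporate", 2.0, 150_000,
         [Control("Full-disk encryption", 20_000, 0.0, 0.9)]),
    Risk("Cloud misconfiguration exposing backups", "Corporate", 0.3, 900_000),
]
APPETITE = {"Retail": 500_000, "Corporate": 350_000, "enterprise": 800_000}

if __name__ == "__main__":
    for r in top_risks(REGISTER, 3):
        print(f"{r.residual_loss():>12,.0f}  {r.unit:<10} {r.name}")
    print(aggregate_status(REGISTER, APPETITE))
    print(escalate(REGISTER, unit_threshold=250_000, board_threshold=500_000))
    print(prioritise_gaps(REGISTER))
    print(aggregate_status(REGISTER, APPETITE, assume_gaps_closed=True)["Retail"])
```

Run as a script it prints the Top 3 register, the per-unit and enterprise appetite comparison, the escalation level of each risk and the prioritised list of control gaps. The last line shows the Retail unit coming back within appetite once the patching control is actually operating, which is the progress-to-completion view the paper asks for; the same model, re-run as controls are confirmed in place, gives the board the "proof of progress" that the Travelex case above was missing.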

TAKE CONTROL OF RISK

For further information on STREAM or Acuity Risk Management: [email protected] | acuityrm.com

Acuity provides holistic, quantifiable cyber, IT and operational risk intelligence enabling companies to embrace digital opportunities and manage smarter, more resilient businesses. Through extensive and integrated qualitative and quantitative analysis and reporting, Acuity delivers the insights to executives necessary to be smarter about risk and prepare companies for the challenges created by an increasingly connected world.