Network administrators, security analysts, and software developers take a technical approach to risk management, whereas executives and a business's board of directors take an economic one. The board wants to know the monetary impact of threats and who is responsible for managing them. Executives who answer to the board are therefore wise to keep the board's appetite for risk in mind. The friction between the technical and executive approaches brings its own challenges.
Most executive frustration comes from a lack of technical knowledge, yet executives do understand that data breaches can result in exorbitant costs from litigation, brand damage, customer loss, and eventual monetary reparations. The Internet Security Alliance (ISA) published a report addressing cyber-risk and risk management from an executive standpoint, including how executives should present reports to a board of directors to guide it in protecting digital assets.
Small-to-Midsize Businesses are More At Risk Than Large Enterprises
A common misunderstanding among executives is that small and midsize businesses are insignificant to hackers. In fact, the opposite is true. Attackers know that large enterprises have the resources and staff to stop sophisticated threats, so they target smaller businesses known to have less expertise, fewer onsite staff, and weaker risk management. These businesses can benefit the most from third-party risk management consultants, but they often have no strategy or motivation to engage them. It is often not until the business suffers a severe and costly data breach that risk management becomes a corporate goal, and in some cases it is too late for the business to survive the damage.
Enterprises might store millions of customer records, but small businesses are more likely to be vulnerable to simple exploits. Customer records aggregated from several compromised small businesses can still bring cyber-criminals a seven-figure payout on darknet markets. Small businesses are also less likely to detect a compromise, mitigate it effectively, and fully eradicate it from the environment, which gives an attacker continuous data exfiltration opportunities from a single intrusion.
By the time the boards of small businesses catch up, the cybersecurity landscape has already changed. It has been reported that approximately 4,000 ransomware attacks occur daily, and the number of zero-day threats continues to grow. Authors of threats like ransomware evolve their malware to bypass defenses, and small businesses do not have the resources to keep up.
Boards of smaller businesses should know that attackers do not need a large data volume to make them a target. Cyber-criminals exfiltrate records from several businesses, build lists from the data, and sell it on the dark web. With just a few hundred stolen records, a small business could face enough litigation, incident response costs, and compliance fines to bankrupt it.
Public companies might weather the multi-million dollar storm after a data breach, but they still suffer extensive monetary damage. One analysis of market performance after data breaches found that share value falls immediately by 3.5% on average. After one year, share prices are down 8.6% on average; after two years, they have underperformed by 11.3%; and after five years, they are down 15.6% on average.
Tech and finance companies see the most immediate negative impact, presumably because the public expects them to have the best defenses available and because of the type of data they hold. When sensitive data such as personally identifiable information (PII) and financial data is disclosed, the damage to stock prices is much more long-term, presumably from a loss of customer trust and loyalty.
Instead of leaving executives to react to cyber-risk, ISA built principles to guide executives and their boards in managing it. The ISA principles are a good guide for reducing frustrations and misunderstandings around the technical concepts of cybersecurity.
Five Principles of Cyber Risk Management for Executives
ISA's guide covers five main principles for executives, mainly highlighting the importance of presenting cybersecurity strategies to the board and the cost of establishing and implementing security policies. For executives, the cost of cybersecurity programs must scale with business growth or it can blow the budget. Cybersecurity should not undermine profitability, so the strategies brought to the board must align with business objectives.
The five principles are deliberately broad so that executives can make decisions that fit their own business requirements; no strategy is a "one size fits all" solution. Executives and their boards should adopt these principles to build strategies that fit their own revenue, industry, workforce, locations, and infrastructure.
Principle #1: Cybersecurity Requires Everyone, Not Just IT
For years, executives left the responsibility for cybersecurity to IT staff. Now, threats target people throughout the organization, from network administrators to the receptionist. People are the weakest link in any organization, so cybersecurity should be integrated into every workflow. Instead of leaving cybersecurity to IT, executives should create strategies that extend into day-to-day operations, including any employee "bring your own device" (BYOD) assets (e.g., laptops and smartphones).
Training employees to recognize threats that exploit human error, namely phishing and social engineering, is the first step, but executives should not forget third-party risk. Vendors, contractors, outsourced developers, business partners, and suppliers are also targets for cyber-criminals. Large enterprises often have the best security infrastructure in place, but small vendors with small budgets can introduce vulnerabilities, and cyber-criminals deliberately target those vendors to gain access to the larger enterprise.
Executives who bring ideas and strategies to board members should consider presenting the costs of supply chain attacks and third-party risk. One of the most significant supply chain attacks was the SolarWinds compromise, in which attackers tampered with SolarWinds' software build process so that a backdoor was included in legitimately signed updates of its Orion product and deployed to customer servers. Governments, public infrastructure operators, and private enterprises unknowingly installed the malware, which allowed the attackers to exfiltrate data. Strategies addressing third-party risk management and background checks for vendors can help reduce supply chain risk.
Principle #2: Legal Responsibility and Regulatory Requirements
Most corporations must follow at least one compliance regulation, and such regulations typically include requirements to disclose a compromise to the public, usually as a press release followed by email notification of affected individuals. In addition to federal regulations, individual states are adopting their own requirements. The board must therefore build communication with the public into its incident response strategy.
The most notable state-level requirements are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Businesses that meet the statutes' thresholds and handle the personal information of California residents must comply, and many states are adopting their own versions of California's laws.
Before public announcements are made, the board is often consulted to help decide the next course of action. The board must understand that notification deadlines can be tight (72 hours in some cases), and board minutes should reflect conversations about cybersecurity and mitigation decisions. Legal counsel may be needed to make the right decisions, and the next best course of action on public notification often does not require technical knowledge of the incident.
Principle #3: Cyber-Risk Expertise is Necessary
Executives and the board of directors make the decisions, but they need guidance from cybersecurity risk management experts to make the right ones. The board might understand that threats cost money and cripple growth potential, but technical expertise is necessary to turn corporate risk management policies into strategies.
Risk management and cybersecurity are like any other field: experience and knowledge come in many forms, and it takes a group of people to effectively guide an enterprise. Most boards look to a CISO (Chief Information Security Officer) to guide them, and the CISO oversees the cybersecurity analysts and administrators who monitor and mitigate threats. A big challenge for the CISO is relying on staff to report incidents: the ISA report claims that 60% of IT staff wait to report incidents in an effort to mitigate them first and lessen the impact.
CISOs and board members should create policies that give IT staff and other employees clear rules of engagement and reporting structures. Employees should be urged to report incidents quickly to reduce impact; they should know that time is of the essence and that quick reporting shortens the window cyber-criminals have to exfiltrate data. IT staff should also have policies for quickly containing and eradicating a threat while preserving evidence for incident response and investigations.
Collaboration among technical staff, stakeholders, executives, and board members results in reporting structures and policies that fit the corporate culture. Effective policies play a huge role in quick mitigation, which translates to less monetary damage for the enterprise.
ISA also recommends creating a committee to advise the board. At least 10% of the committee should be cyber-risk experts so that knowledge is shared across the board. Risk management consultants can help the board build strategies around internal and third-party risks. Some boards have a single risk management expert, but ISA suggests working with a committee of experts to get a more well-rounded view of incidents, with several opinions on the right way to approach them.
Principle #4: Management Must Adopt a Technical Framework for Risk Management
Businesses with a board of directors are usually large enough to have complex and extensive infrastructure. Adopting emerging technologies gives a business a competitive edge, but at the cost of limited knowledge of how to secure them. IoT (Internet of Things), blockchain and decentralized applications (also known as Web3), and artificial intelligence (AI) and machine learning (ML) are just a few examples of emerging technologies that also require data protection. An effective technical framework should protect current and emerging technology without creating immense technical debt.
Because every environment is different, it is common for organizations to adopt specific parts of several frameworks. The most common are:
- National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework is a 55-page document with over a hundred outcome subcategories for identifying, protecting against, and detecting threats, plus guidance for incident response and recovery.
- International Organization for Standardization (ISO). The ISO/IEC 27000 series (notably ISO/IEC 27001) focuses on securing sensitive data and assets such as financial information and intellectual property.
- CIS Controls (formerly the SANS Top 20) from the Center for Internet Security. This framework helps businesses inventory and organize their digital infrastructure and prioritize safeguards.
- Payment Card Industry Data Security Standard (PCI DSS). PCI DSS focuses on requirements for the transfer and storage of consumer payment card data.
With these standards in mind, ISA recommends the three lines of defense model. Each line is championed by a staff member and follows the framework chosen by the board. Executives decide the owner of each line, and those owners oversee day-to-day risk management efforts. The lines of defense are:
- Line 1: Basic monitoring and daily execution of risk management. Any staff member responsible for day-to-day operations can be nominated for the first line. That person should know the environment and understand what must be done to monitor the network.
- Line 2: Defining policies and building strategies around the chosen technical framework. This person helps the board define its risk tolerance and assess risk levels.
- Line 3: Auditing the effectiveness of the first two lines. This person provides an independent review of policies so they can be updated as the cybersecurity landscape changes.
Principle #5: Measurements and Reports
Every stakeholder wants to see a cost/benefit analysis of the business's risk management spending. Reports are commonly delivered to the CISO after an incident, but they contain highly technical information meant for future investigations and for budgeting additional cybersecurity infrastructure. A board of directors takes a more quantitative approach framed around "risk appetite".
Risk appetite is the amount of risk an organization is willing to absorb. The board must decide how much risk can be absorbed before it is worth investing in strategies to stop it: some risks have so little monetary impact that it would cost more to counter them than to accept them. This balance between risk and countermeasures is the board's risk appetite.
Metrics and analysis are necessary to determine the board's risk appetite, including its appetite for third-party risk, and the result will be unique to the business's requirements, industry, and compliance regulations. Risk appetite may evolve as the board is presented with future reports on common threats and the organization's current monitoring and defense capabilities, and both appetite and strategies may change as the business grows. In other words, the board must make monetary decisions about which threats will impact the business and deserve a slice of the IT budget.
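To make the cost/benefit calculation behind a risk-appetite decision concrete, here is an added Python illustration that is not from the ISA report or the original article. It assumes the widely used annualized loss expectancy (ALE) method, which the article does not name, and the scenario names, dollar figures, probabilities and control effects in it are constructed for the example: the board sets a dollar appetite, each risk is quantified before and after a candidate control, and each risk/control pair is marked fund, accept, or escalate.

```python
"""Worked risk-appetite / cost-benefit calculation (added illustration; not
from the ISA report or the original article).

Assumption: losses are quantified with the widely used annualized loss
expectancy (ALE) method, which the article does not name. Every scenario name,
dollar amount, rate and control below is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float     # expected cost of one occurrence, in dollars
    annual_rate_of_occurrence: float  # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # licensing, staff time, consultants, per year
    rate_reduction: float        # fraction of occurrences the control prevents (0..1)
    loss_reduction: float = 0.0  # fraction by which it shrinks the loss of each occurrence


def ale(scenario: Scenario) -> float:
    """Annualized loss expectancy: what the risk costs per year, on average."""
    return scenario.single_loss_expectancy * scenario.annual_rate_of_occurrence


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE once the control is in place: fewer occurrences, each possibly cheaper."""
    rate = scenario.annual_rate_of_occurrence * (1.0 - control.rate_reduction)
    loss = scenario.single_loss_expectancy * (1.0 - control.loss_reduction)
    return rate * loss


def evaluate(scenario: Scenario, control: Control, risk_appetite: float) -> dict:
    """Board-style decision for one risk/control pair.

    risk_appetite is the largest annualized loss the board will absorb without
    funding a countermeasure. Outcomes:
      fund     - the control saves more than it costs, or is needed to bring an
                 over-appetite risk back within appetite
      accept   - risk is within appetite and the control costs more than it saves
      escalate - risk exceeds appetite and this control cannot fix it; the board
                 must pick another control, transfer the risk, or accept it explicitly
    """
    before = ale(scenario)
    after = residual_ale(scenario, control)
    net_benefit = (before - after) - control.annual_cost  # positive: control pays for itself
    if net_benefit >= 0:
        decision = "fund"
    elif before <= risk_appetite:
        decision = "accept"
    elif after <= risk_appetite:
        decision = "fund"
    else:
        decision = "escalate"
    return {
        "scenario": scenario.name,
        "control": control.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "control_cost": control.annual_cost,
        "net_benefit": round(net_benefit, 2),
        "decision": decision,
    }


def prioritize(pairs, risk_appetite: float):
    """Rank every pair by untreated ALE (largest exposure first) and total the
    annual spend implied by the 'fund' decisions, for a board-level summary."""
    results = [evaluate(s, c, risk_appetite) for s, c in pairs]
    results.sort(key=lambda r: r["ale_before"], reverse=True)
    spend = sum(r["control_cost"] for r in results if r["decision"] == "fund")
    return results, spend


# Constructed sample register: figures are illustrative, not survey data.
RISK_APPETITE = 50_000.0
REGISTER = [
    (Scenario("phishing-led credential theft", 50_000, 2.0),
     Control("security awareness training + MFA", 30_000, rate_reduction=0.7)),
    (Scenario("ransomware on file server", 400_000, 0.25),
     Control("immutable offline backups", 20_000, rate_reduction=0.0, loss_reduction=0.75)),
    (Scenario("public website defacement", 5_000, 0.5),
     Control("managed WAF", 15_000, rate_reduction=0.9)),
    (Scenario("compromise via a small vendor's access", 1_200_000, 0.1),
     Control("vendor assessment program", 40_000, rate_reduction=0.25)),
]

if __name__ == "__main__":
    ranked, spend = prioritize(REGISTER, RISK_APPETITE)
    for r in ranked:
        print(f"{r['decision']:8} {r['scenario']:40} ALE ${r['ale_before']:>10,.0f}"
              f" -> ${r['ale_after']:>10,.0f}  net ${r['net_benefit']:>10,.0f}")
    print(f"annual spend on funded controls: ${spend:,.0f}")
```

Running the file prints the register ranked by untreated exposure together with the spend implied by the funded controls. The escalate outcome is the case the page describes as a genuine board decision: the vendor-compromise risk exceeds the appetite, and the proposed assessment program neither pays for itself nor brings the residual loss back within appetite, so the board must choose a stronger control, transfer the risk, or accept it explicitly and record that choice.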
Risk Management Guidance for Executives
At the heart of every good executive cybersecurity strategy are the consultants behind it. Whether sitting on an advisory committee for a large enterprise or consulting for a small business's board of directors, risk management consultants provide the information executives need to guide the board to effective cybersecurity strategies.
Access Point has professional and experienced consultants who can help shape the success of your board's strategies. Find out more about Access Point's approach to security consulting, regulatory compliance, and managed security.