SECURITY & PRIVACY

Does Your Board Really Understand Your Cyber Risks?
by Daniel Dobrygowski and Derek Vadala
September 01, 2020

Over the past decade, business leaders have had to face an uncomfortable truth: It’s become
impossible to sit at the head of a company and not address the threat of cyber risk. Cyber
attacks are increasingly pervasive and can present near existential threats to companies,
and boards of directors and CEOs need ways to evaluate them, even if they can’t grasp the
technical details. This has led to an explosion in the demand for cyber-risk measurements,
both inside companies and among external stakeholders.

While the methods for measuring cyber risk have evolved in recent years, thanks in part to
the efforts of credit-rating agencies, investors, and insurance companies, nothing can
replace informed decision-making at the executive level. As cybersecurity experts, we
believe that the time has come not just to develop scores based on third-party
evaluations but to develop holistic assessments that consider technical analysis, governance, culture,
and the financial impact of adverse cyber events. Such assessments should become a
necessary and powerful tool for corporate directors who — if properly trained in
interpreting them — could use them to understand their organization’s exposure to
technological vulnerabilities.

Becoming literate in cyber risk doesn’t mean that all executives need to become technical
experts. What it does mean is that they need to be able to establish their company’s
tolerance for cyber risk, define the outcomes that are most important in guiding
cybersecurity investment, and be able to foster a culture of cybersecurity and resilience.

What cyber risk assessments do (and don’t) tell you


At its most basic level, a third-party cyber risk assessment shows how well a company has
implemented defenses designed to protect it from a cyber attack, whether it is a disruption
of its products and services, a breach of its confidential data, or fraud driven by a
cyberattack. These assessments also measure how well a company has prepared itself to
defend against and recover from such attacks — its cyber resilience. This is a critical
component of its broader enterprise risk-management strategy. The risks of weak cyber
resilience are abundantly clear: Directors see a near-constant stream of news of network
access for sale, factory production being disrupted with a resulting loss of revenue,
fraudulent bank wires, and breaches of customer privacy, all of which create lasting
reputational damage for the victim company.

During the past decade, the job of understanding and quantifying cyber risk has mainly
fallen to Chief Information Security Officers (CISOs) and their teams, who primarily
addressed the technical side of the problem. In making their assessments, they have tended
to focus on the number of previous attacks, their impact, and how quickly they were
addressed. Their goal, in short, has been to take stock of established defenses. The problem
with this approach is that it’s largely backward-looking. Assessments sometimes involve
looking at Internet-exposed company systems as an attacker might, and trying to
determine how vulnerable those systems are to attack. The problem with this second approach is
that it often doesn’t consider the layered defenses that organizations might have in place,
including the efforts to intentionally deceive hackers attempting to study the organization’s
weaknesses, and so may reflect a narrower view of risk.

The most significant limitation of both of these approaches, however, is that they isolate
cybersecurity decisions from the business they are meant to serve. While technical
assessments may be sufficient for a CISO’s needs, they do not offer what the board really
needs: a risk-oriented, holistic, and validated view of the company that considers the
financial and business impacts of cybersecurity (or cyber insecurity) in a given company.
Moreover, technical reports don’t adequately capture attributes such as governance,
culture, decision-making practices, or wider treatment of a company’s cyber risk profile
and appetite, all of which board directors and business executives need to understand if
they expect to make informed decisions about whether to allocate capital to improve cyber
defenses instead of investing in other areas of the business.

How to get the audit you need


For an assessment to be useful to directors in a strategic capacity, the board needs to be
clear about its requirements — which means it needs to know what to ask for. Rather than
accepting a score at face value, or even a qualitative assessment from the company’s
technical managers or auditors, directors should ask for a comprehensive assessment: one
that moves beyond the technical details and that includes both an outside and inside
perspective. At the same time, cybersecurity managers should work with their senior
leadership and boards to provide context and use an assessment as a tool for sharing the
knowledge the board needs to provide effective oversight. When presented in this way –
assembled and shared by a trusted advisor – cyber risk information can be held up against
other business risks and similarly weighed against particular strategic opportunities. This
won’t create perfect outcomes, but it will vastly improve companies’ understanding of their
cyber risk and provide a clear path for evolving oversight as the approaches develop.

What does this look like in practice? In order to make appropriate decisions, directors
need to understand what “good” means for their overall cyber risk profile, and what a
holistic assessment really entails (inside, outside, benchmarked, loss analysis). Additionally,
they need to set expectations for an outcome that is commensurate with the company’s
goals. Determining what “good” means will vary from company to company. Happily, this
means that there’s quite a bit that directors can do in order to ensure that the building
blocks are in place so their company can achieve the right outcomes when cyber rating and
assessment methodologies mature.

Define your risk appetite: The first thing directors should recognize is that the board
must determine the company’s risk appetite with regard to cyber-loss events just as it does
with any other risk. After developing an understanding of the subject and of what types of
risks its company faces, the board will recognize that “perfect” cybersecurity is not
attainable. Rather, it will come to appreciate that evaluating cyber risk — and reflecting on
any cyber assessment — requires the careful consideration of at least these two main
questions: 1) What do our customers expect of us? and 2) How do peer companies
approach these risks?

Focus on outcomes: Rather than jumping right to a ratings comparison, leaders need to
focus on the outcomes they’re trying to achieve. The right outcome is a combination of an
organization’s risk appetite, prior and future investment in cybersecurity, and the expectations
of its customers, shareholders, and even regulators. No one would expect a brick-and-mortar
retailer to have the same cybersecurity program and defenses as a top bank or a
manufacturer of military equipment. (Consider the situation of a law firm, which needs to
worry a lot about a breach of private client data, compared with that of an electric utility,
which needs to worry a lot about an interruption in services.) Likewise, boards and
business leaders need to calibrate their expectations by determining their appetite for risk
and making investments in cybersecurity that are commensurate with their industry
profiles. Once this is decided, the board should set internal standards and targets and hold
management accountable for meeting them.

Establish a culture of cybersecurity and resilience: Governance and culture have a
critical part to play in any evaluation of cyber risk. Boards should assert their role in
ensuring that these aspects of the company’s cybersecurity program are paramount. While
there are currently varying approaches to measuring cyber risk, the right outcome always
starts with the right culture. Even as the measurements shift, culture is a driver of all
aspects of cyber resilience that can be measured — improvement in technical processes that
drive improvement in outside scores, management engagement in cyber relative to
business initiatives, engagement of the board in ensuring accountability in objectives.
Culture is also important because its indicators fluctuate less over time than technology
measures, which tend to shift as trends in computing change. For example, measuring
cybersecurity in a data center is dramatically different from measuring cybersecurity in the
cloud, but the cultural aspects of whether these environments are effectively managed are
similar.

***

As the market for cybersecurity assessments further evolves into holistic cybersecurity
ratings, directors and business leaders need to pay careful attention to ensuring that
underlying measurements provide a true comparative benchmark, adequately consider a
balance between inside and outside measures, and fully examine the technical, governance,
and cultural aspects of an organization. In order to achieve this, transparency in the
methodologies used for assessing the risk is vital. But it is also crucial that organizations
properly set and manage a cyber-risk appetite, understand the range of financial impacts
that applicable cyber events may have on a company, and understand the role that good, well-informed
governance plays in mitigating them.

Daniel Dobrygowski is the Head of Governance and Policy for the World Economic Forum Centre for
Cybersecurity, where he advises on strategy, law, and policy around cybersecurity issues. His research areas include
privacy, election security, intellectual property, competition law, digital trust, and governance of new and emerging
technologies.

Derek Vadala is the CEO of Cyber Assessments, a joint venture between Moody’s Corporation, a global credit
rating agency, and Team8, a company-building venture group. Derek leads a team that is focused on creating a
standard benchmark for communicating cyber-risk in order to improve the global dialog about this important issue.
Prior to leading this venture, he was the Global Head of Cyber Risk for Moody’s Investors Service, responsible for
developing capabilities for evaluating cyber-risk and incorporating those capabilities into credit analysis.
