view from inside a missile silo
PHOTO: Aron Van de Pol

Why do consultants keep advising management and boards to consider cyber risk as if it is separate from all other business risks? Managing any single source of risk in a silo is almost certainly going to lead you to make incorrect, uninformed decisions.

Cyber is only one of many sources of risk that can affect the achievement of an enterprise objective initiative, program or project.

As I keep saying, it is not about managing risk — it’s about managing the organization and its success.

Increased, But Ineffective, Investment in Cyber Risk 

McKinsey's November article, "Cyber risk measurement and the holistic cybersecurity approach," is an interesting piece. It shares the evolving attitudes of executives towards cybersecurity. Quotes include:

  • “So far, we have not taken a big hit, but I can’t help feeling that we have been lucky. We really need to ramp up our defenses.”
  • “Digital resilience is one of our top priorities. But we haven’t agreed on what to do to achieve it.”

The article goes on to correctly note the investments companies are making to counter cyber risk, but also points out the absence of an "effective, integrated approach" to management and reporting in these efforts. Efforts to educate boards and committees are also ramping up, but again, not without issues. McKinsey points out that boards are "swamped with reports" but these reports are "often poorly structured ... with inconsistent and usually too-high levels of detail." Board members complained that these reports failed to convey the risk in terms of business processes. Poor writing and technical jargon also put off executives, leaving them struggling "to get a sense of the overall risk status of the organization."

I especially enjoyed this anecdote: "At a recent cybersecurity event, a top executive said: 'I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.'"

Related Article: 4 Information Security Trends for 2019

A Return of the Cyber Risk Silo

But then the article goes down the silo path, recommending chief risk and information security officers "create a list of critical assets, known risks, and potential new risks" and noting "The chief measure of cyber-resilience is the security of the organization’s most valuable assets."

True, this approach is consistent with guidance from ISO 27005: 2018 and NIST, but it puts the focus on information assets and not on the achievement of organizational objectives and success.

Why can’t they ask a simple question: "If we had a cyber incident, how could it affect the business?"

There’s going to be a range of potential consequences, each with a different likelihood. They could identify the level of harm that would be unacceptable and its likelihood.

Cyber is just one source of business risk. Businesses need to measure and discuss it in a way that enables it to be considered alongside other business risks, including legal, market, compliance, safety, culture, third party, and other sources of risk.

When management and the board are setting objectives and making strategic and tactical decisions, they need to see the big picture, all the things that might happen (risk). Looking at cyber risk separately from other sources of risk is simply wrong.

Related Article: Stop Managing and Start Taking Risks

Siloed Thinking Leads to Uninformed Decisions

Why do people think cyber is risk #1 when they are not assessing how it could affect the achievement of key business objectives? What is the likelihood that a cyber incident would cause the organization to fail to achieve its earnings per share, market share, and other targets?

A new piece from PwC is no better. "How your board can better oversee cyber risk" doesn’t have a single question about what would happen to the business if there were a breach! Instead, it focusses on data and other information assets.

Until we consider cyber the same way we consider other sources of business risk — in terms of how an incident might affect enterprise performance, value creation and the achievement of objectives — management and the board will continue to make uninformed decisions.

I welcome your comments.