Published in Risk & Compliance Magazine: https://riskandcompliancemagazine.com/challenging-the-status-quo-roadmap-for-moving-to-roi-led-cyber-risk-management
In an April 2021 interview with CBS’ 60 Minutes, Jerome Powell, Federal Reserve chairman, stated that cyber risk is the current risk deserving his attention “rather than something that looked like the global financial crisis [of 2008]”.
The news regarding cyber assaults on companies around the world has become all too familiar. The threat is well recognised and, as a result, organisations are spending massive amounts of money on cyber security. Yet the attacks and ensuing damages continue.
When a cyber incident occurs, executives and their boards of directors are surprised and shaken. How could this happen given their intense focus on new defensive technologies and active monitoring and analysis?
The primary emphasis of cyber solutions may actually be the problem. The root cause of many cyber risk events is found in the interrelation between technology and other areas of business – people, processes and third parties, which can be a blind spot due to limited control, come into play. Companies attempting to drive better risk management via a three-lines-of-defence (3LoD) model have typically failed because they did not create the necessary collaboration between cyber security, their business units and enterprise risk management (ERM).
Current State of Affairs
The statistics are mind-numbing. There were almost 3000 publicly reported breaches in the first three quarters of 2020, a 51 percent increase from the same period in 2019. Through Q3 2020, a record 36 billion records had been exposed, according to Risk Based Security, Inc.
Perhaps capitalising on the increased number of people working from home in 2020, ransomware attacks increased sevenfold over those detected in 2019. The average ransomware payment in Q1 2020 increased 33 percent to $111,000 compared to Q4 2019, according to Coveware.
A typical data breach for a large company leads to a data loss of 10 to 99 million records and an associated hit to the company’s value of over 7 percent, according to iomart. As a result of a breach, customers in the tens or even hundreds of thousands feel that their trust has been broken and decide to take their business elsewhere. Global cyber crime annual damages are in the trillions of US dollars. Damages can include theft of funds and intellectual property (IP), theft of personal and financial data, data destruction, lost productivity, cost of investigation and restoration, and reputational harm. Senior executives recognise that cyber risks must be addressed and want solid answers with conclusive results. So, companies are aggressively adding staff and technology solutions. In many cases, this includes the application of new or added layers of digital defence, putting up fences to protect anything and everything, adding markedly to cyber-related annual spending.
The costs can be significant. In June 2020, Gartner reported that worldwide spending on information security technology and services was anticipated to reach $123bn by the end of that year. According to CNBC, in July 2019, cyber security budgets for the two largest US banks — JPMorgan Chase and Bank of America — had swollen to a combined $1.4bn annually.
The solutions offered, however, tend to be reactive and inefficient, with little effect on the number or impact of attacks. Security investments are often made without regard for the return on investment (ROI) and, once those new tools and controls are in place, there is typically little effort to revisit the decisions, rationalise control structures against current risks, and eliminate ineffective systems.
A Losing Proposition
Why are companies and their resourceful cyber risk teams still in the position of expending serious effort and money without gaining traction on the problem?
With today’s corporate challenges — competing priorities, speed of technology change, work-from-home models, revenue challenges and expense cutting, among others — it is easy to fall into the comfort of a capability-maturity type of approach regarding cyber security. More controls are demanded each year but is risk being reduced? Though it is believed that the answer is yes, few companies can quantify the results. Regrettably, the demands often overload cyber teams to the point that full execution of risk mitigation is never quite achieved and technology and innovation projects that would enable business growth are slowed down or never started.
Viewing the issue solely as an IT security problem limits the tactics that could, and should, be implemented. Consequently, roles and responsibilities are inappropriately defined, and reward systems miss the mark. Efforts get caught in silos, such as business units, information security and internal audit. Skill gaps go unidentified. And worst, the company’s overall business objectives and risk strategies go unsupported.
Enduring Solutions
With cyber criminals already eyeing their business, the prudent chief executive must understand that achieving meaningful progress cannot be attained without a shift in thinking from ‘cyber risk’ to the company’s broader risk environment. The handling of cyber risk must be captured within the company’s total risk strategy and security response must be risk-based. Cyber security should be a critical part of the solution, but is not necessarily the whole solution. IT, cyber security, risk management, internal audit and the business units must work hand in hand to secure the company.
The 3LoD model can be an excellent foundation for risk management if applied properly. Born out of the 2008 financial crisis, 3LoD provides a standardised strategic model for managing operational risk (including cyber). The model includes people, process and technology and helps to clarify roles and reduce the resources required.
Where 3LoD has gone wrong is in its treatment as a rigid organisational construct rather than a framework through which roles can be defined, authorities assigned and collaboration created, all aimed at better risk management. The expertise of individual groups must be respected but a group’s defence of its turf cannot be condoned.
Accordingly, the board of directors and executive management should take the following actions to put the company’s risk management (and cyber protection) on solid ground. This proactive approach to understanding risks and intelligently preparing for them does require an upfront investment of time and effort, but also brings substantial rewards.
First, enable and empower the chief risk officer (CRO) to take enterprise-wide ownership and accountability for cyber risk management. As head of the independent second LoD ERM function, the CRO is in a unique position to bring all areas of the company together to partner and collaborate on managing this biggest risk to the enterprise.
Second, establish the appetite and tolerance for cyber risk, realising that ‘take zero risks’ is neither reasonable nor achievable. The board and executive management must quantify what risks they can and cannot accept. When clearly disseminated throughout the organisation, this information provides a basis for cyber security strategic planning and decisions.
Third, clearly define, via risk management policies and standards, the roles, responsibilities, ownership and accountabilities for the business units, chief information security officer (CISO), ERM and internal audit. The CRO and CISO must partner on all matters related to cyber risk.
Fourth, establish a collaborative partnership model where the CISO (first LoD) and CRO (second LoD) work together on issues such as cyber risk policies and broad planning regarding cyber security strategy and architecture. This will require the CISO to become more aware of the enterprise risk picture and the CRO gains knowledge regarding the technical issues confronted in battling cyber risk. The details of this arrangement will, of course, depend on the specific characteristics of the company; regardless, roles and expectations should be well defined, using a tool such as a responsible, accountable, consulted and informed (RACI) chart. Considering the necessary sharing of information and resources, previously erected silos might need to be dismantled, potentially evolving into a matrix-style organisation.
Fifth, map all core and critical end-to-end business processes and understand the associated critical risks. By focusing resources on high-risk processes while rationalising or streamlining controls for moderate- to low-risk processes the overall cost of risk mitigation and controls is reduced. This allows the company to more quickly identify and remediate the root cause of each cyber risk event that may occur — everyone knows which processes are affected and how to keep the business up and running. The transparency from top to bottom enables a rapid transition from panic to control.
Sixth, evaluate and assess the cyber risk skills and expertise in each LoD and make the necessary changes to strengthen cyber risk management activities and oversight.
Finally, establish an ROI process to quantitatively evaluate and assess the risks and rewards of investments in staffing, automated tools (such as artificial intelligence), and controls that align with risk appetite and tolerances. The board and executive management should be asking, without any dollar limitation, what it will take to bring cyber risks within the agreed tolerances. This approach will allow for informed investment and risk reduction and acceptance decisions.
In Summary
Significant increases in spending to combat cyber risks have not slowed the number nor reduced the impact of attacks. Something different must be done: refocus from technology-only solutions to the management of business risk.
With this leap, companies can attain a better alignment between controls and corporate business and risk strategies, reduce the impact of attacks that may occur, and reduce overall costs by concentrating cyber controls on high-risk business processes and rationalising those in lower-risk business areas.
The cyber world moves quickly. The longer companies wait to redefine their risk approach, the farther behind they will fall.
The time to act is now.
