“Cyber” is not an appropriate category of risk. Often cited in 10-K reports, discussed by board directors and C-suite executives, and referenced by Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) professionals, the category merely perpetuates ambiguity and lack of understanding related to all things “cyber.” Because of this (and other reasons, of course), efforts to address cyber-related risks are oftentimes unfocused, ineffective, or underfunded. That’s because “cyber” is an environment for business activity and a vector for introducing potential harm. But it is not an effect on the business. Risks are often defined as causes (e.g., “geopolitical instability,” “terrorism,” and “currency fluctuation”) and sometimes as effects (e.g., “production delays,” “higher material costs,” and “reputational damage”). In some cases, risks may be defined as a vague combination of both (such as “supply chain disruption”). But if the effects are not clearly understood—either explicitly or implicitly—those responsible for overseeing, funding and implementing mitigations will remain unclear about what exactly they’re trying to mitigate and thus ineffective in doing so. One of the main problems with vague categorization is that it perpetuates the tendency to view “cyber” as a technology problem looking for a technology solution, not as an enterprise risk problem in need of an enterprise-wide response. Addressing cyber risk requires a holistic approach that integrates policy, governance, operations, information technology and human behaviors. But that requires cohesion at the top; in many cases, the senior-most leaders of an organization do not understand the cyber realm well enough to develop and implement strategy.
In turn, this silo view of all things cyber perpetuates the tendency to bucket funding within the IT budget, with an ensuing struggle for resources between business-enabling operations (always more interesting to business leaders) and the inconvenient necessities of security and compliance. It also becomes, too easily, a problem for the relatively few to address. Having dutifully commissioned the CISO or VP of Compliance or similar person to take care of the “cyber” problem, directors and executives responsible for the enterprise can go back to more compelling topics of performance, growth, and so on. And because so much of cybersecurity is linked to human behavior, effective risk mitigation often falls short due to lack of leadership involvement. Leaders who are best positioned to change organizational culture, and thus the human behavior driven by it, are often not focused on making their most important contribution to security. After all, they might reason, “cyber” risks have been properly noted in enterprise risk assessments, they have appointed leaders to drive cybersecurity improvements, and they have allocated IT budget for such matters. So, it falls upon ERM, GRC and security professionals (including those of the “cyber” variety) to more clearly articulate the risks they identify in the cyber realm. This begins with using language and numbers that reflect the impact of cyber threats on the value chain of the business. A compromised Supervisory Control and Data Acquisition (SCADA) system in the manufacturing plant can lead to production delays, loss of revenue, and so on. Loss of sensitive customer data can lead to reputational damage and fines. Compromised intellectual property can result in market share loss to competitors not burdened by the costs of development. These are effects beyond those of failed audits, since compliance is merely a necessary, but not sufficient, condition of enterprise security.
Often, risks are identified as causes first and then mapped to effects. Perhaps the effects can be identified first, and the various causes then mapped to them. For example, a stoppage of the manufacturing process can be caused by cyber, extreme weather, criminals, and terrorist actors. By securing the facility against the spectrum of physical and virtual threats, associated risks to the business—production delays, loss of market share, reputational harm, etc.—can be mitigated holistically. By protecting intellectual property against the spectrum of external and insider threats, as well as inadvertent data compromise or loss, these risks can be addressed as various aspects of the same challenge. Assuming the presence of threats and vulnerabilities, and working to mitigate them, is a more realistic way to think about cybersecurity in an age of persistent threats, continuously emerging vulnerabilities and the inevitability of compromise. And if risks are viewed holistically based on their effects, the funding for cyber-related mitigations is more likely to be integrated throughout the various cost centers that ultimately need to own their mitigations. Rather than shifting costs to IT and then expecting IT to take care of cyber-related risks (while placing ever-increasing demands on IT in general), business owners can carry their share of the burden and collaborate with the CISO to reduce risk. This is generally how financial or legal matters are governed in an organization. Business leaders do not offload the mitigation of financial risks to the CFO or legal risks to the General Counsel; rather, they work closely with them and call upon them for their domain expertise. All of this is only possible if non-technical leaders develop a more mature understanding of the cyber realm and the various risks associated with it.
As they already have in the financial, legal, and operational realms, when they begin to lead in cyber, leveraging the expertise of cybersecurity professionals without yielding their own responsibilities, they will drive the holistic approach to risk mitigation necessary to survive and thrive. And by leading, they will drive organizational culture toward better cybersecurity. This can happen as soon as “cyber” shifts from being a vague risk category in the 10-K report to an essential component of the business—delivering benefits and risks—one that's managed by business leaders who understand their effects.