Thoughts on Increasing Cyber Resiliency
Companies’ adoption of new technologies is outpacing their ability to protect against evolving cybersecurity threats. It used to be said that it’s not a question of IF an organization will be breached, but WHEN. Jim DeLoach suggests that companies either know they’ve been breached or they’ve been breached and don’t know it. How, then, do we move forward?
Without question, senior executives and their boards remain concerned with the security and availability of information systems and protection of confidential, sensitive data from the commercial cyber war in which their organizations are engaged. However, too many think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board and senior management engagement with cybersecurity.
A top-five risk for many organizations across many industries,[1] cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud computing adoption, increasing digitalization investments, advancing data and analytics sophistication and expanding mobile device usage to leverage exponential increases in computing power, all to achieve and sustain competitive advantage. As these innovative transformation initiatives grow the digital footprint constantly, they outpace the security protections companies have in place. This dilemma presents several sobering realities:
- Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing and getting close to secure is elusive.
- The question is no longer whether the organization has been breached. Companies today fall into two groups – those that know they have been breached and those that have been breached but don’t know about it. (More on this point below.)
- Security and privacy internal control structures that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize.
- To top it off, resources are needed to innovate to remain competitive. Companies cannot afford for cyber to dominate the IT budget and stifle innovation.
Needless to say, the picture is not a pretty one.
Key Considerations
Protiviti’s research indicates that board and senior management engagement in information security matters is improving.[2] In the spirit of further improvement, the following are eight business realities these leaders and the executives who support them should consider as they oversee and manage cybersecurity risk:
1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening, it’s also about handling the upside should the company’s digital initiatives work better than management ever could have imagined. As companies harvest new sources of value through digitalization and business-model innovation, more progress is needed to mature the performance of security and privacy capabilities across the enterprise. The wise course is to plan for incredible success through a hyperscalable business model that is resilient enough to accommodate rapid growth.
2. It is highly probable the company is already breached and doesn’t know it yet. The once-common adage, “It’s not a matter of if a cyber risk event might occur, but more a matter of when” is old, dated thinking. It’s happening – now. For the majority of companies, cyber risk events have already occurred and continue to take place, yet many companies do not have the advanced detection and response capabilities they need. And if that were not already enough, the proliferation of data privacy regulations around the globe – the European Union’s General Data Protection Regulation, for example – is raising the stakes. Publicity about data breaches affecting politicians, governmental agencies, global financial institutions, major retailers and other high-profile companies, along with the growing presence of state-sponsored cyber terrorism, is presenting an attention-grabbing landscape. As a result, directors and executives alike are recognizing the need for cyber resiliency to preserve their organizations’ reputation and brand image.
Boards should be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators and the significant impact of a breach. Simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and respond in a timely manner. In addition, an organization’s preparedness to reduce the impact and proliferation of an event is key. Accordingly, boards should focus on the adequacy of the company’s playbook outlining the actions in place to respond, recover and resume normal business operations after an incident has occurred, including responses to customers and employees to minimize reputation damage that could occur in the wake of a breach.
3. The focus needs to be on adverse business outcomes that must be managed. Most businesses know what their critical data assets and information systems – the so-called crown jewels – are; however, they forget to focus on the business outcomes they are looking to manage when they assess security risks. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than steps taken based on a narrower focus on specific assets and systems.
To illustrate, once an application is deemed key, it is typically considered in scope and managed. If the risk pertains to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter and may even be a greater risk. Users have access to data, regularly download it and may even email it, either ignoring or forgetting the business imperative to protect it.
Therefore, controls over what happens to critical data assets once they are downloaded cannot be ignored. They won’t be if user leakage is an integral part of the adverse outcomes to be managed. That’s why boards and executives should insist that IT leaders assess information security risks holistically, focusing on strategies to manage adverse business outcomes rather than attempt to throw money at addressing every technical weakness. A holistic view will encompass both the technology and people perimeters.
4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cyber environment change incessantly, protection measures must evolve to remain ahead of the threat profile. While recurring assessments are important, they should not be relied on as the sole means to identify new threats to be managed. Boards and executives should inquire as to how the organization’s existing threat management program proactively identifies and responds to new and emerging cyberthreats, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model and its visibility as a potential target. Directors should also insist on an assessment of the related cyber risks resulting from major systems changes; it is always less expensive to build security into the systems design early, rather than retrofit it later.
5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of cyber opponents, waiting and ready with an arsenal of technology, people, processes and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short time and again when combating the onslaught of ever-changing threats that surround businesses today. Security functions need to change the way they deliver protective services and move well beyond initiatives to create enterprisewide cyber awareness. Accordingly, boards and senior management should expect:
- A clear articulation of the current cyber risks facing the business (not just IT)
- A summary of recent cyber incidents, how they were handled and lessons learned
- A short-term and long-term roadmap outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress
- Meaningful metrics that provide supporting key performance and risk indicators as to how the top priority cyber risks are being managed today
For those organizations facing significant gaps between the current state and the target state in their capabilities for managing security risks, a cybersecurity program office is an emerging practice for managing large security projects successfully, with a focus on aligning technology, people and processes with the enterprise’s key risks.
6. Cybersecurity must reach beyond the four walls. As companies look upstream to vendors and suppliers (including second tier and third tier) and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors and executives should foster collaboration with third parties to address cyber risk in a cost-effective manner across the value chain when assessing insider risk, because electronic connectivity blurs the notion of who constitutes an “insider.” As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber attackers.[3]
7. Cyber cannot dominate the IT budget. No doubt, boards and senior management should ensure that cybersecurity is appropriately addressed and sufficiently resourced. But, as pointed out earlier, they should not allow cyber initiatives to stifle innovation. Over the past decade, IT departments have been reducing operations and maintenance costs consistently and using most savings to fund other priorities, including, most notably, security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets free for innovation.[4]
Within a strained budgetary environment, it is critical for IT leaders to focus on first protecting what’s important (the “crown jewels”), keeping up with the cyberthreat landscape to identify the kind of attacks that are most likely to occur and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity, while vital, will continue to consume ever-larger portions of the IT budget. As a result, innovation will suffer and the business could ultimately fail – not because a cyberthreat is realized, but because the disproportionate and unfocused spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and/or innovators.
8. Directors and executives should gauge their confidence in the advice they’re getting. While there is no one-size-fits-all approach, boards and senior management should periodically assess the sufficiency of the expertise to which they have access to advise them on cybersecurity matters. For boards, there may be circumstances in which they should strongly consider adding individuals with technology experience either as members of or advisers to the board, especially when the board’s agenda is crowded. Executive management, for its part, may find value in a fresh perspective from an outsider.
Cybersecurity is likely to remain center stage as a top risk for a long time as companies increase their reliance on new technologies in executing their global strategies. Given the realities of managing cyber risks, as discussed above, it is important to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances and prepare for the inevitable incidents.
Questions for Boards and Executive Management
The following are suggested questions that boards of directors and senior managers may consider in the context of the nature of the entity’s risks inherent in its operations:
- Are we sufficiently engaged in our oversight of cybersecurity? For example:
  - Is there someone on the board or advising the board who is the focal point for this topic?
  - Is executive management satisfied with the advice it is getting?
  - Do we include cyber as a core organizational risk requiring appropriate updates in board and executive team meetings?
- Are the company’s strategies for reducing the risk of security incidents to an acceptable level proportionate and targeted?
- Do the board and executive team receive key metrics or reporting that present the current state of the security program in an objective manner?
- Have we identified the most important business outcomes (both unanticipated successes of digital initiatives as well as adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
  - Do we know whether and how they’re being managed?
  - Does our security strategy differentiate these important outcomes from general cybersecurity?
  - Do we assess our threat landscape and tolerance for these matters periodically? Are we proactive in identifying and responding to new cyberthreats?
- Does the company have an incident response plan? If so:
  - Have key stakeholders supported the development of the plan appropriate to the organization’s scale, culture, applicable regulatory obligations[5] and business objectives?
  - Have we thought about the impact specific cyber events can have and whether management’s response plan is properly oriented and sufficiently supported?
  - Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Has the executive team approved the plan? Do all the stakeholders to a planned response know their respective roles and responsibilities? Is it clear in which events the board should play a key role in overseeing the response efforts?
  - Are effective incident response processes in place to reduce the occurrence, proliferation and impact of a security breach?
  - Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
  - In the event of significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?
[1] Executive Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative, available at www.protiviti.com/US-en/insights/protiviti-top-risks-survey.
[2] Managing the Crown Jewels and Other Critical Data, Protiviti, 2017, available at www.protiviti.com/US-en/insights/it-security-survey.
[3] Managing the Crown Jewels and Other Critical Data.
[4] From Cloud, Mobile, IoT and Analytics to Digitization and Cybersecurity: Benchmarking Priorities for Today’s Technology Leaders, Protiviti, 2016, available at www.protiviti.com/sites/default/files/united_states/insights/annual-technology-trends-and-benchmark-study-2016-protiviti.pdf.
[5] For example, the Gramm-Leach-Bliley Act for financial institutions and HIPAA for health information in the United States, and PCI security standards for payment systems.