3 Boardroom Initiatives to See You Through the Cyber Winter
CISO Marco Túlio Moraes on How to Guide the Cyber Agenda at Organizations
"Business and cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years."
– Global Cybersecurity Outlook 2023, World Economic Forum
In 2022, the World Economic Forum revealed a gap between security and business leaders: 41% of business executives believed cyber resilience was an established priority in their organizations, but only 13% of cybersecurity executives agreed.
In practice, organizations have not been able to mitigate cyber risks adequately. PwC's 2023 Global Digital Trust Insights Survey shows that fewer than 40% of organizations have properly mitigated the risks created by changes such as remote and hybrid work, cloud adoption, and the launch of new products and services.
One possible cause is that the cyber team is not involved when a new business initiative is planned. Only 19% of organizations involve it, according to the 2021 EY Global Information Security Survey.
To make matters worse, known vulnerabilities, meaning those the software vendor is aware of and that typically carry a published identifier, keep emerging: more than 25,000 new ones were published in 2022.
An unfixed vulnerability is a factor that can lead to a cybersecurity incident, since criminals may exploit it as a way to breach systems.
On the other side, according to Statista, cybercrime has paid off. Its impact in 2022 was estimated at $8 trillion, and it is expected to reach $23 trillion by 2027. Almost everything digital has value and seems to be traded at cybercrime marketplaces.
Indicators such as the more than 2,800 cyberthreat groups mapped by Mandiant; a breakout time of under two hours for a criminal group to move beyond its initial foothold in an environment, according to CrowdStrike's Global Threat Report 2021; and an average ransom payment of $570,000 in 2021, according to AAG, show the current cybercrime scenario.
On the business side, a gap of 3.4 million cybersecurity professionals, 287 days on average to identify and contain a data breach, and an average cyberattack cost of $4.35 million in 2022 demonstrate the challenge that companies have been facing.
Over 16,000 security incidents were reported in 2022, and 5,199 of them resulted in a confirmed data breach, according to the 2023 Data Breach Investigations Report.
The word "reported" is important, since 72% of organizations that experienced a data breach in the past year chose not to disclose it publicly.
New risks are not managed early on, technical debt keeps growing under external and internal pressure, and organizations are not handling emerging risks properly. What should we do to face this challenge?
The Boardroom's Strategic Role in Cybersecurity
"Cyber leaders remain, in general, weak at presenting the cybersecurity problem in terms that board-level executives can understand and act on."
– Global Cybersecurity Outlook 2023, World Economic Forum
The first step is to understand that this is a boardroom matter, and it demands that directors be prepared to understand and discuss the cyber issue and strategically guide C-level executives on this complex topic. It requires cyber competence in the boardroom. How can the boardroom balance risk-reward options if it does not understand the cybersecurity component of the equation?
To guide management, board members must understand how organizational goals relate to cybersecurity and where and how cybersecurity enables or protects business values. They must discuss cyber with the same level of competence they have in discussing finance, operations or reputational risks.
As Bob Zukis writes in "The Boardrooms Leading America's Digital Transformation," in the digital economy value is created or destroyed through technology. Cybersecurity sustains reliable and resilient operations, provides trust to stakeholders, ensures compliance with regulations, and allows businesses to live in the digital world by protecting against digital threats (see: Cybersecurity, Board of Directors, and Strategy: Going Beyond Protecting the Business).
There are three components of the boardroom's role in cybersecurity.
1. Cyber Risk Assessment
Driving the business strategy with cybersecurity in mind also requires knowing the organization's risk profile and how the leading cyber risks could affect its goals.
The organization can use a cyber risk assessment to map the primary cyber risks to the business. Each company has a different risk profile, shaped by its business model, market, size, complexity and momentum.
A cyber risk assessment produces a cyber risk profile: the cyberthreats to the core business assets, the inherent risks, the controls currently in place, open cyber issues, and how all of these affect the different lines of business.
Ideally, it presents, in quantitative financial terms, the total loss exposure for the cyber risk portfolio. Knowing where you stand helps you understand the size of the issue and drive the strategy. The healthcare industry, for instance, has a risk portfolio with an average loss exposure of $5.5 million, given an estimated annual likelihood of 9% and an average loss of $40 million. Is this something your organization can accept?
2. Cyber Risk Appetite
Once you can see the big picture, you should define organizational priorities and discuss risk appetite and tolerance, given constraints such as budget, people, time, other enterprise risks and resource limitations. The risk appetite and tolerances determine which cyber risks can be accepted and which must be mitigated, avoided or transferred. They define the level of risk the organization can manage. You may be willing to take more risk in a scenario whose worst case is losing market share, and you should be more conservative in accepting risk cases that could endanger people's safety.
Designing a cyber risk appetite, whether it is a formal statement or not, helps you evaluate whether to delay a new product, hold a business initiative, deprioritize other relevant risks, redirect resources to support a cyber risk strategy, or whatever other tough business decision needs to be made.
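The loss-exposure figure in section 1 and the tolerance check in section 2 are easier to reason about with numbers. The following is an added example, not code from the article or its author: it aggregates a constructed portfolio of cyber risk scenarios into an expected annual loss and a 95th-percentile annual loss by Monte Carlo simulation, then checks those against a hypothetical risk-appetite statement. The scenario names, probabilities, loss amounts and the lognormal spread are assumptions chosen for illustration, not figures from any report.

```python
"""Portfolio loss exposure and risk-appetite check (added example, not the article's code)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_probability: float  # chance the loss event happens in a given year
    median_loss: float         # median single-event loss in USD
    loss_sigma: float = 0.6    # log-scale spread of the lognormal loss (assumption)


# Constructed sample portfolio: illustrative values only, not from any survey or report.
PORTFOLIO = (
    RiskScenario("ransomware on core operations", 0.09, 4_000_000),
    RiskScenario("third-party breach of customer data", 0.15, 1_500_000),
    RiskScenario("cloud misconfiguration data exposure", 0.20, 800_000),
    RiskScenario("insider fraud", 0.05, 2_000_000),
)


def expected_annual_loss(scenarios):
    """Analytic expected annual loss: sum over scenarios of p * E[loss].

    For a lognormal loss with median m and sigma s, E[loss] = m * exp(s^2 / 2).
    """
    return sum(
        s.annual_probability * s.median_loss * math.exp(s.loss_sigma ** 2 / 2)
        for s in scenarios
    )


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Monte Carlo: total loss for each simulated year (seeded, so runs repeat)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:  # did the event occur this year?
                year_total += rng.lognormvariate(math.log(s.median_loss), s.loss_sigma)
        totals.append(year_total)
    return totals


def percentile(values, q):
    """q-th quantile (0..1) of a list by nearest-rank on the sorted values."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * (len(ordered) - 1)))]


def exposure_summary(scenarios, trials=20_000, seed=7):
    """Board-level view of the portfolio: expected loss, tail loss, worst simulated year."""
    losses = simulate_annual_losses(scenarios, trials, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "worst_simulated_year": max(losses),
    }


def breached_limits(summary, max_expected_loss, max_p95_loss):
    """Risk-appetite check: which stated tolerances does the portfolio exceed?"""
    breaches = []
    if summary["expected_annual_loss"] > max_expected_loss:
        breaches.append("expected_annual_loss")
    if summary["p95_annual_loss"] > max_p95_loss:
        breaches.append("p95_annual_loss")
    return breaches


if __name__ == "__main__":
    summary = exposure_summary(PORTFOLIO)
    print(f"analytic expected annual loss: ${expected_annual_loss(PORTFOLIO):,.0f}")
    for key, value in summary.items():
        print(f"{key}: ${value:,.0f}")
    # Hypothetical appetite statement: tolerate up to $1M expected and $6M at the 95th percentile.
    print("breached limits:", breached_limits(summary, 1_000_000, 6_000_000))
```

The two numbers a board can act on are the expected annual loss (what the portfolio costs on average, which is what an insurer or budget owner prices) and the 95th-percentile loss (the bad year the organization must be able to survive). A risk-appetite statement that sets a limit on each makes the "can we accept this?" question in section 1 answerable, and re-running the summary after a control is added shows which scenario's probability or loss it actually moved.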
3. Strategic Cybersecurity Program
Once you have a clear view of the issue, management should establish an emergency plan of urgent actions. There may be quick wins that reduce risk exposure. This plan should also include a process for managing crises arising from cyberattacks, which can unfortunately happen at any moment during the journey.
With all the relevant components in place, such as the cyber risk profile and portfolio of risks, business strategies and goals, defined resource constraints, and the cyber risk appetite, you can discuss the strategic cybersecurity program. It defines the initiatives that will manage cyber risks, including the necessary investment, the responsibilities of each area during and after implementation, and the expected results, whether measured as a reduction of existing risks, greater operational efficiency or business viability.
Consider also how the organization will govern and oversee the program's implementation and the capabilities it delivers, since those become the organization's cyber risk management capabilities.
"Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities."
– Global Cybersecurity Outlook 2023, World Economic Forum
Cybersecurity is a journey of implementing technologies but also of education, cultural change and reclassification of roles and responsibilities for everyone in the organization, including the boardroom, which needs to guide and oversee the cyber agenda.
The cyberthreat scenario is challenging. But if the board of directors assumes its role, companies may survive the cyber winter. Time will tell.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Marco Túlio Moraes has over 20 years of experience in technology and cybersecurity, in the financial market and in digital-native companies such as startups and fintechs. He has led strategic programs at Fortune 500 companies, such as Red Ventures, Experian, MUFG and AES, where he developed one of the first cybersecurity programs in Brazil. He was recognized in 2019, 2020 and 2021 by different international organizations as one of the top security executives and was named one of the top 50 chief security officers by IDG.