How CROs can get on top of cyber risks

As cyber attacks become ever more prevalent, sophisticated and damaging, Chief Risk Officers (CROs) are asking how can we strengthen security and readiness to respond?

The challenges are heightened by the speed at which the global cyber regulatory landscape is evolving and cyber compliance is moving up the agenda. The resulting questions for you as a CRO include: 

1How do we set a viable cyber risk appetite and ensure it is being applied organization-wide?

The ‘right’ approach demands balance – setting cyber risk appetite that balances the organization’s value chain and strategic differentiators with necessary controls. It also requires a clear understanding of the cyber risks defined as business outcomes, so they can be clearly understood in the context of your overall business strategy.

Key questions include how much time would you allow business critical services to be down, if at all? What constitutes an ‘unacceptable’ level of financial loss, relative to your annual revenue or EBIT? Ensuring your risk appetite is defined in specific, objective and measurable terms will help your security team build a picture of the trade-offs that are required to meet these goals in terms of the investment in security controls. 

2Am I receiving the ongoing reports needed to understand key cyber risks and assess how they are being managed and mitigated? 

The top-level risk dashboards and other reporting/executive statistics you receive need to clearly demonstrate the cyber risks in business terms and reflect the metrics that matter within your organization when it comes to measuring control effectiveness, the accountabilities to deliver against those controls and the understanding of any actions needed to maintain progress against your defined risk targets.

Cyber security assessments can often be laden with technical jargon, lack business context or be too generic to translate into meaningful targets and interventions. It’s therefore important that your organization can distil cyber security risk into an intelligible assessment that can be acted upon by the accountable executive(s). 

3Do we have the right cyber security operating model with clear responsibilities between risk ownership, management, and oversight of the risk management process?

There should be clear ‘lines of defence’ for cyber risk management, with ownership of the risks and operation of the associated controls being separated from risk management oversight and governance.  

This is perhaps even more important for cyber security than in other areas of non-financial risk management, given the complexity of the threat landscape and diversity of the risks, which means that it isn’t always possible to objectively measure control effectiveness. Having a second line of defence to provide objective oversight and challenge on risk assessment and control effectiveness will help to ensure that executives are provided with the highest quality information on which to base business decisions. 

How Berkeley can help

At Berkeley, we have experience of helping CROs answer these questions through all stages of their cyber journey. We can help you to:

• Define your cyber strategy to set clear goals and ensure alignment with business strategy 
• Deliver your cyber transformation program
• Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
• Deliver specific projects in your cyber portfolio that you may be struggling with
• Rebuild and strengthen your cyber capabilities post cyber-attack
• Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews 
• Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.