Harry Metcalf
As cyber attacks become ever more prevalent, sophisticated and damaging, Chief Risk Officers (CROs) are asking how can we strengthen security and readiness to respond?
The challenges are heightened by the speed at which the global cyber regulatory landscape is evolving and cyber compliance is moving up the agenda. The resulting questions for you as a CRO include:
The ‘right’ approach demands balance – setting cyber risk appetite that balances the organization’s value chain and strategic differentiators with necessary controls. It also requires a clear understanding of the cyber risks defined as business outcomes, so they can be clearly understood in the context of your overall business strategy.
Importantly, setting the risk appetite for cyber is about building consensus across the executive team and Board around clear business scenarios and what is tolerable.
Key questions include how much time would you allow business critical services to be down, if at all? What constitutes an ‘unacceptable’ level of financial loss, relative to your annual revenue or EBIT? Ensuring your risk appetite is defined in specific, objective and measurable terms will help your security team build a picture of the trade-offs that are required to meet these goals in terms of the investment in security controls.
The top-level risk dashboards and other reporting/executive statistics you receive need to clearly demonstrate the cyber risks in business terms and reflect the metrics that matter within your organization when it comes to measuring control effectiveness, the accountabilities to deliver against those controls and the understanding of any actions needed to maintain progress against your defined risk targets.
Cyber security assessments can often be laden with technical jargon, lack business context or be too generic to translate into meaningful targets and interventions. It’s therefore important that your organization can distil cyber security risk into an intelligible assessment that can be acted upon by the accountable executive(s).
There should be clear ‘lines of defence’ for cyber risk management, with ownership of the risks and operation of the associated controls being separated from risk management oversight and governance.
This is perhaps even more important for cyber security than in other areas of non-financial risk management, given the complexity of the threat landscape and diversity of the risks, which means that it isn’t always possible to objectively measure control effectiveness. Having a second line of defence to provide objective oversight and challenge on risk assessment and control effectiveness will help to ensure that executives are provided with the highest quality information on which to base business decisions.
At Berkeley, we have experience of helping CROs answer these questions through all stages of their cyber journey. We can help you to:
Discover the key cyber-related questions other members of your leadership team should consider
Strengthen your security and readiness to respond. Read more.
Allocate the right roles and responsibilities. Read more.
Ensuring your supply chain security. Read more.
Know the right questions to ask to cut through the jargon. Read more.
Ensure external stakeholders are satisfied. Read more.
Improve your ability to navigate the cyber landscape. Read more.
Create a culture of security across your organization. Read more.
Share: