
Cyber Risk Oversight

Asking the Right Questions in Boardrooms

India's digital transformation is undeniable, with businesses serving as the engine driving progress. However, this growth narrative comes with a crucial caveat: cybersecurity. As we solidify our position as a global economic powerhouse, our cyber landscape becomes an increasingly attractive target for malicious actors.

The board's expanding mandate: cybersecurity governance

The government and regulators are acutely aware of these threats, and that awareness is translating into a stricter regulatory environment. The Digital Personal Data Protection Act, 2023 (DPDP Act) is one such law: it holds businesses and their leaders directly accountable for safeguarding personal data, and a failure to implement reasonable security safeguards can attract a penalty of up to ₹250 crore.

These developments squarely place the onus of cyber risk management on the shoulders of the board and key stakeholders. But here is the challenge: traditionally, boards have not delved deeply into the technical intricacies of cybersecurity. So, how can they effectively oversee cyber risk management, and be held liable for its outcomes, without becoming cybersecurity experts? The answer lies in a shift in perspective and a return to the first principles of business. The board's expertise lies in risk management, not in the technicalities of firewalls and encryption – they should retain their positions as risk management experts and play to their strengths.

The current challenges for the board

The Board's primary role is to ensure that shareholder value is protected and that the business continues to grow safely. However, the way cybersecurity strategies, outcomes and expectations are reported today often prioritises 'compliance reports' and 'box-ticking exercises' over genuine communication of risk. This overabundance of less-than-critical data can distract boards from identifying and prioritising the most critical cybersecurity threats to their organisation.

The problem is two-fold:

1. Information gap: Often, boards lack the right contextual data to make informed decisions regarding cybersecurity strategy and investment. The information presented may not be tailored to their needs or lack the business context to translate cyber threats into actionable insights.

2. Data challenges: Even when information is available, it may be outdated, siloed within different departments, or presented in a way that is difficult to understand or analyse. This lack of usable data makes it challenging for boards to assess true cyber risk and hinders their ability to demonstrate a robust cybersecurity posture to regulators.

The fundamental understanding of cyber risk management needs to evolve. Today, “risk” is not at the core of cybersecurity, and that needs to change.

Questions all boards should ask their CISOs

To facilitate risk-driven communication, I urge board members and key stakeholders to encourage cyber risk analysis and reporting that places cybersecurity insights in the right context: the financial impact of the identified and potential cybersecurity gaps, along with the likelihood of the risks leading to successful cyber-attacks.

A few questions that the board can initiate to drive this culture of risk-first cybersecurity include:

1. The risk question: What are our organisation's top cybersecurity risks, and how much could they potentially cost our business?

2. The landscape question: How does our cybersecurity posture compare to our peers and competitors?

3. The trade-off question: How confident are we of the effectiveness of our cybersecurity measures against known and emerging risks?

4. The topical question: What visibility do we have over third-party cyber risks, and how are we managing them?

5. The performance question: Are we appropriately allocating resources? Are we spending enough? Or, why are we spending so much?

How to answer the questions with confidence

Transforming how cyber risk is managed starts with changing how it is assessed and measured. A defensible cyber risk management practice is founded upon quantifying cyber risk, and the FAIR™ Institute is the global authority on standardizing how cyber risk should be quantified.

THE FAIR™ MODEL

Factor Analysis of Information Risk (FAIR™) is the only international standard quantitative model for information security and operational risk; it is published as a standard by The Open Group.

Answering tough questions requires CISOs to adopt Cyber Risk Quantification and Management (CRQM) as a fundamental principle of cyber risk management. Here's how CRQM can help you answer the questions:

The risk question: What are our organisation's top cybersecurity risks, and how much could they potentially cost our business?

Current methods of risk categorisation are ineffective: ordinal high-medium-low or red-amber-green ratings cannot be added up across scenarios, compared between business units or translated into a budget, and critics of such risk matrices have called them “worse than useless.” This is where cyber risk quantification can help contextualise cyber risks.

In FAIR terms, “risk” is the probable frequency of a loss event combined with its probable magnitude, which is what allows it to be stated in money rather than in colours. A good example of applying cyber risk quantification to the potential financial impact of a cyberattack is the 2024 breach of UnitedHealth Group's Change Healthcare unit in the USA: the company's own conservative estimate placed losses at $1.6 billion, whereas an estimate using the FAIR approach places them at least double that.

The landscape question: How does our cybersecurity posture compare to our peers and competitors?

Any cyber risk quantification and management solution should carry a repository of defensible industry benchmarks curated through extensive research of publicly available data, so that the organisation's own estimates can be compared against what its sector actually experiences.

This industry benchmarking enables the Board to visualize their business's cyber risk posture, place the agreed-upon cybersecurity risk appetite in a real-world context, and sanction investments to enhance risk resilience.

The trade-off question: How confident are we of the effectiveness of our cybersecurity measures against known and emerging risks?

Controls are how any business safeguards itself against known and unknown cyber risks. However, measuring how much they actually reduce the frequency or magnitude of loss events requires a controls model that ties each control to the risk factor it affects; the FAIR™ framework's Controls Analytics Model (FAIR™-CAM) provides exactly this.

FAIR™-CAM evaluates the control environment and produces prioritised, actionable insights to optimise the business's internal resilience strategy. The CISO can use these insights to communicate the trade-off between risk reduction and business interruption to the Board.

The topical question: What visibility do we have over third-party cyber risks, and how are we managing them?

As third-party cyber risks become as integral as first-party cyber risks, it is important to extend the same principles to third-party risk management. Instead of audit-based compliance activities (questionnaires and outside-in assessments), the CISO or TPRM leader must communicate third-party cyber risks in dollars and cents using cyber risk quantification. Mapping each vendor's risk by the data it holds, the network access it has, and the business interruption its compromise would cause (ransomware, DDoS, etc.) is a significant step towards risk-driven communication with the Board.

The performance question: Are we appropriately allocating resources? Are we spending enough? Or, why are we spending so much?

Cyber risk quantification and management solutions enable the business to prioritise investments and resource allocation decisions by providing an ROI-based view of cybersecurity management. If the Board knows the value at risk in money terms, it can also work out how much cyber insurance cover is needed to transfer that risk. Most companies end up over- or under-purchasing insurance; the only way to size the coverage correctly is to quantify cyber risk.
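The quantification described under the risk, trade-off and performance questions above, and the vendor mapping under the third-party question, can be carried out with a short simulation. The following is an added example, not code from the article, from Safe Security or from the FAIR Institute: it draws loss event frequency and loss magnitude from calibrated low / most likely / high (PERT) estimates as FAIR analyses do, runs a Monte Carlo simulation to produce an annual loss distribution, reports the expected annual loss and a tail percentile of the kind used when sizing insurance cover, and compares the distribution with and without a hypothetical control to give an ROI figure. The scenario names, frequency and magnitude ranges, control effect and control cost are all constructed illustrations, not real figures for any organisation.

```python
"""FAIR-style cyber risk quantification by Monte Carlo simulation.

Added example, not code from the article, Safe Security or the FAIR Institute.
Every number below (frequencies, magnitudes, control effect, control cost)
is a constructed illustration, not data from any real organisation.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario in FAIR's two top-level factors: loss event frequency
    (LEF, events per year) and loss magnitude (LM, money per event), each as
    a calibrated low / most likely / high estimate."""
    name: str
    lef_low: float
    lef_mode: float
    lef_high: float
    lm_low: float
    lm_mode: float
    lm_high: float


# Constructed illustrations: an extortion attack on first-party systems and a
# breach at a vendor that holds customer data (third-party risk).
RANSOMWARE = Scenario("Ransomware on core systems", 0.05, 0.2, 0.5,
                      500_000, 2_000_000, 10_000_000)
VENDOR_BREACH = Scenario("Data breach at payroll vendor", 0.02, 0.1, 0.3,
                         200_000, 1_000_000, 5_000_000)


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution: a Beta rescaled to [low, high] whose
    shape is set by the most likely value, the usual way expert estimates
    are turned into distributions in FAIR analyses."""
    if high <= low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Number of events in one year at mean rate lam (Knuth's method,
    adequate for the small rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=10_000, seed=1, lef_scale=1.0, lm_scale=1.0):
    """Simulate `years` independent years and return the total loss in each.

    lef_scale and lm_scale model a control that reduces event frequency or
    per-event magnitude (1.0 means no control). Seeded, so runs repeat."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = pert(rng, scenario.lef_low, scenario.lef_mode, scenario.lef_high) * lef_scale
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += pert(rng, scenario.lm_low, scenario.lm_mode, scenario.lm_high) * lm_scale
        losses.append(total)
    return losses


def summarize(losses):
    """Board-level figures from an annual loss distribution: expected annual
    loss plus tail percentiles (a p95-style 1-in-20-year loss is one basis
    for sizing an insurance limit)."""
    s = sorted(losses)
    n = len(s)

    def pct(q):
        return s[min(n - 1, int(q * n))]

    return {"expected": sum(s) / n, "p50": pct(0.5), "p90": pct(0.9),
            "p95": pct(0.95), "max": s[-1]}


def control_roi(scenario, annual_cost, lef_scale=1.0, lm_scale=1.0, years=10_000):
    """Compare the scenario with and without a control and express the
    result as annual risk reduction and return on the control's cost."""
    base = summarize(simulate(scenario, years))
    ctrl = summarize(simulate(scenario, years, lef_scale=lef_scale, lm_scale=lm_scale))
    reduction = base["expected"] - ctrl["expected"]
    return {"baseline": base, "with_control": ctrl,
            "annual_risk_reduction": reduction,
            "roi": (reduction - annual_cost) / annual_cost}


if __name__ == "__main__":
    for sc in (RANSOMWARE, VENDOR_BREACH):
        s = summarize(simulate(sc))
        print(f"{sc.name}: expected {s['expected']:,.0f}/yr, "
              f"p95 {s['p95']:,.0f}, worst simulated year {s['max']:,.0f}")
    # Hypothetical control: tested offline backups plus EDR, assumed to cut
    # ransomware frequency by 60% at a cost of 250,000 per year.
    r = control_roi(RANSOMWARE, annual_cost=250_000, lef_scale=0.4)
    print(f"Control cuts expected loss by {r['annual_risk_reduction']:,.0f}/yr, "
          f"ROI {r['roi']:.0%}")
```

Each scenario line answers the risk question (expected annual loss), the p95 figure feeds the insurance part of the performance question, and `control_roi` is the trade-off question in money: the same structure applies to a vendor scenario, where the estimates come from the vendor's data and network access rather than from first-party systems.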

Making cyber risk management a whole-of-business activity

Cyber risk management can no longer remain a back-office activity – it is front and centre of effective business risk management. While the Board and CEO are the decision-makers, the CISO has a crucial role in enabling the Board to make informed cybersecurity decisions. This is only possible if the business leverages the benefits of cyber risk quantification.

The Data Security Council of India has pioneered a FAIR™ Chapter that educates and trains cybersecurity and risk experts to quantify cyber risk. I strongly recommend this certification to all risk leaders.

Author

Mr. Saket Modi

He is the Co-Founder and CEO of Safe Security, an AI and Cybersecurity Risk Quantification and Management platform company.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.

About Publisher

Institute of Directors India

Bringing a Silent Revolution through the Boardroom

Institute of Directors (IOD) is an apex national association of Corporate Directors under India's Societies Registration Act XXI of 1860. It is currently associated with over 30,000 senior executives from Govt, PSU and Private organisations of India and abroad.
