Another group of organizations with decades — if not centuries — of combined cybersecurity experience has promulgated a simple, straightforward set of actionable cybersecurity best practices for financial services companies to follow.
Does the industry need another cybersecurity checklist? A checklist organizes the things an organization should — or must — do. This checklist starts with a strong emphasis on risk, especially for the Board’s role in overseeing cybersecurity. A Board will need significant additional guidance and expertise to answer the questions the checklist asks.
The most important element of the checklist for the Board is the second question:
Has your organization quantified its cyber exposures and tested its financial resilience?
That item — one line in twelve pages — tries to contain the entire exercise of risk quantification, too big a job to be disposed of in a single line. With some explanation and unpacking, this one item solves the puzzle of how to communicate risk so that the cybersecurity program can address value at risk and measure return on cybersecurity investment. Once that’s done, the route to the elusive goal of having a whole-of-organization approach to cybersecurity is clear.
Let’s do a little unpacking to make this clear. The first part of the question above asks whether the organization has quantified its cyber exposure. To do that properly, an organization must establish a quantitative measurement of the impact of a cyber incident. The way businesses quantify the cost of an incident is by asking how much money the organization will have to pay if it happens. The answer to that question is a range — in fact a distribution — rather than an exact amount, and that range differs for different types of loss of control — loss of confidentiality versus loss of availability — and for different types of loss — lost sales versus reputational damage. All of those questions have to be answered, in a consistent way, for each of the information assets, network systems, or other inventoried information systems elements. And that’s only the first half of that question.
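As an added illustration of the quantification described above (not part of the original post), the following Python script takes a constructed, purely illustrative asset inventory with one cell per (loss-of-control type, loss category), draws each event's severity from a lognormal range and the number of events per year from a Poisson frequency, simulates many years, and reports the resulting loss distribution as percentiles and as the probability of exceeding a Board-set threshold. The asset names, frequencies and dollar ranges are assumptions, not data from any real organization.

```python
import math
import random
# Constructed, illustrative inventory (an assumption, not real data): per asset, one cell per
# (loss-of-control type, loss category) with an annual event frequency and a P10/P90 loss range in $.
EXPOSURES = {
    "customer-db": {
        ("confidentiality", "regulatory"):   {"freq": 0.10, "p10": 200_000, "p90": 5_000_000},
        ("confidentiality", "reputational"): {"freq": 0.10, "p10": 100_000, "p90": 2_000_000},
        ("availability",    "lost-sales"):   {"freq": 0.50, "p10": 20_000,  "p90": 300_000},
    },
    "trading-platform": {
        ("availability", "lost-sales"): {"freq": 1.00, "p10": 50_000,  "p90": 1_000_000},
        ("integrity",    "regulatory"): {"freq": 0.05, "p10": 500_000, "p90": 10_000_000},
    },
}

def lognormal_params(p10, p90):
    """Turn a 10th/90th-percentile loss range into lognormal (mu, sigma)."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * 1.2815515655446004)  # z-score at P90
    return mu, sigma

def poisson(rng, lam):
    """Knuth's method: number of events in one simulated year at annual rate lam."""
    k, p = 0, rng.random()
    while p > math.exp(-lam):
        k, p = k + 1, p * rng.random()
    return k

def simulate_annual_loss(exposures, trials=10_000, seed=1):
    """Monte Carlo: simulate `trials` years and return each year's total loss in dollars."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        year = 0.0
        for cells in exposures.values():
            for x in cells.values():
                mu, sigma = lognormal_params(x["p10"], x["p90"])
                for _ in range(poisson(rng, x["freq"])):  # each event draws its own severity
                    year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    return totals

def percentile(totals, pct):
    """Nearest-rank pct-th percentile of simulated annual loss."""
    return sorted(totals)[round(pct / 100 * (len(totals) - 1))]

def exceedance_probability(totals, threshold):
    """Share of simulated years whose total loss exceeds the Board's appetite threshold."""
    return sum(t > threshold for t in totals) / len(totals)
```

The percentiles give the Board the range rather than a single number, and `exceedance_probability` is the figure to benchmark against a stated risk appetite; re-running it after a control change or a new assessment turns the snapshot into a trend.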
Other elements of the checklist also flatten the work a Board must do, so why highlight how thin the risk assessment requirement is? To illustrate, take another checklist requirement for the Board: hire a properly qualified CISO and make sure that person has access to the necessary resources and regularly reports to the Board. This requirement is similarly complicated, but it implicates a set of management tools that the Board already has at its disposal: Boards generally understand how to develop a job description, hire a qualified candidate, and make the necessary management changes to establish the correct reporting relationships and access to resources. A checklist item of this type is sufficient. For cybersecurity risk management, a single line is not.
Boards can get help with this requirement. Consulting firms can provide the necessary guidance, guide the development of a framework to organize the collection of information necessary to quantify risk, and provide a report that benchmarks the risk against the Board’s pre-defined risk appetite. Moving to higher levels of maturity will involve making recommendations for how to cost-effectively reduce the risk, managing those projects, assessing other sources of risk such as supply chain, and then repeating the assessment to see risk in trends rather than merely as a snapshot. Depending on the maturity of the Board and the rest of the organization, a cybersecurity risk assessment can rely on SaaS tools, but these require a sophisticated understanding of risk management and some understanding of how that discipline interacts with cybersecurity.
Foresight Resilience Strategies is here to help! Drop us a line and let’s talk about how to fulfill this cybersecurity checklist item so you can solve the puzzle around quantifying cybersecurity risk.