Managing a company means managing risk. It is thus inherent in the function of chief executive officers to understand the essentials of the nature of risks and how they are mitigated.
CEOs have long understood the essence of financial risks, market risks, disaster risks, and theft risks. This understanding has allowed them to make sound decisions about how to avoid, mitigate, and recover from such risks. The details are left to experts, but strategic choices are the domain of the CEO because the success of the company often hangs in the balance.
The potential damage from cyberattacks has now reached a threshold that can threaten the very existence of a company. The modern CEO, whose company depends on computers in any significant way, can no longer afford to relegate cybersecurity solely to the IT department. CEOs must bring specialist cybersecurity knowledge into the C-suite, and they themselves must understand the essence of the cybersecurity problem so they can make informed strategic choices.
Engineering Trustworthy Systems, McGraw-Hill (2018), asks and answers five important practical questions that deeply matter to forming sound strategies to mitigate cybersecurity risk.
What do you want? As with all other types of risk, there is no such thing as driving cybersecurity risk to zero. There is always some residual cybersecurity risk, and always a cost to drive the residual risk lower, with some point of diminishing returns.
Know that cybersecurity mitigation costs go beyond monetary costs and include potential impacts on time-to-market, functionality, performance, and usability. Overlooking these hidden costs leads to ill-informed decisions. Ask questions about all potential impacts a cybersecurity solution may have on the business. Demand answers that speak to the company’s mission and bottom line.
The benefit of cybersecurity should be understood in terms of risk reduction over time. As with other risks, cybersecurity risks can be monetized by estimating the monetary harm that can come to the organization from a successful cyberattack, multiplied by the estimated likelihood of the attack happening. This is what actuaries do in other areas of risk and are beginning to do in cybersecurity. Until then, we have to make decisions based on best estimates.
Knowing the full cost of potential cybersecurity measures and having estimated the harm a cyberattack could cause, how do decision-makers determine the most effective mitigation strategies? Should the company invest in better firewalls, malware detectors, an intrusion detection system, or more training for the company’s employees so they do not fall victim to phishing attacks or make unauthorized backdoor connections to the network to “make things more efficient”? Assessing true costs and estimating potential harm gives the tools needed to decide which of these will be most effective, and in which combinations.
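The risk arithmetic described above (expected loss as harm times likelihood, mitigation cost including hidden costs, and diminishing returns from combining measures) is worked through here as an added example that is not from the book or the original article. All dollar figures, likelihoods and effectiveness fractions are constructed for illustration, and the measures are assumed to act independently on the likelihood of a successful attack.

```python
from itertools import combinations

# Constructed, hypothetical baseline: harm from one successful attack and the
# estimated annual likelihood of that attack before any new measures.
BASELINE_HARM = 5_000_000.0      # dollars of harm if the attack succeeds
BASELINE_LIKELIHOOD = 0.20       # estimated probability per year

# Candidate measures: name -> (direct cost, hidden cost, fraction of the
# remaining likelihood the measure removes). Hidden cost monetizes the impact
# on time-to-market, usability, performance, etc. All values are constructed.
MEASURES = {
    "firewall upgrade":    (150_000, 20_000, 0.25),
    "malware detection":   (120_000, 40_000, 0.30),
    "intrusion detection": (200_000, 60_000, 0.35),
    "phishing training":   (50_000, 80_000, 0.40),
}


def expected_loss(harm, likelihood):
    """Annualized expected loss: monetary harm times likelihood of occurrence."""
    return harm * likelihood


def residual_likelihood(baseline, chosen):
    """Likelihood left after the chosen measures, each removing a fraction of
    what remains (assumed independent), which is why returns diminish."""
    p = baseline
    for name in chosen:
        p *= 1.0 - MEASURES[name][2]
    return p


def evaluate(chosen):
    """Full cost (direct + hidden), residual expected loss, and net benefit."""
    cost = sum(MEASURES[n][0] + MEASURES[n][1] for n in chosen)
    residual = expected_loss(BASELINE_HARM, residual_likelihood(BASELINE_LIKELIHOOD, chosen))
    reduction = expected_loss(BASELINE_HARM, BASELINE_LIKELIHOOD) - residual
    return {"chosen": tuple(chosen), "cost": cost,
            "residual": residual, "net_benefit": reduction - cost}


def best_portfolio():
    """Enumerate every combination of measures and keep the highest net benefit.
    Buying everything is not necessarily best once diminishing returns and
    hidden costs are counted."""
    best = None
    for k in range(len(MEASURES) + 1):
        for chosen in combinations(MEASURES, k):
            result = evaluate(chosen)
            if best is None or result["net_benefit"] > best["net_benefit"]:
                best = result
    return best
```

With these constructed figures, two measures (malware detection plus phishing training) beat every larger bundle on net benefit; replace the inputs with the company's own estimates to make the decision explicit rather than inherited from last year's budget.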
What could go wrong? How bad can bad get in terms of cyberattacks on your company? If you do not know, it is important that you find out, soon. If you assume the worst case is not bad enough to wipe out a quarter’s profit in an instant, think twice: this has already happened to hundreds of companies.
When you consider the potential destruction of value, consider the effect that a loss of faith in a company can have on stock prices. Billions of dollars can exit, and recently have exited, a company’s financials overnight as a result of a publicized, successful cyberattack. An independent cybersecurity audit, sometimes called a penetration test or a red team exercise, can be useful to provide input on how bad bad can get.
How much should you invest in cybersecurity? How do you make that determination? Most companies invest about 3 % of their IT expenditures on cybersecurity. Why 3 %? Most could not say, other than it is around what the company invested last year. The level of investment should be based on the risk the organization is willing to tolerate and the stakes involved in a cyberattack. This must be an explicit decision, not a default decision left to chance. Take charge.
How do you mitigate risk? There are many technical and nontechnical ways to mitigate risk. The first step is to understand how existing measures perform and how they may be improved. Many organizations find that significant risk comes from improperly configuring their existing technology or failing to enforce sound security policies. Often, a company can cut its risk in half by following basic procedures and properly configuring its existing technology. A good starting checklist is available from the U.S. Cyber Consequences Unit, at www.usccu.us.
How do you stay secure? Like many other risks, cybersecurity is an ongoing concern that needs to be refreshed and rethought at least annually. IT systems are constantly updated, and their configurations and network connections are continuously expanded. Furthermore, attackers are becoming increasingly sophisticated, so the nature of the threat is constantly evolving. Cybersecurity, like financial health, should be assessed at least annually, if not quarterly.
Have you read?
Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time (McGraw-Hill, July 2018), by O. Sami Saydjari.