Cyber risk management: leadership’s responsibility

Decisions about new products, markets, suppliers, etc., come down to leadership’s priorities regarding risk

Maeve Dion

Leaders are the chief risk managers of any organization. Decisions about new products, markets, suppliers, etc., come down to leadership’s priorities regarding risk.

Leadership holds topmost responsibility for cyber risk management.

Yet many leaders – while experts in their own domains – have little experience in articulating how their risk preferences should influence the organization’s use of technology.

This article helps situate cyber risk management as a leadership responsibility, no matter the leader’s cyber experience.

Definitions

Using the ISO 31000 standard, which defines “risk” as “the effect of uncertainty on objectives,” we see that risk can result in positive effects (e.g., succeeding with an expansion into new markets) or negative effects (e.g., failing to build sufficient layers of guarantees into a new vendor contract).

When we think about “cyber,” we often mean those technologies that:

  • encompass information & network activities, control systems, and all future evolutions of science;
  • enable our economic, governmental, and societal activities; and
  • act as a conduit or facilitator of actions that can cause harm in our physical domain.

The “security” part of cybersecurity, which is included in cyber risk management,

  • can be defined as a state of being free from danger or harm, and the actions taken to achieve that state;
  • may be a component of the success or failure of our objectives (the existence of danger/harm may impact our ability to succeed or may increase the costs/resources to obtain our objectives); and
  • is fundamental to our western democratic societies (an obligation of the government; and a condition precedent for the exercise of freedoms).

For cybersecurity, we need to think about how technology facilitates both threats and solutions to security, and about how security facilitates our societal evolution and our organizations’ successes.

Common usages of “management” include those processes, techniques, investment, and supervision/direction that prioritize and structure everyday activities with the goal of achieving desired outcomes.

Based on the above definitions and decades of work in this field, my working definition of “cyber risk management” is therefore:

  • The use of commitments, policy, tools, and practices that (a) keeps our technological systems, organizations, and societies free from danger or harm and (b) maximizes opportunities for achieving our objectives.

Starting questions

Leaders define and articulate what their priorities and tolerances are regarding cyber risk for their organizations. Bringing this down to the level of risk analysis for any important supply chain/service and focusing on the business impact, key cybersecurity questions to address may include:

  • Which technologies or services are more critical than others for the organization? (e.g., relating to payroll, communications, inventory, manufacturing, data management, etc.)
  • For each of these services/technologies: How long can the organization tolerate deterioration (lower quality or less speed) or an outage?
  • What are the options for backup/secondary providers, and what are the steps (and timeframes) required to make the switch or bring in replacements?
  • What are the costs (in time and money) for the above actions?
  • What are the costs of non-action?
  • What opportunities may be foregone due to these cybersecurity-related decisions?

The leadership approach: a system

There are various supports available to help with the risk analyses in answering the above questions (from consultants to self-help via standards, worksheets, and checklists).

A key takeaway is: Cyber risk management is an ongoing system. It’s not just having a policy or a plan, nor answering these “starter” questions once and moving on.

Just like the management of any other kind of risk, leaders need to systematize cyber risk management within an organization. Given the potential negative business impact of poorly managed cyber risk, it is not sufficient to leave cybersecurity to the “IT Team” or to a mid-level employee who is not skilled in or aware of the leadership’s organizational risk tolerances or priorities.

Leadership manages cyber risk by asking these tough questions, working on the analyses, making sure that the resulting risk tolerances and priorities are clearly communicated and integrated into vendor contracts and in-house business activities, and then ensuring that ongoing governance/oversight, policies, and procedures help to maintain proper situational awareness regarding initiatives or relationships that may diverge from those risk tolerances and priorities.

There are layers of methodologies and techniques for cyber risk management, and this article touches only on a few fundamental points regarding leadership’s approach. The mindset is key: an organization’s leadership is responsible for all its risks, including cyber risks.

Prof. Maeve Dion founded and directs the Cybersecurity Policy & Risk Management master’s degree at the University of New Hampshire.