Focal Point Data Risk released the second annual Cyber Balance Sheet Report, a closely watched research study using in-depth surveys and interviews of corporate board members and CISOs to offer a rare window on the state of cyber risk management in the boardroom. The Report is independently produced by the Cyentia Institute, a cybersecurity research firm, co-founded by Dr. Wade Baker, widely known for creating the landmark Verizon Data Breach Investigations Report (DBIR).
This year’s report findings reveal a complex risk management sequel to the inaugural 2017 edition, which tracked cyber risk as an escalating oversight issue among boards. The 2018 report reveals that wider awareness of risks – including third-party data breaches, ransomware and geopolitical conflicts – spurs more security dialogue in the boardroom. However, C-Suite and security leaders struggle to frame risk in productive decision-making terms and keep an eye on whether companies are operating within their proper risk appetite.
“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership,” said Andrew Cannata, Focal Point’s CISO and national Cyber Security Practice leader.
The Report organizes CISO and executive insights along seven key “balance points” that reveal key differences on issues, including how boards view cybersecurity as a unique risk or extension of other hazards, different metrics and reporting structures boards and CISOs use in briefings, varying approaches to identifying risk appetite and exposure and what board members say instills satisfaction and confidence in security programs.
Many organizations have not formally established a cyber risk appetite
Risk appetite is defined as the amount and type of risk an organization is willing to accept. It is the responsibility of boards and C-level executives to weigh risk appetite against growth opportunities. Yet fewer than half of participants could describe their risk appetite quantitatively, preferring qualitative terms such as “very low” instead. This makes it difficult to identify and track risk appetite over time as business and technology forces continually change operations.
More metrics can muddy what matters most
“Security incidents and losses,” “compliance status” and “security program maturity” are the top three most-reported metrics to the board. Surprisingly, “third-party and supply chain,” “risk appetite” and “external threat trends” were reported less frequently – despite their urgency for decision-making and frequency in data breach headlines.
Finding the magic “return on reporting”
The report objectively looks at reporting and conversation topics in the boardroom, using visualizations to chart their frequency of occurrence versus the depth of resulting dialogue and reported value. For example, “compliance” is one of the most frequently reported topics, but respondents give compliance a particularly poor “return on reporting,” because it ultimately spurs little discussion and value. Conversely, “security governance and resources” surfaces less frequently, though participants report more conversations and greater value around the topic.
“This latest report shines a light on remarkable progress and stakes surrounding how boards and security teams interface and support one another,” added Baker, the lead Cyber Balance Sheet Report researcher. “The data show cyber risk is still an emerging area for boards with more experience facing other existential threats. However, there is wider recognition that IT is a risk vector for everything that keeps leaders up at night, from regulatory issues and protecting trade secrets to reputational matters and avoiding lawsuits. The report shows we are crossing a key threshold where boards realize that requesting metrics and asking more security questions only helps to a point. The new premium is on each board, C-Suite and security team determining the most important issues for them to productively set their risk appetite course and navigate appropriately.”