Cyber is simple - it's just business risk
As the volume, velocity and variety of cyber attacks increase on a near-exponential scale, it's clear that every modern business needs to consider cyber security as part of the successful conduct of the business. The problem facing so many contemporary organisations is where and how to give it that due consideration. I believe that this is due to the technical aspects of cyber: "It's a 1s and 0s thing, therefore the techies in IT can handle it". But cyber is not a 1s and 0s challenge facing a modern business; cyber security is quite simply a risk issue for any organisation that uses digital technology in any way in the conduct of trading (i.e. the vast majority of businesses in existence today). It almost sounds too easy, right? Cyber is just yet another risk for any organisation to deal with in the pursuit of success. This then makes it very easy to figure out that cyber isn't an issue for middle management, or for the IT team.
Cyber is an issue for the executive leadership of the organisation.
Executive leadership of any organisation can take many different forms, but many, if not most, organisations have some sort of executive "board" comprised of the senior cross-disciplinary experts in their fields, so for the purposes of the rest of this article we'll refer to this executive leadership team as "the board".
And again, many people like to see the role of the board as an overly complex set of activities, but really it's quite simple. The role of the board in any organisation is to:
- maximise the profits of the organisation;
- manage the risk to the organisation; and
- do so while following the statutory and criminal laws in the land(s) where they trade.
Boards are used to dealing with all sorts of risk -- they do it every day. The list of risks facing a company is long, and includes areas like financial, commercial, market, competition/substitution, regulation, geopolitical, workforce, brand, etc. These are all areas of potential risk for any given board to navigate in the pursuit of success. I'd argue that cyber is no different; it is just another risk to add to the list of external or internal factors that could negatively impact the success of the business.
I often hear the challenge: "But cyber is technical; a board of senior people couldn't possibly understand the complexity and nuance of the technology enough to manage that risk sensibly". In this context, I think that is a strange approach. Would a board say the same thing about financial risks, or market risks? What board says "the finances of the business are too complex to understand, so we will either ignore them or let middle managers handle them"? I'd argue none do, and if they do, they aren't going to be in business very long. Yet this is the argument we hear about cyber all too often.
I believe the difference stems from the fact that boards are comfortable talking about those other risks because those non-cyber risks have been facing boards for millennia, and as such are known quantities. But cyber is relatively new to the fray and thus is less well known and understood, and so many boards struggle to find a compelling way to understand, qualify, and most importantly manage that risk. When we at Red Maple talk to executive boards about cyber, whether that board is mature in its cyber thinking or not, we use a very simple formula as a means of understanding that risk:

risk = threat + vulnerability + impact
Now, don't go trying to put numbers in there -- it won't yield a numeric quantity as an output (nor should it -- risk is more organic than that and shouldn't be relegated to a number on a spreadsheet). This formula is nothing more than a framework for building board-level understanding of cyber. To give some detail on each variable in that equation:
- Threat is the existential threat to your business posed by cyber actors inside or outside your business. Again, many people struggle to understand threat, but we have a simple formula for that too: threat = capability + intent. The challenge is that very powerful malicious tools are becoming all too available to those nefarious souls who know how to look for them, so the capability variable can be quite high. Which leads to the second variable: intent. There are many reasons why a malicious actor might be interested in harming your company, but sometimes it's the complete lack of motive that is the hardest to understand and see coming -- those malicious actors who are in it just for the sport of it. So unfortunately, intent can be quite high as well. The bottom line is that most modern businesses will be facing some level of cyber threat on a day-to-day basis.
- Vulnerability is simply how open your business's systems are to external or internal malicious cyber activity. You will often hear cyber professionals talk about a firm's "attack surface"; this is just jargon for the sum total of all the various cyber vulnerabilities your organisation has across its systems. Understanding your business's aggregate vulnerability can be a bit of a challenge, but luckily there is guidance available on how to characterise and qualify it. I'll write a separate article about vulnerability management in the coming weeks; watch this space.
- Impact is simply the detrimental effect that a cyber event would have on your business. This impact is likely to vary depending on the specific system in question, which is why it is important for a business to understand its assets (i.e. the things the business uses to generate wealth). In that asset list will be some that are more critical to the successful conduct of the business than others; these are the "critical assets" of the business, and the ones that will need more attention to protect and defend from cyber threats.
Like I said, it's not a numeric calculus, but the concept of risk = threat + vulnerability + impact is a useful way for board-level executives to get their heads around cyber risk.
While I think it's important to understand and qualify cyber risk, I'm not in any way advocating avoiding risk altogether. As with anything else, there is money to be made in taking calculated and informed risks, which is why businesses exist in the first place. Cyber is no different; the magic is in knowing how to perform the cyber risk calculus with a degree of certainty. In this, one of the critical pieces of the jigsaw is for a board to understand its risk appetite: how much risk it is comfortable carrying in order to trade successfully without incurring unnecessary cost. As with any risk/reward calculation, though, it's certainly possible to get that calculus wrong and end up on the wrong end of a costly recovery.
And that leads me to my final point: while understanding cyber risk can lead to systems, policies and procedures that prevent attacks and protect the business from cyber threats, there is no such thing as a 100% solution. So don't put all of your eggs in the "prevention" and "detection" basket; make sure you have a plan to deal with a cyber event when it does get through your defences. More on this another day.
If you are a company that could do with some help understanding, qualifying and managing your cyber risks, please get in touch:
www.redmaple.tech | [email protected] | +44 (0)7583003103