Security By Design- Part 2


In my last post I asked the question: Do you know if your organization is Cyber Secure or Cyber Insecure?

In this post, I will be discussing with you Cyber Risk from the perspective of Business Risk.

Business Risk is the possibility that an event will lead to a shortfall against a company’s objectives, i.e. its current or future economic profits. Pretty much every business today, from small “mom and pop” shops all the way up to massive global multinationals, has a significant to overwhelming dependence on information technology-driven business operations. There is no avoiding the fact that Cyber Risk is a dominant risk category that every business faces.

Cyber Risk is one of the few risks a business faces that has the potential to bring the business to a complete standstill!

Ask yourself this series of questions:

  • Can your business survive a complete shutdown of business operations for 1 day?
  • Can your business survive a complete shutdown of business operations for 7 days?
  • Can your business survive a complete shutdown of business operations for 14 days?
  • Can your business survive a complete shutdown of business operations for 21 days?
  • Can your business survive a complete shutdown of business operations for 28 days?

Is this too hard to imagine?  Change the questions to something like this:

  • Can your business survive a significant shutdown of business operations for 1 day?
  • Can your business survive a significant shutdown of business operations for 7 days?
  • Can your business survive a significant shutdown of business operations for 14 days?
  • Can your business survive a significant shutdown of business operations for 21 days?
  • Can your business survive a significant shutdown of business operations for 28 days?

I have asked this series of questions of business leaders and board members many times.  I have never received the following reply in response:

“We may be impacted for a few days but will be back up and running within 7 days with minimal business interruption and impact.”

Never!  Not once!  The response I normally receive from asking these questions takes one of two forms.  Either a denial that this could ever happen or a non-verbal response involving a lot of uncomfortable facial expressions and body language.

My purpose with these questions is to get your attention.

Cyber Risk is Business Risk

You do not have to take only my word for this fact:

The World Economic Forum lists “Widespread Cybercrime and Cyber Insecurity” among the top 10 global risks over both the short and the long term (two and ten years, as reported in the WEF Global Risks Report 2023 Insight Report).

The Allianz Risk Barometer 2023, another widely cited global industry risk survey, finds cyber incidents to be the #1 risk that businesses face, “reflecting the importance of today’s digital economy, the evolving threat from ransomware and extortion, as well as geopolitical rivalries and conflicts increasingly being played out in cyberspace.  Cyber risk and business interruption (BI) are closely linked with cyber also ranking as the cause of BI (business interruption) companies fear most.” (Allianz Global Corporate & Specialty (AGCS) is a leading global corporate insurance carrier.)

It is my experience that most companies do not ignore risks to their business operations.  What I have experienced, though, is that most companies and leadership teams do not fully understand the cascading, systemic risks that Cyber Risk and Cyber Insecurity present to their organizations.  Many companies address their risks with a Governance, Risk, and Compliance (GRC) approach and support staff, following sound risk assessment practices that result in an annual risk report.  GRC practices have matured in some organizations into an Enterprise Risk Management (ERM) process, often still an annual risk assessment with associated risk reduction and abatement plans.  Further, I see more advanced and integrative practices being adopted under an Integrated Risk Management (IRM) approach, which takes a Value Chain perspective on business risk, more in line with an organization’s extended operations across business units, support functions, extended supply chains, and customer value chains.

Best practice in Integrated Risk Management (IRM) is a structured and disciplined approach that aligns business strategy, processes, technology use, and knowledge for the purpose of evaluating and managing the uncertainties an organization and its value chain face.  IRM recognizes four categories of risk: Strategic Risk, Operational Risk, Financial Risk, and Hazard Risk.

One of the emerging risk management models that takes a fully integrative approach to identifying risk from a corporate director’s and senior leader’s perspective is found in the DIRECTOR™ and RISCX™ models.   The DIRECTOR™ model identifies eight core domains of risk, from a corporate director’s perspective, that govern the health and vitality of an organization’s digital ecosystem.   The RISCX™ model identifies five key causes of systemic risk within and across these domains.  (Digital Directors Network)

The eight domains of the DIRECTOR™ model include Data, Information Architecture, Risk Communications, Emerging Technology, Cyber Security, Third Party, and IT Operations risks.  The key causes of risk failure identified in the RISCX™ model allow the systemic nature of a company’s risks to be assessed from the perspectives of: cross-jurisdictional boundaries (legal, regulatory, geographic), replaceability (of processes, systems, and technologies in the event of a disruption), inter-connectedness (of processes, systems, suppliers, and customers), size, and the overall complexity of the organization. Used together, the DIRECTOR™ and RISCX™ models allow a fully integrative view of systemic business Cyber Risk to emerge and become visible.

The threats posed by Cyber Insecurity, and the systemic Business Interruption caused by Cybersecurity events, can no longer be contained by any one company or organization.  Recognizing this (at long last), the United States Securities and Exchange Commission issued a press release on March 15, 2023:  “The Securities and Exchange Commission today proposed requirements … to address cybersecurity risks.  Market Entities increasingly rely on information systems to perform their functions and provide their services and thus are targets for threat actors who may seek to disrupt their functions or gain access to the data stored on the information systems for financial gain. Cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.”  (https://www.sec.gov/news/press-release/2023-52)

If your organization is a publicly traded company in the United States, a separate SEC proposal (published in March 2022) would require you to disclose your Cyber Risk management policies, practices, and procedures, as well as material cyber incidents, to the SEC.  Insurers already assess the same things when setting your Cybersecurity insurance premiums.

Cyber Disruption equals Business Interruption

If you are a senior Digital / Information Technology leader and you are asked the following question:

“How much security do we need?”

I recommend that you reframe the question around your organization’s tolerance for risk.  I would answer the above question with the following question:

“As a business, what can we/you live without?”

A business leader cannot begin to understand why, and how much, to invest in Cybersecurity to reduce Cyber Insecurity unless they have been given, and understand, a comprehensive view of the systemic cyber-driven business risks and the business impact these risks can inflict on operations today and tomorrow.

A quick test of whether your Cybersecurity / Cyber Insecurity Risk Management practices are adequate: ask yourself the following question.

“When your Threat Intelligence tells you that a Risk Threshold has been reached, who do you tell and what action plan do you implement?”

If your answer to any part of this question is “I do not know,” then you can be assured that your Cybersecurity / Cyber Insecurity Risk Management practices are not adequate to protect your organization.

In my next post, I will provide visibility into risk categories and types, with an emphasis on Cyber Risks, their systemic interconnection with business operations, and their potential impacts on those operations.

Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s.  He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.

DISCLAIMER

Copyright ©2023 by DivIHN Integration Inc. | [email protected].

The creator of the document reserves all rights. Publication Date: May 2023. DivIHN Integration Inc. reserves the right to change the contents of this article, the features or the scope without the obligation to notify anyone of such changes. The content has been adapted using secondary research from various data points via “Google Search”. Infographics and Images used in the document are the property of the respective owners and have been used for indicative purposes only. The author reserves the right to authorize and use the Intellectual Property contained in the document.