Aligning business value in cybersecurity reporting
March 8, 2021
We all know that becoming a digital business is risky. It’s not simply that a greater proliferation of digital technologies opens the door to cyberattacks. It’s the fact that the same value that business leaders can realize from being digital offers an equal incentive for the cybercriminal. In short, systemic risk, inherent in complex digital business systems, is closely linked to the active threats of cybersecurity risk.
As we discovered from the recent SolarWinds breach, systemic risk exploitation is a growing issue in cybersecurity risk governance and management. The outcomes are serious and widespread. Class action litigation is already underway at SolarWinds related to risk disclosures on systemic risk issues surrounding its products and customers.
Boardrooms have a core responsibility for all risk, and leadership’s commitment to setting risk boundaries is fundamental. In 2018, the SEC issued express guidance on cybersecurity risk, with Delaware Supreme Court Chief Justice Collins J. Seitz Jr. declaring: "Boards must be able to demonstrate credibly that they're thinking proactively about potential systemic risks."[1]
Cybersecurity risk metrics are only half the story in corporate boardroom reporting. Without alignment between business value and the cybersecurity risks threatening that value, corporate directors can't effectively assess and understand their entire risk profile.
Here’s where CIOs and CISOs can bridge the gap between practical cybersecurity measures and the business strategy. They need to convey the business value that digital business systems deliver alongside the threats to it. This will help reduce litigation risk and business risk, while elevating themselves in their leadership teams' eyes.
The International Organization for Standardization (ISO) defines risk in these terms:
In layman's terms, risk appetite relates to what's at stake, while risk tolerance relates to the risks that the company accepts to that stake. To illustrate with an example from somewhere used to high risk, Las Vegas: risk appetite is the amount of money you gamble with, while risk tolerance relates to the games you choose to play.
Playing Keno, a game that can have a house advantage of up to 40%, shows a much higher tolerance for risk than playing blackjack, where the house advantage can be less than 2%. Betting US$1 chips indicates a lower risk appetite than betting US$100 chips. What you win or lose is a function of both factors.
Boards need to understand whether they are playing a high-risk or low-risk game with cybersecurity alongside the amounts at stake when it comes to their digital business system. A corporate board will only have a full understanding of cybersecurity risk when these concepts are aligned.
For instance, knowing the cybersecurity risk metrics specific to an eCommerce system that drives US$1B in annual revenue is far more valuable to the board than just knowing how many phishing e-mails were opened by end-users or how many threats were detected.
Recognizing the specific cybersecurity risks that threaten personally identifiable customer information is useful. But knowing the dollar value of the regulatory fines that could be imposed if that information is exfiltrated gives corporate directors a far more accurate picture of the potential impact of that risk on shareholder and customer value.
Identifying the critical systemic risk issues that extend to customers and the amount of customer revenue that could be threatened offers a comprehensive understanding of what's at stake and the risk levels that the company's products or digital business system introduce to that value.
CIOs and CISOs should strive to answer this question in their boardroom reporting: "What's the value of what we're protecting, and how secure is it for what we're spending to protect it?"
Three steps CIOs and CISOs should consider are:
In a high-risk environment, leaders who understand both what's at stake with their digital business system and the risks to that stake are best placed for success.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.
___
[1] Lewis, Michael J., “Independent Directors Mitigate Legal Risk,” Private Company Director, MLR Media, December 2020, Volume 7, No. 2.