We all know that becoming a digital business is risky. It is not simply that a greater proliferation of digital technologies opens the door to cyberattacks. It is that the same value business leaders can realize from being digital offers an equal incentive to the cybercriminal. In short, the systemic risk inherent in complex digital business systems is closely linked to the active threats that make up cybersecurity risk.

As we discovered from the recent SolarWinds breach, exploitation of systemic risk is a growing issue in cybersecurity risk governance and management. The outcomes are serious and widespread. Class action litigation against SolarWinds is already underway over its risk disclosures on the systemic risk issues surrounding its products and customers.

Boards have a core responsibility for all risk, and leadership's commitment to setting risk boundaries is fundamental. In 2018, the SEC issued express guidance on cybersecurity risk disclosure, and Delaware Supreme Court Chief Justice Collins J. Seitz Jr. has declared: "Boards must be able to demonstrate credibly that they're thinking proactively about potential systemic risks."[1]

Cybersecurity risk metrics are only half the story in corporate boardroom reporting. Without alignment between business value and the cybersecurity risks threatening that value, corporate directors can't effectively assess and understand their entire risk profile.


Here is where CIOs and CISOs can bridge the gap between practical cybersecurity measures and the business strategy. They need to convey the business value that digital business systems deliver alongside the threats to that value. Doing so helps reduce both litigation risk and business risk, while elevating their standing in their leadership teams' eyes.

Betting on avoiding risk

The International Organization for Standardization (ISO), in its risk management vocabulary (ISO Guide 73), defines risk in these terms:

  • Risk appetite: Amount and type of risk that an organization is willing to pursue or retain.
  • Risk tolerance: The organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.

In layman's terms, risk appetite relates to what is at stake, while risk tolerance relates to the level of risk the company is prepared to accept against that stake. To illustrate with somewhere that is used to high risk, Las Vegas: risk appetite is the amount of money you gamble with, while risk tolerance relates to the games you choose to play.

Playing Keno, a game that can carry a house advantage of up to 40%, shows a much higher tolerance for risk than playing blackjack, where the house advantage can be less than 2%. Betting US$1 chips indicates a lower risk appetite than betting US$100 chips. What you win or lose is a function of both.

Boards need to understand whether they are playing a high-risk or low-risk game with cybersecurity, alongside the amounts at stake in their digital business system. A corporate board will only have a full understanding of cybersecurity risk when these two concepts are aligned.

For instance, knowing the cybersecurity risk metrics specific to an eCommerce system that drives US$1B in annual revenue is far more valuable to the board than just knowing how many phishing e-mails were opened by end-users or how many threats were detected.

Recognizing the specific cybersecurity risks that threaten personally identifiable customer information is useful. But knowing the dollar value of the regulatory fines that could be imposed if that information is exfiltrated gives corporate directors a far more accurate picture of the shareholder and customer value at risk.

Identifying the critical systemic risk issues that extend to customers, and the amount of customer revenue that could be threatened, gives a comprehensive understanding of what is at stake and of the risk levels that the company's products or digital business system introduce to that value.

What’s at stake?

CIOs and CISOs should strive to answer this question in their boardroom reporting: "What is the value of what we are protecting, and how secure is it for what we are spending to protect it?"

Three steps CIOs and CISOs should consider are:

  1. Align cybersecurity risk criteria with boardroom reporting: Cybersecurity risk is a constant battle between the digital business system's ability to deliver value for stakeholders and the risks that could impair those objectives. Whether the digital business system exists to generate revenue, deliver operating margin improvements, improve employee productivity, or offer customer convenience, value and risk must be aligned in boardroom reporting.
  2. Keep it real when assessing cybersecurity risk: Transferring cybersecurity risk through insurance has become common practice. But cybersecurity insurance has created a moral hazard: a false sense of security while actual risk levels have continued to grow. Fast-rising Directors & Officers and cybersecurity insurance premiums are now forcing corporate boards to better understand the realities of the systemic and cybersecurity risks inherent in their digital business systems and what is truly at stake. Moreover, many risks related to digital business systems are not insurable, such as brand impact or far-reaching systemic risks.
  3. Prevention is always better than cure: Stopping attacks, finding breaches faster, fixing breaches quicker, and reducing the impact of breaches are core concepts in cybersecurity risk management. Research from our Third Annual State of Cyber Resilience report indicates that the leaders who do this effectively are up to 4X better at it than others.

In a high-risk environment, leaders who understand both what is at stake with their digital business system and the risks to that stake are best placed for success.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

___

[1] Lewis, Michael J., “Independent Directors Mitigate Legal Risk,” Private Company Director, MLR Media, December 2020 Volume 7 No. 2

Robert Kress

Managing Director – Accenture Security, Global Quality and Risk Lead
