The cyber threat landscape is complex and continuously changing – risk reporting based solely on cyber security controls compliance is no longer enough. Reports need to be threat and risk focused and data-driven, showing incremental improvements and value from investments.
The challenge is that most organisations struggle to answer fundamental questions, such as what needs to be secured, what cyber risk data to measure, and the likely impact of a security incident. As a result, they are failing to get a return on their cyber security spend.
According to a recent PwC global survey, more than half (55%) of business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks. Effective cyber risk reporting helps give key stakeholders – such as the board or regulators – a level of assurance that the right decisions are being made.
Furthermore, boards increasingly acknowledge that cyber risks are impacting other areas of their organisation. For example, strategic decisions to address ESG (environmental, social and governance) initiatives might be closely linked to activities to mitigate cyber threats, including increasing digital trust and the protection of national infrastructure. By quantifying cyber risk and its impact on other areas, organisations can better demonstrate how their cyber security spend helps to mitigate emerging threats and supports their strategic goals.
Effective cyber risk management requires proactive governance from senior executives. This is very different from the more reactive governance that is commonplace in most organisations.
Reactive governance typically involves the CISO or CIO being challenged on the metrics they present regarding the effectiveness of security controls and the business’ exposure to certain cyber threats. The assumption is that the CISO or CIO can keep the business secure given the right investment. That is extremely hard when the business keeps changing (e.g. M&A, launching new products, entering new markets, outsourcing, digitisation, and so on). The security function ends up playing whack-a-mole as it strives to secure an ever-expanding and increasingly complex attack surface. This is a common reason why cyber risks remain stuck in a red or amber status despite material investment in this space, much to the frustration of senior executives.
Proactive governance means the executive leadership plays an active role in making the business more securable. Every major business decision has an implication on cyber risk. To be proactive, however, requires two things:
The executive committee needs to own the challenge of making the business more securable.
Depending on the organisation, CISOs can often be too busy fire-fighting incidents to take a step back and address the wider picture. Executive reports often focus on what can be reported rather than what should be reported, which can result in a misunderstanding of the true cyber risk exposure.
Existing risk processes and tooling can also be a limiting factor and may need improvement before cyber risk can be managed and reported on effectively. For example, many existing governance, risk and compliance tools are not customisable enough to report to the C-suite on the relationship between a risk, a threat and a control.
Organisations that embark on a cyber risk management journey should start by understanding their level of maturity and establishing the key building blocks – including identifying and setting up the inter-relationships between risks, threat scenarios, key controls and metrics. Effort should then be spent on creating a dynamic dashboard visualising those building blocks and implementing a pragmatic approach for risk and control measurement. This is often done using a flexible business intelligence analytics tool, such as Tableau or Microsoft Power BI.
Pragmatism is key to ensuring the dashboards do not become “shelfware”, but instead are practical and sustainable. Key aspects to pragmatism include:
The CISO can then create dynamic dashboards linking risk alerts to the underlying data, including threats, attack surface, capabilities and metrics, to robustly support the messaging to the board.
Another quick win is to link cyber security projects to the key building blocks mentioned above, creating a dashboard that enables a pragmatic prioritisation of cyber investments.
Once the foundations are in place and a dynamic dashboard is implemented, risk measurement can be made more robust and less subjective.
The aim should be to develop what we call ‘continuous cyber risk monitoring’, using a dynamic dashboard updated from source data, i.e. using security tooling for continuous controls monitoring and real-time threat intelligence to update threat and risk scores.
The benefits of achieving this next level of cyber risk reporting include:
By improving cyber risk reporting, organisations can have more robust strategic conversations – both internally and with regulators – about the attack surface, their vulnerabilities, and how cyber investments are prioritised to manage the risk. This will also improve the organisation’s understanding of its cyber risk appetite, and strengthen strategic business decisions including mergers and acquisitions, divestments and investments.
To find out more information on how we can help you improve your cyber risk reporting capability through our proven Cyber Risk Reporting Platform, please contact us directly.
Philippe Korur
Senior Manager - Cyber Risk Reporting, Cyber Security, PwC United Kingdom
Tel: +44 (0)7526 179709