Starting on the journey to data-driven cyber risk reporting

The cyber threat landscape is complex and continuously changing – risk reporting based solely on cyber security controls compliance is no longer enough. Reports need to be threat and risk focused and data-driven, showing incremental improvements and value from investments.

The challenge is that most organisations struggle to answer fundamental questions, such as what needs to be secured, what cyber risk data to measure, and the likely impact of a security incident. As a result, they are failing to get a return on their cyber security spend.

According to a recent PwC global survey, more than half (55%) of business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks. Effective cyber risk reporting helps give key stakeholders – such as the board or regulators – a level of assurance that the right decisions are being made.

Furthermore, boards increasingly acknowledge that cyber risks are impacting other areas of their organisation. For example, strategic decisions to address ESG (environmental, social and governance) initiatives might be closely linked to activities to mitigate cyber threats, including increasing digital trust and the protection of national infrastructure. By quantifying cyber risk and its impact on other areas, organisations can better demonstrate how their cyber security spend helps to mitigate emerging threats and supports their strategic goals.

Effective cyber security governance

Effective cyber risk management requires proactive governance from senior executives. This is very different from the reactive governance that is commonplace in most organisations.

Reactive governance typically involves the CISO or CIO being challenged on the metrics they present regarding the effectiveness of security controls and the business’s exposure to certain cyber threats. The assumption is that the CISO or CIO can keep the business secure given the right investment. That is extremely hard when the business keeps changing (e.g. M&A, launching new products, entering new markets, outsourcing, digitisation, and so on). The security function ends up playing whack-a-mole as it strives to secure an ever-expanding and increasingly complex attack surface. This is a common reason why cyber risks are stuck in a red or amber status despite material investment in this space, much to the frustration of the senior executives.

Proactive governance means the executive leadership plays an active role in making the business more securable. Every major business decision has implications for cyber risk. Being proactive, however, requires two things:

  1. a good level of understanding of cyber risk by the executive, and
  2. access to management information that clearly articulates how the organisation’s attack surface is changing (e.g. high-risk users, critical applications and suppliers, digital channels, etc.) and the coverage of the associated security controls.

The executive committee needs to own the challenge of making the business more securable.

Challenges with communicating with the C-suite

Depending on the organisation, CISOs can often be too busy firefighting incidents to take a step back and address the wider picture. Executive reports often focus on what can be reported rather than what should be reported, which can result in a misunderstanding of the true cyber risk exposure.

Existing risk processes and tooling can also be a limiting factor and often need improvement before cyber risk can be managed and reported on effectively. For example, many existing governance, risk and compliance tools are not customisable enough to report to the C-suite on the relationship between a risk, a threat and a control.

Getting started with cyber risk reporting: a focus on pragmatism

Organisations that embark on a cyber risk management journey should start by understanding their level of maturity and establishing the key building blocks – including identifying and setting up the inter-relationships between risks, threat scenarios, key controls and metrics. Effort should then be spent on creating a dynamic dashboard visualising those building blocks and implementing a pragmatic approach for risk and control measurement. This is often done using a flexible business intelligence analytics tool, such as Tableau or Microsoft Power BI.

Pragmatism is key to ensuring the dashboards do not become “shelfware”, but instead are practical and sustainable. Key aspects to pragmatism include:

  1. Moving away from reporting on every metric and control, and focusing only on the key ones.
  2. Leveraging point-in-time maturity assessment data where operational data is not currently available.
  3. Building a pragmatic risk model which enables automation and real-time updates, and is flexible enough to evolve over time.

The CISO can then create dynamic dashboards linking risk alerts to the underlying data including threats, attack surface, capabilities and metrics to robustly support the messaging to the board.

Another quick win is to link cyber security projects to the key building blocks mentioned above, creating a dashboard that enables a pragmatic prioritisation of cyber investments.

Taking cyber risk reporting to the next level

Once the foundations are in place and a dynamic dashboard is implemented, risk measurement can be made more robust and less subjective.

The aim should be to develop what we call ‘continuous cyber risk monitoring’, using a dynamic dashboard updated from source data, i.e. using security tooling for continuous controls monitoring and real-time threat intelligence to update threat and risk scores.

The benefits of achieving this next level of cyber risk reporting include:

  • Improving control monitoring through source tools where possible.
  • Improving risk measurement by introducing risk quantification models (i.e. replacing a basic red, amber and green status with quantified loss estimates, timelines and scenario planning).
  • Using automation to enable continuous risk reporting instead of having to chase employees to update data manually, helping to reduce time and effort.
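As an added illustration (not the platform this page refers to, nor PwC’s own code), the following Python sketch turns the building blocks described earlier into data: a risk links to threat scenarios, each scenario to its key controls, and each control to metrics fed from source tooling. Residual likelihood and impact fall with control coverage, the risk is reported both as an annual expected loss against a board-set appetite and as the RAG band that figure maps to, and a what-if function ranks controls by the loss they would remove at full coverage, which is the investment prioritisation view mentioned above. All control names, effectiveness factors, likelihoods, impacts and the metric feed are constructed assumptions, not figures from the page.

```python
"""Toy cyber risk model: risk -> threat scenarios -> key controls -> metrics.

Added example, not the page's platform. Metric values would normally be pulled
from source tooling (IdP, EDR console, backup system); here they are constructed.
Effectiveness factors, likelihoods and impacts are illustrative assumptions.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Metric:
    name: str
    value: float   # latest observation from the source tool, as a 0..1 fraction
    target: float  # the value that counts as full coverage


@dataclass
class Control:
    name: str
    metrics: List[Metric]
    likelihood_reduction: float  # cut in scenario likelihood at full coverage (assumed)
    impact_reduction: float      # cut in scenario impact at full coverage (assumed)

    def coverage(self) -> float:
        """Mean attainment of each metric against its target, capped at 1."""
        if not self.metrics:
            return 0.0
        return sum(min(m.value / m.target, 1.0) for m in self.metrics) / len(self.metrics)


@dataclass
class ThreatScenario:
    name: str
    base_likelihood: float  # events per year from threat intel, before controls
    impact_gbp: float       # loss if the scenario plays out with no mitigation
    controls: List[Control]

    def residual_likelihood(self) -> float:
        lik = self.base_likelihood
        for c in self.controls:
            lik *= 1.0 - c.coverage() * c.likelihood_reduction
        return lik

    def residual_impact(self) -> float:
        imp = self.impact_gbp
        for c in self.controls:
            imp *= 1.0 - c.coverage() * c.impact_reduction
        return imp

    def annual_expected_loss(self) -> float:
        return self.residual_likelihood() * self.residual_impact()


@dataclass
class Risk:
    name: str
    scenarios: List[ThreatScenario]
    appetite_gbp: float  # tolerable annual expected loss, set by the board

    def annual_expected_loss(self) -> float:
        return sum(s.annual_expected_loss() for s in self.scenarios)

    def rag(self) -> str:
        """Coarse status for the board pack: green within appetite, amber up to 2x."""
        ael = self.annual_expected_loss()
        if ael <= self.appetite_gbp:
            return "green"
        if ael <= 2 * self.appetite_gbp:
            return "amber"
        return "red"

    def apply_metric_feed(self, feed: Dict[str, float]) -> None:
        """Automated update: overwrite metric values from a source-tool export."""
        for s in self.scenarios:
            for c in s.controls:
                for m in c.metrics:
                    if m.name in feed:
                        m.value = feed[m.name]

    def investment_benefit(self) -> Dict[str, float]:
        """Expected-loss reduction if each control were brought to full coverage."""
        out: Dict[str, float] = {}
        for name in {c.name for s in self.scenarios for c in s.controls}:
            trial = copy.deepcopy(self)  # what-if copy; shared controls stay shared
            for s in trial.scenarios:
                for c in s.controls:
                    if c.name == name:
                        for m in c.metrics:
                            m.value = m.target
            out[name] = self.annual_expected_loss() - trial.annual_expected_loss()
        return out


def build_sample_risk() -> Risk:
    """Constructed sample: three key controls feeding two threat scenarios."""
    mfa = Control("MFA on remote access", [Metric("mfa_enrolled_fraction", 0.8, 1.0)], 0.75, 0.0)
    edr = Control("EDR agent deployed", [Metric("edr_agent_fraction", 0.9, 1.0)], 0.5, 0.0)
    backups = Control("Backups restore-tested", [Metric("restore_tests_passed", 0.5, 1.0)], 0.0, 0.8)
    ransomware = ThreatScenario("Ransomware via phished credentials", 0.5, 4_000_000, [mfa, edr, backups])
    bec = ThreatScenario("Business email compromise", 1.0, 250_000, [mfa])
    return Risk("Financial loss from credential-based attacks", [ransomware, bec], appetite_gbp=200_000)


if __name__ == "__main__":
    risk = build_sample_risk()
    print(f"{risk.name}: AEL £{risk.annual_expected_loss():,.0f} ({risk.rag()})")
    for ctrl, gain in sorted(risk.investment_benefit().items(), key=lambda kv: -kv[1]):
        print(f"  full coverage of '{ctrl}' would cut AEL by £{gain:,.0f}")
    # Simulated feed from the identity provider: MFA enrolment has risen to 95%.
    risk.apply_metric_feed({"mfa_enrolled_fraction": 0.95})
    print(f"after feed: AEL £{risk.annual_expected_loss():,.0f} ({risk.rag()})")
```

With the sample figures the risk sits at roughly £364k annual expected loss, amber against a £200k appetite, and the what-if ranking puts restore-tested backups ahead of MFA and EDR, which is not obvious from a controls-compliance view. After the feed lifts MFA enrolment to 95% the expected loss drops to about £262k but the RAG band stays amber: that is the incremental improvement a quantified figure shows and a colour does not.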

By improving cyber risk reporting, organisations can have more robust strategic conversations – both internally and with regulators – about the attack surface, their vulnerabilities, and how cyber investments are prioritised to manage the risk. This will also improve the organisation’s understanding of its cyber risk appetite, and strengthen strategic business decisions including mergers and acquisitions, divestments and investments.

To find out more information on how we can help you improve your cyber risk reporting capability through our proven Cyber Risk Reporting Platform, please contact us directly.

Contact us

Alex Petsopoulos

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0)7941 454210

Philippe Korur

Cyber Security Director, PwC United Kingdom

Tel: +44 (0)7526 179709