resilience (n.)
1620s, "act of rebounding or springing back." From Latin resiliens, "to rebound, recoil," In physical sciences, the meaning "elasticity, power of returning to original shape after compression, etc." by 1824. – Online Etymology Dictionary
The Risk Of Isolation in the not too distant past, when capital flowed and postponing profitability was a badge of honor, finance teams transferred risk and security teams mitigated it – often in complete isolation. They didn’t align their objectives – nor were they motivated to do so. After all, times were good and nobody seemed to care – until now.
– Fitch Ratings
“Corporate and infrastructure cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks owing to economic uncertainty… Cybersecurity investment is not immune to overall budget cuts that could increase downside risk of attacks”
Due to severe financial headwinds, security budgets are now scrutinized and the value of insurance is brought into question. This is also done in isolation – which courts catastrophe. As budgets for security controls get cut, the likelihood of compromise grows. Similarly, as insurance investment shrinks, the likelihood of loss grows. One cost-cutting effort compounds the other.
The Need For Shared Objectives
When isolation of responsibility and financial duress meet, it naturally leads to cost cutting. The knife will be raised without an integrated view of the cost of risks to the organization being calculated. Leadership calls it risk acceptance. But can risks truly be accepted that haven’t been calculated? No. That’s nothing more than unstructured worry, as one praying to Fortuna (lady luck) hoping to avoid a bad day. The good news is that you can structure and manage your worries. It requires finance and security to share, align, and prioritize strategic objectives. Those objectives consider how business opportunity and risk mitigation work together – particularly when under duress - and support making informed trade-offs when necessary. We call this alignment of objectives Cyber Resilience.
The Call To Cyber Resilience
To be successful in this digital economy, a company must now be Cyber Resilient and integrate its risk mitigation, risk acceptance, and risk transfer so it can take a hit without impacting its ability to deliver value. This requires operating from a core set of principles and practices that tear down the walls of isolated objectives, leading to an integrated and economically efficient approach to managing cyber risk.
The Five Principles Of Cyber Resilience
Cyber Resilience tolerates losses – within limits. This is different to most security strategies, which portray complete loss elimination as an end goal. Operating with shared, aligned, and prioritized objectives reveals what the business can tolerate to lose – without incurring operational disruption. For example, “With this configuration of controls, we can live with a 5% chance of losing $10 million and a 1% chance of losing $25 million…”
Cyber Resilience connects security with insurance – avoiding silos. Security investments reduce the likelihood of loss. Insurance investments reduce impact. They work together (as opposed to in isolation) to keep risk within tolerance. That means they consider both the probabilities and dollar-based impacts expressed above as important trade-offs.
Cyber Resilience seeks capital efficiency - while preventing hazards. Over or under investing in protection leads to distraction— or worse. The former takes needed capital away from important business opportunities. The latter (negligence) threatens the business with outsized losses. Resilience optimizes return on controls and insurance so you can keep risk within your tolerance. The goal is to have a set of
rank-ordered strategies that satisfy your needs while avoiding the pitfall of moral hazard.
Cyber Resilience makes cybersecurity visible – so it can be managed. Keeping risk within tolerance requires seeing what’s coming, counting the costs, and responding in kind. This starts with the integrated trio of threat intelligence, vulnerability management, and incident response. Security data is analyzed in relation to the financial losses your business may face. Losses include things like: a data breach, business disruption, extortion, wire-fraud and more. Analysis leads to optimized decisions – decisions that cut across investment strategies and day-to-day security operations.
Cyber Resilience incentivizes cyber hygiene – by maximizing ROI. What is good cyber hygiene? It’s security controls that target the value at risk. It’s also controls that meet industry standards – thus avoiding the perception of moral hazard. Control acquisition and rollout is rank ordered based on return on investment (ROI). High ROI controls reduce the most loss at the lowest cost. Maximizing ROI allows for more controls spread across more risks – which leads to better cyber hygiene. As an added bonus, demonstrable cyber hygiene leads to better insurance terms.
The Practices Of Cyber Resilience
If you want to be a cyber resilient leader, you need to not only embrace the principles of cyber resilience – you must develop the following practices:
Risk Superforecasting: Cyber resilient leaders are trained (like bookies) in risk forecasting. They use their forecasting skills to make accurate measurements and judgements about important (and often uncertain) events that can affect key objectives.
Calculating Value at Risk: Cyber resilient leaders know how to accurately gauge the potential losses they face from threats. Using superforecasting skills they assess the probabilities that threats materialize, and then evaluate the range of losses that may occur to the value their businesses expose.
Resilient Strategy Design: Cyber resilient leaders create strategies that minimize both the likelihood and impact of compromise. Strategies are economically efficient combinations of controls and insurance that keep risk within tolerance without introducing moral hazard.
Resilient Operations Measurement: Cyber resilient leaders know how to measure their operational strategies when put into action. Visibility coming from threat intelligence, the state of cyber hygiene, and value-at-risk is continuously analyzed. If risk tolerance is threatened, actions are taken to bring risk back within tolerance by adjusting security controls and insurance.
Resilient Communications: Cyber resilient leaders are trained to effectively quantify, qualify and communicate about cyber risks. They tell the money people and board what is needed and why (in economic terms) – and they have the operational data and analytics to defend their budgets when scrutinized.
Creating a new role around Director, Cyber Resilience
We believe that the principles and practices of cyber resilience necessitate a new leadership role. We are notionally calling it the Director, Cyber Resilience. It sits between finance, security and risk management. The role’s leveling is based on the dual strategic and operational nature of the job. Strategically, the Director is responsible for developing a cyber resilient strategy. That is an executive function that collaborates across CFOS, Risk Managers, and CISOs..
Operationally, the job includes ample amounts of analytics to support decision making and alerting. Visibility coming in from security operations like threat intelligence, vulnerability management, and incident response is analyzed in relation to value exposure. Results from analytics are used to determine (and alert) if risk is out of tolerance. Ultimately, the Director’s objective is keeping cyber risk within tolerance. They are accountable to governing that process. That means they work with the responsible organizations by doing the following:
● Advocating for cybersecurity capabilities that are economically efficient,
target value at risk, and avoid moral hazard - all informed by continuous
operations analysis and backed by a resilient strategy.
● Recommending changes to insurance limits and related coverage – helping
to keep risk within tolerance in conjunction with recommended cybersecurity
capabilities.
● Transferring and or mitigating risk that has been accumulated under the
guise of “risk tolerance” that can lead to loss and the ensuing perception of
moral hazard.
Conclusion
– Plato.
“Necessity, the mother of all inventions.”
Risk leaders must make trade-offs. They must respond responsibly to economic headwinds. And they must react to the myriad threats created by digital transformation. A cyber resilient leader makes those tradeoffs without exacerbating loss nor incurring moral hazard. They operate from a set of principles that emphasize building economically efficient strategies. Efficiency maximizes return on security controls and insurance together – protecting the value the business puts at risk. In day-to-day practice, the resilient leader uses modern analytics fueled by
increased cyber visibility – responding to risk that threatens to exceed business tolerance
