Rethinking how we relay risk - why poor cyber-risk reporting is still an issue
Risk may be now on the corporate agenda but cyber-risk reporting remains an issue. So James Henry asks how do we ensure risk becomes actionable intelligence?
James Henry, UK southern region manager, Auriga
High profile data breaches have seen cyber-risk move up the corporate agenda in recent months, but the picture is still far from rosy. Board execs admit they still feel out in the dark in many respects, with up to 90 percent briefed annually and only a third briefed quarterly. Moreover research among FTSE 350 CEO's, NEDs, and Chairs of Audit Committees found 70 percent felt ill-informed because they received limited cyber-risk management information.
One need only look at the recent TalkTalk data breach to see the impact of weak risk management and incident response. The operator was fully compliant and yet the board failed to make that vital connection: that compliance does not equal security. Consequently, CEO Dido Harding was faced with reassuring a customer base with very little information to hand as the company fought to determine the true extent of the data loss. And TalkTalk is by no means atypical.
While the board is undoubtedly more sensitive to cyber-risk, getting their hands on the necessary information in a timely fashion remains a difficult process. Rigid reporting structures, poor understanding of risk by non-risk personnel, and a lack of extensive application across all touch points in the organisation are all compromising how risk is assessed and reported. Risk is typically assessed by the IT team, who then report to the CIO who reports to the CFO, which can rapidly become a game of Chinese whispers, with each participant influencing the process. For the CFO, it's all about the numbers and when the time comes to cut the fat, the priority is to demonstrate return. That can be extremely difficult when it comes to risk.
Even those personnel directly involved in the assessment of risk can tend to downplay or even ignore cyber-threats because they are so intangible. In a recent report dubbed ‘The European Cyber Risk Survey 2015' by insurance broker, Marsh (October 2015) it was found 30 percent placed it outside the Top 10, while 25 percent of those polled did not include cyber-risk on risk register at all, suggesting it's at best misunderstood, at worst completely sidelined.
Finally, there's the issue of external suppliers, which are often omitted from the risk management process (or the assumption is made that the third party's own procedures will prove to be suitably diligent). Estimates suggest that more than 60 percent of breaches arise through connection with a third party supplier, yet the same Marsh report cited above found 77 percent of those surveyed did not assess the suppliers they traded with for cyber-risk.
So how do you prevent risk being distorted, mis-communicated or ignored? In the UK Government Guidelines ‘Principles of effective cyber risk management' published at the BETA stage in March, the key recommendations were to create a workable culture and environment centred on security. The following top five are the key priorities to aim for:
• Focus on enabling the business rather than governance and process
• Favour informed decisions made by competent people over adherence to methods
• Use business language rather than specialist terms
• Prioritise timely decisions rather than seek the elimination of uncertainty
• Support continuous risk management rather than one-off assessments
One way of achieving real gains is to outsource cyber-risk management processes by using a Managed Security Service (MSS) to perform risk assessment, compile the risk register and to review this frequently to ensure it remains current. Outsourcing some or all of the risk management function is objective, so will not be influenced by the idiosyncracies of the staff; applies a consistent approach across the enterprise; and, it gives access to a highly specialised task force who are able to recognise and act on sector-specific threat intel.
Ideally, cyber risk management should be a continuous process, with the board alerted to specific threats and opportunities for the business. Today, risk management is rigid, the board is fed a minimum of information on a quarterly basis at best, and the business is exposed to threats as a result. It's only by improving the chain of command, with a better relay of information, that risk management can truly realise its potential.
Contributed by James Henry, UK southern region manager, Auriga