Although cybersecurity risks have attracted a lot of attention, many companies still treat cybersecurity risk primarily as an “IT problem,” rather than a core strategic risk area that’s closely intertwined with company strategy. This narrow perspective on cybersecurity risks can create blind spots and vulnerabilities in the way cybersecurity risk is assessed and managed.
The ultimate purpose of strategic management is to enable companies to achieve their strategic objectives and corporate purpose. Forces of change in information technology and the ever-increasing and complex nature of cybersecurity threats facing organizations create major challenges for understanding how to identify, assess, and manage these risks and opportunities as part of an organization’s strategic management processes. Research from the Strategic Risk Management Lab at DePaul University, presented at the 2019 American Accounting Association annual meeting, describes a process for assessing and managing cybersecurity risks as part of the strategic management of an organization using a strategic risk assessment process.
A strategic risk assessment process can be used to assess and manage cybersecurity risks and to develop a cybersecurity risk profile that includes readiness as a primary element. (For more on the assessment process, see “The CFO and Strategic Risk Management,” Strategic Finance, January 2021.) Darren S. Guccione, CEO and cofounder of Keeper Security, a leading cybersecurity software company, shares his insights on how companies assess and develop readiness capabilities in order to assess, measure, and mitigate cybersecurity risks.
CFOS AND CYBERSECURITY RISKS
The CFO and finance organization are in a position to take a leadership role in assessing and managing cybersecurity risks. Risk management functions often reside in the CFO office.
MLF: What are the top things CFOs should do to protect the company from a cyberattack? What advice would you give to CFOs to assess and manage their cybersecurity risks?
DSG: It’s imperative that organizations have a cybersecurity action plan in place. A CFO, in coordination with all C-level executives (a cybersecurity team), should have a cybersecurity plan that covers five core elements:
As part of this cybersecurity plan, the organization should undergo a stringent self-assessment to identify gaps in their processes, internal controls, security, confidentiality, and technology.
STRATEGIC RISK ASSESSMENT
The strategic risk assessment process (shown in Figure 1) includes seven steps, representing a continuous process for organizations to assess and manage risks. The process is adapted from the strategic risk assessment process described in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2020 research report Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management.
For each of these steps, cybersecurity risks can be addressed as follows by the cybersecurity team.
In Step 1, “understand the strategies of the organization,” companies identify cybersecurity risks that would prevent the organization from achieving its strategic objectives and purpose. This includes identifying the key information assets at risk, including customer information and security access information. In this step, we use the Return Driven Strategy framework.
In Step 2, “gather data and views on cybersecurity risks (and opportunities),” companies form a cybersecurity team to assess cybersecurity capabilities and identify key cybersecurity risks and opportunities. In this step, we use the Strategic Risk Management framework.
In Step 3, “prepare a preliminary cybersecurity risk profile,” companies develop a risk profile for cybersecurity risks. In this step, we develop a multidimensional risk profile as shown in Table 1.
In Step 4, “validate and finalize the cybersecurity risk profile,” the cybersecurity team validates and finalizes the key cybersecurity risk profile.
In Step 5, “develop a cybersecurity risk management action plan,” the plan includes identifying and selecting risk responses, mitigation activities, and risk monitoring; updating the assessment process; and risk reporting with balanced scorecard (BSC) strategy maps.
In Step 6, “communicate the cybersecurity risk profile and action plans,” the cybersecurity risk profile and action plan are communicated to the board of directors and management team. This requires the cybersecurity action plan previously mentioned.
In Step 7, “implement the cybersecurity risk management action plan,” implementation feeds into the next cycle of the process, helping the continuous development of organizational knowledge and capabilities in assessing and managing cybersecurity risks as a company with a knowledge-building culture.
MULTIDIMENSIONAL STRATEGIC RISK PROFILE
The multidimensional strategic risk profile (shown in Table 1) includes the dimensions of likelihood and impact as well as the very important dimension of “Readiness” (see the 2011 COSO report Embracing Enterprise Risk Management: Practical Approaches for Getting Started). In full, its dimensions are likelihood, impact, speed/velocity, readiness, and priority.
MLF: What are the key things CFOs should do to assess readiness for cybersecurity risks?
DSG: The first step in mitigating cyber risk is to prepare a cybersecurity plan that’s focused on mitigating the effectiveness of a cyberattack vector or defalcation from inside or outside the organization. As part of this, a System and Organizational Control (SOC) audit, including preparedness and planning for the audit, should be conducted. More specifically, SOC 2 Type 1 and Type 2 assessments should be conducted. This is a great first step in cybersecurity planning because it includes the systems, controls, and protocols of the organization covering its confidentiality, privacy, and security. The audit will identify critical gaps in the organization that need to be remediated.
RISK DIALOGUE QUESTIONS
MLF: What are the risk dialogue questions CFOs should ask about cybersecurity risk and cybersecurity risk management capabilities?
DSG: There are several questions covering the five elements of a cybersecurity plan. A few core questions are:
- Is cybersecurity planning part of every process, product, and service that the organization practices and/or produces?
- Is cybersecurity planning a regular and active mechanism and a prioritized budget item at the organization?
- Is the organization involving all employees and contractors who transact and/or work on the organization’s systems, services, or products in cybersecurity training (e.g., phishing awareness, social engineering attack prevention, password hygiene, etc.)?
- Is the organization making a regular, active investment in cybersecurity staff, planning, training, and technology across all departments?
The bottom line is that the answer to each question should be “Yes.” The issue that organizations face today is that cybercriminals have become well-financed and more sophisticated with technology than ever before. Without a proper organizational mindset, it will simply be a matter of time until a major breach occurs.
This article is part of the Creating Long-Term Sustainable Value series launched by the October 2018 article (see Mark L. Frigo, with Dominic Barton, “Creating Greater Long-Term Sustainable Value”).