Cyberrisk Governance: A Practical Guide for Implementation

Aleš Zupan
Author: Aleš Zupan, Ph.D., CISA, CRISC, CGEIT, CSX-P, CISSP
Date Published: 18 January 2021

Despite cybercrime cost amounting to more than US$1 trillion globally in 2020—more than 1% of the global domestic product (GDP)—the topic still does not receive sufficient attention at the board and C-suite levels in organizations, according to a report conducted by the Center for Strategic and International Studies (CSIS) and McAfee.1 So, why is it so difficult to get the boards interested in cybersecurity? Is the topic too technical or too intangible? How can this be changed?

Start With Cyberrisk Governance at the Granular Level

If cyberrisk (or any other risk) is described in a way that is too abstract (e.g., the organization falls victim to a ransomware attack and confidential information is disclosed to unauthorized personnel), the identified risk may not seem very tangible or actionable. This leaves board members unable to connect the identified high-level cyberrisk directly to the strategic or operational goals of the organization, causing them to lose focus on the security issue at hand. The cyberrisk then becomes the sole responsibility of the technical departments of the organization, breaking the connection between the information assets and the business goals of the organization.

One possible solution is to establish a federated model of cyberrisk governance through the creation of risk governance boards throughout the organization, from the business unit level all the way up to the board of directors (BoD). Depending on the size and structure of the organization, the risk governance boards at the business unit level may be established at the production unit, within a functional department (e.g., finance, human resources [HR], sales) or by geography (e.g., state, region, country). At this level of the organization, business owners still know their information assets (e.g., information, applications, service providers, vendors) in detail and understand the impact made on operations if any of these assets are not available or if information is inappropriately disclosed or changed.

The risk governance board should be headed by a senior businessperson within the business unit who can allocate both financial and human resources, and is authorized to accept the risk. Additionally, the board should include owners of critical information assets from the business side and representatives from the technology, information and cybersecurity, and risk management functions.

The agendas of the risk governance board meetings should be fairly consistent. The board reviews the existing cyberrisk and remediation treatment progress, compliance deviations, incidents, exceptions, results from vulnerability scans and security patching, and cyberthreat intelligence. All data, which should be presented in the form of a dashboard with key risk indicators (KRIs), are supported by details for each concrete information asset in possession of the business unit (figure 1).

Figure 1—Cyberrisk Dashboard for Leadership
Figure 1—Example Cyberrisk Dashboard for Leadership

View larger image

The risk governance board is thus able to monitor the cyberrisk posture of its own information assets, make decisions about risk treatment, supervise the remediation efforts and (re)allocate resources to the most important activities.

The dashboard for business units contains more detailed information in the same categories, however, it is associated with an individual or a group of information assets.

Aggregate Information and Report to ERM and C-Suite Stakeholders

The cybersecurity team participates in every cyberrisk governance board at the business unit level. They collect detailed information from each business unit and, by analyzing it, can identify patterns of deficiencies, areas of delayed or stalled remediation activities, new emerging risk, and more. They can aggregate the risk factors from different business units and map them to the organizationwide risk impact and likelihood levels. The holistic view is presented to the chief information security officer (CISO)/cybersecurity head, who can approve the aggregation results and convey the cyberrisk posture to the organization’s risk board. Depending on the organization, this could be the enterprise risk management (ERM) committee, risk committee of the board or the board itself.

To prepare for cyberrisk reporting at the organizational level, it is essential to define the risk taxonomy categories and their risk appetites.

Use Common Risk Taxonomy Throughout the Risk Identification, Aggregation and Reporting Chain

An essential component of positioning cyberrisk governance side-by-side with other risk governance is a well-defined and agreed-upon risk taxonomy. Additionally, the organization must define and come to an agreement about its risk appetite for individual risk categories. The same risk taxonomy should then be used to categorize the risk areas at the business unit level, at the aggregation level and at the board level. The benefit of this approach is that the reporting for cyberrisk comes in the same shape and form as all other risk. It allows for simple aggregation from the business unit to the organizational level and, vice versa, allows the breakdown of strategic cyberrisk from the organizational level to the business unit level and, eventually, to individual information assets.

By assigning the cyberrisk to different risk taxonomy groups (e.g., operational, financial, reputational), the language of cyberrisk reporting becomes the same as the language used for other risk and thus gains recognition and acknowledgement at the organizational level.

Initially, the information flow is bottom-up. As this model matures, additional benefits begin to appear naturally. Encouraged by detailed, bottom-up status reporting in business language using predefined taxonomy and risk levels, the members of the ERM committee and the board begin identifying top-down, strategic areas of cyberrisk that influence the selection, design and operations of technology (figure 2).

Figure 2—Cyberrisk Governance Model
Figure 2—Cyberrisk Governance Model

One could argue that this approach is not very different from the abstract-level approach questioned earlier. However, there is a significant difference. Every KRI, financial impact or compliance deficiency has a full set of supporting evidence that can be drilled down to the business unit level, or even the information asset level. This evidence assures board members that the risk is real and tangible, the identification method is structured and systematic, and cyberrisk management is important and should be treated like any other risk. The strategic cyberrisk areas identified at the organizational level find the path to operations quickly, thus closing the loop of efficient and effective cyberrisk governance in the organization.

Endnotes

1 Smith, Z.; E. Lostri; The Hidden Cost of Cybercrime, Center for Strategic and International Studies and McAfee, USA, 2020

Aleš Zupan, CISA, CRISC, CGEIT, CSX-P, CISSP

Is an experienced IT executive with more than 20 years of experience in large global telecom and pharma corporations where he held positions as chief information officer (CIO), CISO, head of IT governance, risk and compliance (GRC) and cybersecurity awareness and training manager. In 2018, Zupan founded consulting company, Brightstar Consulting, Ltd., in Ljubljana, Slovenia, which offers IT, GRC and cybersecurity consultancy services. He can be reached at ales.zupan@brightstar-consulting.com.