Cyber, data and technology risks, and relevant understanding
AICD’s latest Director Sentiment Index survey shows that cyber crime ranks as the standout issue “keeping directors awake at night”.
Even in the current fiscal environment dominated by inflationary concerns, more than half of the Australian directors surveyed reported that the risk of cyberattacks is directly influencing their board’s risk appetite.
The importance of relevance
Whilst it is positive to see cyber risks being considered “at the top” and taken so seriously, it is imperative that organisations go beyond the generalisation of cyber risk and seek to understand specifically which cyber, data and technology risks are keeping them up at night. Directors need to understand how cyber risk is relevant to their own organisations.
Following the well-publicised late 2022 data breaches impacting a number of large organisations, much rhetoric followed from directors and executives about the concern of falling victim to a Medibank or Optus “type of event”.
The question is why directors were concerned about these events specifically, and how they thought those events related to them. Much of the concern and rhetoric originated from directors and organisations not of the size, scale or even industry sector of these victims.
The value of tailored reporting
Further, proactivity with respect to cyber risk is essential; however, reporting for the sake of reporting adds little value. If time, effort and capital are being invested in cyber strategy and understanding, it is important to direct that commitment towards translatable, relevant risk reporting.
That is, what is being reported and why? Reporting the results of phishing tests or the number of mitigated vulnerabilities may resonate with the person responsible for those numbers; however, directors, executives and Boards speak a broader, business-strategy-driven language. They seek to understand cyber, data and technology risk, and the associated strategy, in terms that are more quantifiable and tailored to what resonates with them: how much risk a security program will mitigate, in dollars and cents.
As an organisation comes to an understanding of how much risk it is willing to accept, risk quantification and decision justification enable a clear understanding of return on investment (ROI) in financial terms.
Conclusion
Our CISO-as-a-Service translates cyber strategy and draws a direct line between it and the impact it has in mitigating risk and enabling the business to service clients, seize opportunities, and in some cases even leverage its cyber security posture as a business enabler. That is: does higher security investment make prospective customers more comfortable? Is a lack of security making some existing customers leave?
If a sales cycle can be shortened, with proof that security gained more sales, that can be highly persuasive to executives and the Board. “Today, three customers walked away, but tomorrow none will.”
A strong cyber foundation is increasingly critical to brand reputation, customer trust and loyalty, operational stability, and revenue growth. The extent to which leaders embed cyber thinking, planning, and action into business initiatives - with the help of independent experts delivering strategy in clear and relevant language - is increasingly shown to have a direct effect on the success of those businesses.
Whilst RedBelts is market-leading in its technical cyber security knowledge and capabilities, we are underpinned by a broader executive risk management focus and base of expertise. This allows us to align and translate cyber, data and technology strategy with our clients in a manner that brings confidence, understanding and certainty, enabling broader business strategy.