Cyber-attacks occur frequently, so top management must own cyber risk assessments rather than delegate them entirely. Technical detail can make the depth of a risk hard for executives to judge, but that is not a reason to sidestep the matter. Instead, focus on risk tolerance, the benefits of sustained cybersecurity vigilance, and an informed workforce. In this article at Harvard Business Review, Daniel Dobrygowski and Derek Vadala explain how to get top executives to engage with cyber risk assessments.
Reality of Cyber Risk Assessments
Cyber risk assessments show how prepared your company is to detect, prevent, and resolve risks. Over the past ten years, most of this work has fallen to chief information security officers (CISOs). Although they have done that job well, their assessments have rarely quantified the business impact of the breaches and vulnerabilities they describe.
The catch is that most of these reports and studies are based on previous attacks. Attackers change their attack vectors regularly, so you must also assess your exposure from their perspective rather than from the pattern of past incidents alone.
Focusing only on past attacks also means missing the opportunity to build independent defense layers that could stop an intruder from compromising the entire organization after one foothold. Moreover, the technical detail in a CISO report does little to help top executives align cybersecurity with the business strategy.
Ways to Assess Cybersecurity Risks
- Instead of reviewing raw results from the security teams, top executives should ask for cyber risk assessments. Invite both the security department and senior leaders to regular working sessions. These meetings help the IT and security teams put their findings into a business context, while senior management gradually becomes familiar with the technical terminology and with how risk severity is judged.
- The board of directors must define the organization's risk appetite. Once they discuss cybersecurity measures in earnest, they will recognize that no organization can guard itself completely against data leaks. The questions they then need answered are 'What do our customers expect of us?' and 'How do peer companies approach these risks?'
- Rather than simply comparing yourself with rival companies, focus on the outcomes you want to achieve. A retail shop cannot be expected to run military-grade defenses. Through cybersecurity risk assessments, top executives discover which risks the business can withstand and where investment will strengthen security most.
- Cyber risk assessments can persuade your board to adopt security controls, but only the right culture embeds those controls in daily work. Engaged senior management, combined with appropriate training and technology, can build that culture and extend it to external stakeholders as well.
To view the original article in full, visit the following link: https://hbr.org/2020/09/does-your-board-really-understand-your-cyber-risks