How to align cyber risk management with business needs

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Sander Zeijlemaker, Research Affiliate Cybersecurity, MIT Sloan (CAMS), Managing Director, Disem Institute, Michael Siegel, Principal Research Scientist and Director, MIT CAMS, Daniel Goldsmith, Managing Director, Julius Education, Shaharyar Khan, Research Affiliate, MIT CAMS, System Engineer, Shell

• Living in an advanced digital society means that organizations need to have an in-depth understanding of cybersecurity in order to take effective action.
• The dynamic nature of cyber risk means that boards of directors must take a multi-dimensional approach in order to mitigate any potential impact.
• Leaders can develop better foresight to manage cyber risk through exploratory and interactive technology solutions, such as MIT CAMS.

We live in an advanced digital society, in which technological developments are evolving rapidly – with powerful networks, increasing interconnectedness, and highly automated concepts such as e-health, smart cities, and the Fourth Industrial Revolution playing increasingly prominent roles.

This rise of such technologies means that cybersecurity is an extremely important and growing precondition for a successfully functioning society.

Our new digital reality requires business leaders to adequately assess and govern cyber risk and executive decision-makers are needed, to have a strong understanding of cyber risk concepts and issues in order to take effective action.

However, both the dynamic nature of cyber risk and exponential growth in cyber attacks can introduce challenges in decision-making.

To that end, the World Economic Forum and its partners, in collaboration with the National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and PwC, have published six Principles for Board Governance of Cyber Risk to enable organizations to better manage and understand how to navigate cyber risk-related strategic and operational choices.

A key principle in this guidance is that boards of directors must “align cyber-risk management with business needs” across every facet of decision-making, including innovation, mergers and acquisitions, product development and more.

Exposure to cyber risk threatens reputation and customer trust

Leaders routinely face difficult decisions in managing cyber risk, as exposure to cyber risk may threaten reputation, customer trust and competitive positioning, and possibly result in fines and lawsuits.

In this context, leaders must cope simultaneously with shifting organizational priorities, changing budgets, technologies and employee headcounts as well as evolving adversary tactics and emerging security events, among other things.

This complexity as a whole is referred to as the dynamic nature of cyber risk.

However, executive decision-makers are often overwhelmed by the complexity and pressure to act when dealing with cyber risk issues and in such situations, the risk of security blind spots exist.

Scientific research indicates that 56% of experienced security specialists and managers take suboptimal decisions and these sub-optimal decisions may yield up to a 200% higher cost base.

Many approaches are available to support business leaders and executives in their role to define and implement a sustainable cybersecurity and cyber resilience strategy.

Examples include periodic risk assessments using industry recognized frameworks – such as NIST Cybersecurity framework, C2M2 and ISO 27001 – or execution of cyber event simulations and exercises.

Risk assessment is the process of identifying cyber risk and evaluating the consequences of these risks when they happen.

Cyber event simulations and exercises are techniques that mimics cyber attacks in a controlled manner. Often, they appear as tabletop exercises or approved predefined attacks against the defender’s infrastructure.

Although these activities are helpful in establishing a baseline for cyber risk management, the dynamic nature of cyber risk is not captured. They can be best described as a one-dimensional approach, resulting in decision-makers frequently underestimating risk.

In their most advanced form, these activities can capture the near real-time situation, while business leaders and executives also have a need to see what the future outcome of their intended decisions.

Therefore, forecasting decision support systems for cyber risk management are needed. These systems require dealing with multi-dimensional dynamic problems, such as dynamic nature of cyber risk, and nonlinear variables, like the exponential increase in cyber attacks, so that they can represent the organizations that are managed.

Forward-looking cyber risk management decision support system

MIT CAMS has developed a cyber risk dashboard that provides the means to establish forward-looking projections on multiple critical performance indicators relevant to an organization’s cybersecurity strategy because there was a lack of solutions that captures the dynamic nature of cyber risk.

The MIT CAMS dashboard accounts for the dynamic nature of cyber risk as it is supported by scientifically-grounded computational modelling. The simulation is based on control theory and uses stocks and flows determined by differentially equations to represent the actions of people, process and technology in an organization.

It considers the dynamic effects as well as the interdependency of various security efforts, enabling strategic and effective cyber risk management decision-making.

The dashboard focuses on a highly innovative approach that enables leaders to simulate the impact of their decisions before making large investments. It exists to determine what areas organizations want to optimize when it comes to prioritization.

An anonymized exploratory case study leveraging the CAMS dashboard was conducted at a Fortune-500 company called Smart Wealth Management Inc.

As part of the case study, common managerial challenges such as resource allocation and budget prioritization were selected as levers to analyze their impact on cyber risk management decisions and the broader cybersecurity strategy.

This was done as the CAMS dashboard mimics a real-life decision-making environment in a safe and isolated testing, or sandbox, environment. This provides leaders the means to explore and experiment with a wide range of strategic decisions without true cyber impact on the organization.

Poor cyber risk management can negatively impact an organization

An important lesson from the case study was that poor cyber risk management decisions can impact and cripple the entire organization. Effective interventions need to consider the interconnectedness of decisions and the interactions between different mechanisms and departments prevalent in the organization.

Another important lesson from the case study was that traditional approaches can be augmented by the CAMS dashboard.

In our case study, we used Smart Wealth Management’s existing cyber risk reports and assessments to populate the model parameters for simulation and analysis.

This approach has sustainable advantages for executives as they can:

• Visualize how their strategic choices will evolve in real life through organizational-specific simulations.
• Observe how strategic choices can contribute to maintain the organization’s risk appetite.
• Prioritize cyber budgets and resource allocation to ensure timely risk response.
• Identify counterintuitive strategies that maximize the benefits of cyber risk management decisions.

Executives must do more on managing and mitigating cyber risk

Ongoing exponential growth in cyber attacks presses executive decision-makers more to stay ahead of the curve.

Reacting after the fact can be very costly and increase needs for regulatory ex-post evaluation and sanctioning. We see and understand that cyber risk is dynamic in nature, and now we must act on it.

Discover

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:

• Training a new generation of cybersecurity experts
  Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training through the Cybersecurity Learning Hub.
• Building a global response to cybersecurity risks
  The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
• Improving cybersecurity in the aviation industry
  Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
• Making the global electricity ecosystem more cyber resilient
  The centre and the Platform for Shaping the Future of Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
• The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

Through exploratory and interactive technology solutions, leaders can develop better foresight to manage economic aspects of cyber risk and alignment to business needs.

The CAMS dashboard is leading example of this direction.