By Thomas Lyden, SSIC Managing Director
The business community needs to understand that cyber risk is just one of many types of business risk, including operational, competitive, and economic risk.
With any business risk you have to identify it, develop a strategy to manage it, measure your exposure from it, develop your hedges and the set of controls to mitigate it, and finally, establish the right governance oversight and metrics to communicate it. Other business risks—outside of cyber—all have established metrics. For instance, a widely-used method to measure exchange rate risk is the value-at-risk model. Broadly, value at risk is defined as the maximum loss for a given exposure over a given time horizon with z% confidence.
Cyber leaders need to quantify their risks as they apply, directly or indirectly, to their overall enterprise risks. It’s time to understand that cyber risk is business risk.
The results of poor measurement, poor metrics, and poor communication have CISOs/CSOs under fire and boards getting more and more involved. Smart businesses are starting to question their security spend, ask business questions (not purely technical ones) related to cyber risk, and look for metrics to make better business decisions and communicate the true business risk that cyber represents to their organization.
At the same time, leadership and boards are getting smarter on their cyber risk-transfer options (i.e., cyber insurance). Cyber risk is simply another risk, and forward-thinking leaders understand this, as well as how cyber risk factors into the larger risk management industry.
As someone who has been a member of this industry for more than 20 years, it’s clear to me that cyber security is maturing into cyber risk. Executives and boards need to embrace this change and learn how to factor cyber risk into their business strategies.