When it comes to cyber risks, there are three types of companies: The “scaredy-cat” does as much as he can without any digital innovation and therefore sooner or later drives the business into a dead end of modernization. The “airhead” ignores every danger, assumes that nothing will happen to him, and at some point finds himself completely unprepared for the ultimate mess. Only the “risk manager” assesses his risks, quantifies the dangers and protects himself accordingly.
Sure, most top managers will put their companies in the third category. But are you sure that’s true?
The fact that cyber events are now among the top triggers for D&O claims, according to Irish insurer Aon, shows that not all boards and CEOs are adequately fulfilling their fiduciary duty to protect corporate assets. And if something goes wrong, they are liable.
The risks are far greater than many think. Already, 85 percent of a company’s assets are in digital form. And 99 percent of everything that is added is stored digitally. Even the cloud technologies that companies believe secure most of their data do not protect against cyber risks: 63 percent of reported cyber breaches are related to suppliers and operators of cloud solutions.
That’s why I react with a little indignation when I meet a top manager and board member who enthusiastically tells me about his “brilliant” CIO: He knows everything there is to know and understands every detail when the Chief Information Security Officer (CISO) presents a list of around 300 vulnerabilities at the board meeting. It was always about incomprehensible stuff like “man-in-the-middle attacks” and “SQL injections.” You’d be lucky to have such a professional on your team!
I refrain from responding diplomatically to such enthusiasm. My response is always, “You have no idea what your cyber risks mean in terms of business risk. That’s a colossal mistake!”
And then, if requested, I am happy to explain my harsh judgment: the CISO usually has a technical background. He looks for and finds vulnerabilities and provides technical answers to them. As a rule, the CISO has no idea how momentous a single vulnerability can be for the company’s assets. He looks at the risk relative to his limited budget and then patches what and how the budget allows. And vice versa: his budget is adjusted to the cost of the “patching” but is not balanced against the associated financial risk.
Or worse, a surprising number of organizations calculate their cyber budget simply as a percentage of their IT spend, typically five to seven percent. In other words, the budget bears no relation to the real need for resilience. And so most organizations are woefully underfunded in terms of their real cyber needs.
True “risk managers,” on the other hand, set measurable cyber resilience goals, assess cyber risk with a quantifiable metric, and effectively budget cyber strategy from the company’s overall perspective. For the remaining residual risk, they use appropriate cyber insurance.
Last but not least, they also professionalize the internal organizational structure. For example, the CISO is not assigned to the CIO under any circumstances. Since cyber risk extends far beyond the classic IT horizon, it is essential to assign the topic to a function with significantly more foresight. It makes sense to place the CISO organizationally under a “risk officer” or even the CFO. I hope you are faster than your attackers!
Anastassia Lauterbach is Managing Director of ExCo Group, Professor of AI and Cybersecurity at MCI in Innsbruck, RiskQ Advisory Board Member, and an international supervisory board member