Managing your enterprise's cyber risk is a surmountable task. I say this because many boards and executives have expressed to me that they don't know where to start with cyber security. Understandably so: it's a faceless, shapeless monster that's hard to understand and has serious financial repercussions; even saying the phrase seems to give it a creeping power. I've met the monster face to face at varying levels of experience, from the boardroom to the CEO chair, all the way to the high-risk, military-grade cyber defense of a nation. Instead of a monster, the enemy is more a thief, with the logic and reason of a human.
We all practice risk management every day, not just at work, but at home and in our general activities:
Should I eat this food or will it make me sick?
Should I bring an umbrella or chance the rain?
Which car will meet my safety needs at a price I can afford?
Should I walk alone in this dark alley or will I be at risk?
We are very practiced at scenarios like these, and though some questions take longer to ponder than others, there was a time when our experience with all of them was zero. Some risk remains even after careful consideration; it's the cost of living.
Cyber risk is one of the costs of doing business, just like many other things enterprise-level officers learn from the ground up. Payroll, taxes, recruiting, managing employees: these all take practice, time, and the right tools to learn. A CEO's knowledge of payroll, taxes, and management also started at zero; the goal is eventually either to have mastered the subject, or to know enough to assign people to manage it while the CEO supervises the top-line numbers. With the right tools, cyber risk is just another manageable task.
Tolerance: Should This Risk Be Addressed?
This is the first question a company's board will ask: should the company intervene ahead of time, before something goes wrong? The tools we use frame this question in terms of what we call risk tolerance, the level of risk the business has decided it is willing to accept. Risk tolerance sounds technical, but it's a simple concept best explained like this:
Figure: BreachBits Risk Management Chart
Without tools, it's difficult to know where your cyber exposures are and what their impact on your business would be. When a chart denotes a risk as green, it's clear to everyone that this particular issue falls within the tolerance the company has set: it's just the cost of doing business and should be the lowest priority. Conversely, a risk your company cannot tolerate shows as red. With both in front of you, choosing which issues to address becomes far easier; the key is that the tolerance threshold itself is a business decision, agreed on in advance rather than after an incident.
Execution: What Will It Cost to Address This Issue?
Once that question is answered, the next one is obviously, "How much time and money do I need to invest to fix this?" After you've picked out your highest-priority issue(s), it's time to move into triage mode, and anybody can join the conversation at this point. Colors and shapes are universal and quickly interpreted. The best tools aren't overly technical, because many people will need to be part of the conversation, all at varying levels of technical expertise. The best way to figure out what the fix will cost and how long it will take is to get the whole team together with a cyber security professional and discuss defense tactics.
I’d like to reiterate this with a parting note: cyber attackers are humans, just a man behind a curtain making noise to scare other humans. They can be reasoned with, they can be talked to, their efforts can be moderated with the right tools and a proactive enterprise risk management plan. The best way to face a shapeless menace is to turn and look the thief in the eyes.