Boards of Directors and investors do not need to be technical experts to oversee or discover cybersecurity risk in organizations. They do, however, need to ask probing questions to ascertain the maturity level of, and fundamental challenges within, the way organizations understand and manage cybersecurity risk.
In our interactions with executive boards of directors, venture capital investors, and M&A due diligence analysts, a common question routinely surfaces when executives seek to understand a company’s cybersecurity risk: What do I need to ask to gain a true sense of how a particular organization understands and manages cybersecurity risk?
Our answer to this question is relatively straightforward and not always obvious: Probe into the organizational understanding and operational structure around addressing cybersecurity risk, and seek evidence of measurable facts in support of that thinking and structure. This may sound fundamental and non-technical. That’s because it is fundamental and non-technical.
The impact of a cyber incident can vary by organization, and that impact variation directly correlates to the relative cybersecurity risk*. Operational impacts, reputational impacts, legal impacts, and other business impacts are typically different between organizations, as they are highly dependent on the type of business, data/systems affected, and severity of a cybersecurity “incident”.
To address this risk, many organizations speak about controls, technical fixes, expertise, and cybersecurity tools. While tremendously important, many of these are tactical solutions – they solve for particular risk management problems like blocking, monitoring, detection, remediation. These solutions, however, do not solve the oversight problem that concerns directors or potential investors.
The problem for directors and investors is to broadly determine the overall organizational cybersecurity maturity, relative to the risk. This means determining “What is that level of maturity, and has the enterprise identified their risk of a cyber incident?” The board (especially) and investors (more generally) have an oversight problem to solve when it comes to cybersecurity, not a management problem to solve.
With the management issues set aside for the moment, we can address the oversight challenge facing executives: What questions do I need to ask to gain a sense of the real cybersecurity risk within an organization? Or, more simply, “Where do I start?”
One way to address this inquiry for proper oversight is to examine the organizational understanding and fundamental management structure in cybersecurity. In an effort to quickly examine these areas, or to get the discussions going**, here are five questions one may ask as part of oversight or any investment due diligence.
1. What is your cybersecurity risk?
This question probes for a direct answer to an intentionally broad and open-ended question. As a board member or potential investor, you don’t need to know, or even judge, the merit of an immediate answer. But you do need to judge the organization’s ability to provide a sufficient and thoughtful answer, as it will provide an immediate view into how the organization thinks about cybersecurity risk. A sufficient answer should provide insights into the depth of thinking behind the organizational understanding of the risk they face, for example:
- Is there an understanding of both the probability and potential impact of a cybersecurity incident (e.g., fines related to the loss of specific types of data, potential cost of a particular type of cybercrime, potential revenue loss related to a reputational impact)?
- How likely is a breach to occur (e.g., what threats are most concerning or most likely to be successful, what vulnerabilities related to these threats are known and not properly addressed)?
- What happens to the organization when specific risks are realized (e.g., what are the legal duties, who leads the response, what are the recovery plans)?
2. How are you managing cybersecurity risk?
This question takes a deeper look into cybersecurity risk, as it relates to the overall risk management process – probing into the structural alignment supporting cyber risk mitigation. Knowing what an enterprise cybersecurity risk management program should look like (e.g., frameworks, risk-mitigating controls, roles and responsibilities, training) is not as important from an oversight perspective as obtaining evidence that a program is in place. The exact framework***, approach, or structure taken by an organization is less important at this stage as the simple fact that a thoughtful risk management approach exists. For example, signs of a thoughtful program may be:
- A clear and structured way to address cyber risk management that aids in the understanding of, and decision-making around, the actual overall cybersecurity risk
- Evidence of cybersecurity risk management nested within a larger enterprise risk management framework (e.g., cybersecurity incident response plans referenced in global business continuity planning)
- The use of an applicable cybersecurity risk management framework to help communicate cybersecurity risk management to others (e.g., NIST Cybersecurity Framework, Open Web Application Security Project (OWASP), Factor Analysis of Information Risk (FAIR) framework, ISO/IEC 2700x, the NIST 800 Series, MITRE ATT&CK™, AuditScripts Critical Security Controls)
3. How are you measuring cybersecurity risk reduction?
Brace yourself. This question pokes right into the widely contested and heavily debated subject of measuring cybersecurity risk; so tread lightly, but look for areas ripe for oversight and guidance – where answers to this question fall short of sufficient.
The concept and relative meaningfulness of “cyber risk metrics” introduces its own deep investigation into sufficient measures. However, from an oversight or potential investment perspective, what is being measured is not as important as the meaningfulness (to you, the examiner of broad risk indicators) of the organizational action that may be taken from the measurement’s result. Overall, you are looking for the organizational ability to identify, address, and adapt to the appropriate level of risk governance – that is, the organizational cyber risk policy and overall risk appetite****.
What an organization measures in cybersecurity indicates the level at which it views the security problem; one cannot manage what one cannot measure. Since feedback is critical to managing, the type of feedback management receives tells you how deeply the problem is understood. (Conversely, a lack of measures is also telling, except for organizations with near-zero information security risk.) As this topic leads to a much wider discussion on the use and value of KRIs, KPIs, and metrics, consider listening for organizational evidence in two areas:
- Does the organization quantify/qualify uncertainty in a way that provides decision-makers the appropriate level of risk-mitigation? If so, is the uncertainty measured and managed in some way?
- Do organizational leaders believe that meaningful measures mature over time, as the organization better understands and equips itself to address cybersecurity (i.e., no measurement is perfect at its onset)?
4. Who owns cybersecurity risk within the organization?
This is the cybersecurity roles-and-responsibilities question. Here, you are asking a very specific question: When it comes to cybersecurity, who has the lead?
You are investigating clear organizational alignment to the cybersecurity risk problem and discovering how cybersecurity risk responsibilities have been structured within the organization to manage risk-reduction – that is, how cyber risk management may roll up from IT controls to you, the overseer/investor. But first, one word of caution: “everyone [owns cyber risk]” is not an answer. From an oversight perspective, “everyone” is the equivalent of “no one” – a clear role must be provided. Answers to this question should provide clarity on who owns what, for example:
- Is there a clear information security risk owner in the organization (e.g., CISO, CRO, Information Security Manager)?
- Where are the organizational incentives to keep risk-mitigation solutions in place? In other words, does the owner have strategic direction and operational control over “critical” assets, that is, the data or systems that must be kept safe and undisturbed to avoid costly organizational impact?
- Are crisis-driven roles assigned or do pre-assigned roles and responsibilities exist? (The answer to this leads right to the fifth and final question.)
5. How are you prepared to respond to a cybersecurity incident?
Arguably, this question represents the main takeaway, and the previous four questions have led here. At this point, you are clearly asking: When an incident happens, is the organization ready to respond?
An organization’s ability to respond to an incident may be the predominant issue a board, a director, or an investor needs to understand. How an organization responds to a cybersecurity incident (or issue) can increase or decrease the severity of that incident (or issue), and thus the immediate impact to the organization. Having a plan is not as important as testing the plan; therefore, there are a number of areas in organizational response readiness on which to probe. For example:
- Are pre-assigned roles and responsibilities established by title for incident response (i.e., do the people that need to act know who they are and what to do)?
- Is there strategic alignment in management and communications in the event of any cybersecurity incident?
- Does an identification (ideally classification) of critical assets exist within the organization? If not, how does the organization clarify the impact and know whom to contact during an incident (e.g., legal authorities, executives, partners, third-parties, customers)?
- Is there one point-of-contact for command and control over the response effort?
For any board member, director, or capital investor, asking the above five, non-technical questions should – if nothing else – provide a reasonable place to start for gaining a sense of the organizational thinking around cybersecurity risk. (Ideally, measurable facts in support of this risk management are provided for gaining a quantifiable sense.)
For the cyber-mature organization, these types of questions may seem overly simple for addressing the complexities of the cybersecurity risk problem. The answers, however, still provide a structured starting point (or baseline) from which overseers and managers can together hold deeper, more insightful discussions around the particular cybersecurity risk processes management has employed within the enterprise.
For the cyber-maturing organization, these types of questions may appear relatively straightforward but also frustrating, should sufficient answers not be readily or practically available. As with any structured inquiry, areas where answers are not obvious or available may become categories for further inquiry and follow-up.
For all organizations, providing a simple way to understand how the organization is thinking about the impact of cybersecurity risk is a meaningful problem to solve for any board of directors or potential investor.
* Calculating cybersecurity risk is a topic for a broader discussion. A simple primer on the relationship between threats, vulnerabilities, impact, and likelihood is published in the NISTIR 7621 (Revision 1) Small Business Information Security: The Fundamentals.
** This is a starting point. Mature organizations will have detailed and well-defined answers to these simple questions. When that is the case, things are off to a good start, and you have enough to frame a point of view on the overall organizational cybersecurity.
*** No single framework fits any single organization. From an oversight point of view, which framework an organization has chosen is less important than the fact that a framework was chosen.
**** Risk appetite may be thought of as the level of known risk organizational directors are collectively willing to accept.