Now more than ever, CISOs deliver hard metrics around an enterprise’s technology and digital risk. While this is nothing new for seasoned IT professionals, the challenge lies in providing these metrics meaningfully to the executive team and making them actionable in CISO board reports. The first step in this process is contextualizing the risk data generated by understanding where it fits the general enterprise risk profile. This contextualization begins with a cyber risk appetite statement.
Risk appetite statements are nothing new - as more enterprises have recognized the diversifying forms of risk their organization faces (financial, operational, etc.), they have realized the importance of a risk appetite statement. A documented method for the whole organization to understand how to make decisions about new risks using risk assessment reports. According to Gartner, the definition of risk appetite describes this as a tool that is a starting point for daily discussions around risks that organizations face. It enables leaders to initiate business actions while considering projected risks. Risk appetite statements are commonly used in financial institutions but are also starting to be seen in other industries.
We can define risk appetite statements as the potential amount of risk an organization is willing to accept to achieve business success. Risk appetite and tolerance go hand-in-hand and provide nuance to the different types of risks.
While business leaders are well adjusted to managing risk events in the physical world, cyber risk quantification is a whole new world. While we are still starting to see more data supporting cyber risk, that cannot keep organizations from adding those digital risks into the mix. However, the lack of historical data on cyber risk and risk descriptions combined with a more significant lack of understanding of cybersecurity, in general, has left many organizations’ project management approaches to cyber risk siloed within IT.
Organizations are challenged now to embrace cyber risk quantification and embed it into their risk registers or face the same negative impact as Equifax or Wells Fargo.
From a management standpoint, directly reporting cybersecurity metrics without context further distances information security from the organization's business side. The metrics that technical leaders use to measure an organization's health do not transfer to business-side conversations. Gartner states that of the Board members surveyed, 80% value "risk posture" as the most critical metric for reporting. Less than 20% of CISOs thought the same.
Technical leaders are often tempted to get lost in the weeds, to spend time on details, and to deliver information that does not fit into the context of what C-suite executives and the Board are looking for. For business-side leaders and CISOs, integrating cyber risk into an enterprise risk appetite statement creates a single source of truth for both parties to know what the other expects of them.
<The Bank> faces a broad range of risks in its responsibilities as a central bank. Acceptance of some level of risk is often necessary to foster innovation and efficiencies within business practices. The risks arising from our policy responsibilities can be significant. These are managed through processes emphasizing the importance of integrity, maintaining quality staff, and public accountability.
<The Bank> is also exposed to some significant financial risks, mainly due to its holding foreign exchange reserves. Regarding operational risks, we have a low appetite for risk and make resources available to control operational risks to acceptable levels. <The Bank> recognizes that eliminating some of the risks inherent in its activities is not possible or necessarily desirable.
This model risk statement gives insight into the enterprise organization’s risk approach. Specifically, the statement highlights critical and reasonable risks that are necessary to accept to participate in the industry. As we all know, there are specific risks to specific sectors. Although the cyber risk is the glue that ties many organizations together - all organizations are hitting the point of accepting more digital risks. For CISOs, this statement helps them and their teams understand where resources must go based on the organization's priorities and specific project objectives.
The organization has a risk tolerance, allowing it to achieve its business objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates.
The organization has a low-risk appetite for losing its business and customer data when a cyber event occurs. The organization has a medium risk appetite for physical information security assets and will track assets greater than US$2,000. Information assets will be protected per the organization's data classification framework. The organization has a high-risk appetite for access controls. All-access to the organization's mission-critical systems will be controlled via biometric authentication.
This sample statement further emphasizes the importance of certain risks over others. It grants insight for the whole organization into what the teams shouldering this accepted risk need to incorporate into their goals and objectives for the enterprise. Statements like these contextualize specific events or conditions within the risk landscape for any given team—in our case, cybersecurity risk management teams.
Learn more about how to leverage cybersecurity risk analysis data here.
Using the previous examples as a template, we can look at the following as a template for a cyber risk appetite example:
The organization has a risk tolerance, allowing it to achieve its business goals and objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates. The organization has a [low/medium/high] appetite for losing or breaching its business and customer data in pursuit of its goals. The organization has a [low/medium/high] risk appetite for physical information security assets and will track assets greater than [dollar amount]. Information assets will be protected per the organization’s data classification framework [use examples if you wish]. The organization has a [low/medium/high] risk appetite for access controls. All access to the organization’s mission-critical systems will be controlled via [2FA/MFA/biometric].
As we've seen, turning a blind eye to cyber risk is no longer an option. Whether the organization already has a risk appetite statement or is still undefined, CISOs need to be actively involved in developing and iterating on that statement - sharing their knowledge of cyber and the identified risks associated with enhancing and contextualizing these risks for the rest of the organization.
Conduct a Free Cyber Risk Analysis with CyberStrong. Instantly unlock your top 5 risks and associated NIST 800-53 controls.
If you have any questions about writing a risk statement or how integrated cyber risk management can help enable your organization's cybersecurity plan and continuously prepare it for uncertain events, schedule a conversation with the CyberSaint team to learn more.