- New cyberrisk management information systems provide executives with the risk transparency they need to transform organizational cyberresilience
- “We need to bring rigor to the risks related to data and protect our top assets effectively.”
- Analytics is the backbone of the cyberrisk MIS; having a strong, smart analytical system in place enables users to integrate data from different sources across a network and aggregate risks as needed
- A dedicated cyberrisk MIS is not a substitute for GRC systems but rather a reporting solution addressing cyberrisk. It must be compatible with legacy systems and serve decision makers rather than specialists
Executives in all sectors have deepened their understanding of the dangers cyberrisk poses to their business. As hacks, cyberattacks, and data leaks proliferate in industry after industry, a holistic, enterprise-wide approach to cybersecurity has become a priority on board agendas. Companies are strengthening protections around their business models, core processes, and sensitive data. Regulators are applying their own pressures, and privacy demands are sharpening.
We asked executives at financial institutions in Europe and North America about their actual experiences with cyberrisk management and reporting. What they told us was instructive. They said cyberrisk management can be effective only when the information it is based on is accurate. Yet cyberrisk reporting at many companies is inadequate, failing to provide executives with the facts they need to make informed decisions about countermeasures. Because of the information gaps, managers often apply a standard set of controls to all company assets. As a result, low-priority assets can be overprotected, while critical assets remain dangerously exposed.
Risk managers are flying blind
Many companies rely on a patchwork of reports from different sources to manage cyberrisk. Executives at these companies are unable to assess the return from their cybersecurity investments. They lack needed information about cyberrisk levels, the effectiveness of countermeasures, and the status of protection for key assets. Available data are incomplete, inconsistent, and not reliable as a basis for decision making. Executives also question the complexity of their cyberrisk-management tools, finding them overly complicated and their results incomprehensible.
Risk decision makers reserve particular criticism for governance, risk, and compliance (GRC) systems. These complex software solutions can take years to implement and rarely produce a satisfying result. Like many risk-management systems, GRC software was created by technicians, and specialized expertise is required to make sense of the output. In one survey, more than half of executive respondents said cybersecurity reporting was too technical for their purposes. In fact, GRC does not even focus on cyberrisk but rather covers a wide range of risk types, including financial, legal, natural, and regulatory risks. It therefore cannot create the overview of cybersecurity that board members and regulators need. In effect, many cyberrisk managers are flying blind.
At a leading European financial institution, executives were dissatisfied with the existing cyberrisk-reporting regime. In attempting to improve it, they first assessed their experience:
- Cyberrisk reports were compiled by IT specialists for other IT specialists. As a result, the reports were very technical in nature and provided little to no guidance for executive decision making. Executives found that the reports did not help them interpret how cyberrisk is related to other risks the institution faces, such as legal or financial risks.
- At the same time, the reporting had many gaps: almost no information was provided on top risks, key assets, recent incidents, counterrisk measures, implementation accountability, the institution’s resilience in the face of cyberthreats, or the return on investments in cybersecurity.
- The reporting was structured by systems, servers, and applications rather than by business units, business processes, functions, countries, or legal entities. Most reports were compiled as stand-alone documents, with no integrated view of cyberrisk across the group.
The objectives of effective cyberrisk reporting
State-of-the-art cyberrisk management requires an information system that consolidates all relevant information in one place. The most important risk metrics—key risk indicators (KRIs)—present a consistent evaluation across assets to enable the tailored application of cyberrisk controls. A given asset can be protected with the controls appropriate to its importance and the threat levels to which it is exposed.
To ready their companies for the challenges of the evolving cyberrisk-threat landscape, executives need to upgrade their approach to cyberrisk reporting and management. To address the magnitude and the complexity of the threat, companies should build a high-performing cyberrisk management information system (MIS) with three fundamental objectives.
- Transparency on cyberrisk. Make the cyberrisk status of the institution’s most valuable assets fully transparent, with data on the most dangerous threats and most important defenses assembled in a way that’s accessible and comprehensible for nonspecialists.
- Risk-based enterprise overview. Provide decision makers with a risk-based overview of the institution so they can focus their cybersecurity investments on protecting the most valuable assets from the most dangerous threats.
- Return on cyber investments. Ensure the efficiency of counterrisk measures by requiring a high return on investment.
A dedicated cyberrisk MIS is not a substitute for GRC systems but rather a reporting solution addressing cyberrisk. It must be compatible with legacy systems and serve decision makers rather than specialists. It is designed to provide the information that executives need to prioritize threats and devise effective controls; it enables informed board discussions on cyberrisk strategy and helps optimize the allocation of funds.
A strong analytical backbone
Analytics is the backbone of the cyberrisk MIS; having a strong, smart analytical system in place enables users to integrate data from different sources across a network and aggregate risks as needed. Ideally, the cyberrisk MIS should have a pyramid structure, with risk data organized hierarchically. The starting point is a simple overview, with the most important data at the highest level of aggregation. These data would describe, for example, the top global risks, differentiated by potential loss and probability. More detailed information can be added as needed, including KRIs and countermeasures for individual divisions, countries, assets, processes, and even buildings. The contact details of the people responsible for implementing the specific countermeasures can also be included.
Catalyzing a cybersecurity transformation
The cyberrisk MIS can catalyze a comprehensive cybersecurity transformation. This happens in the MIS implementation, which in itself is an opportunity to transform the ways companies gather information about cyberrisk and make decisions about countermeasures.
The description of a successful cyberrisk MIS implementation is remarkably congruent with that of a cybersecurity transformation. The steps are as follows:
- Define the scope and objectives. Leaders work up front to define objectives and deliverables. They begin by taking stock of how cyberrisk information is gathered and how executives decide on countermeasures. Cybersecurity governance and organization should be established across the whole company, with common standards and best-in-class reporting for systematic risk identification and prioritization.
- Avoid patchwork solutions. The cyberrisk MIS must not be regarded as another patch. It should be comprehensive and more accessible than the previous assemblage of stand-alone reports. A good cyberrisk MIS can accommodate different degrees of maturity in different business units. For example, a module can be included that enables managers to upload static reports until dynamic data become available for automatic updates. Generally, the MIS should supply decision makers with the most pertinent information available at any given time.
- Enhance consistency. With improved transparency comes improved consistency. As the transformation proceeds, executives should calibrate their understanding of cyberrisk and cybersecurity. They should ask, “As an institution, how much risk are we willing to accept? What are our biggest threats? What level of protection renders a given asset safe?” Even a seemingly trivial risk topic can initiate fruitful discussions. For example, in defining cyberrisk-warning thresholds, executives can arrive at a common understanding of risk appetite, asset relevance, regulatory requirements, and the return on investments in cybersecurity.
- Shift to a risk-based approach. One of the most powerful benefits of a good cyberrisk MIS is the risk-based approach to controls, which replaces the undifferentiated “all controls for all assets” approach. The risk-based approach focuses on the most important assets and the biggest, most probable threats. Decision makers can then allocate investments accordingly. Resilience is thereby improved without an increased cybersecurity budget. In many cases, a state-of-the-art cyberrisk MIS allows reductions in operating expenditure as well.
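The pyramid structure described under "A strong analytical backbone", the warning thresholds mentioned under "Enhance consistency", and the risk-based allocation under "Shift to a risk-based approach" can be made concrete in a small data model. The following Python is an added illustration, not code from the article or from any vendor's MIS: it scores each asset/threat pair by expected loss (potential loss weighted by an assumed probability), rolls those scores up the reporting hierarchy (division, country), flags nodes that breach a threshold, and funds countermeasures in order of return on investment within a budget. All assets, threats, probabilities, costs, owners and thresholds are constructed sample values.

```python
"""Constructed example of a cyberrisk MIS analytical backbone: risk entries
(asset x threat) are scored as expected loss, rolled up along the reporting
hierarchy (division, country), checked against warning thresholds, and used to
prioritize countermeasures by return on investment within a budget.
All names, figures and probabilities below are invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    division: str
    country: str
    potential_loss: float  # worst-case loss if the asset is compromised


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # assumed annual likelihood of a successful attack (0..1)


@dataclass(frozen=True)
class RiskEntry:
    asset: Asset
    threat: Threat

    def expected_loss(self) -> float:
        """The KRI used throughout: potential loss weighted by probability."""
        return self.asset.potential_loss * self.threat.probability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    target: RiskEntry      # the asset/threat pair this measure mitigates
    cost: float
    risk_reduction: float  # fraction of the target's expected loss removed (0..1)
    owner: str             # person accountable for implementation (hypothetical)

    def loss_avoided(self) -> float:
        return self.target.expected_loss() * self.risk_reduction

    def roi(self) -> float:
        return self.loss_avoided() / self.cost


def aggregate_expected_loss(entries, level):
    """Roll expected loss up to one level of the pyramid ('division' or 'country')."""
    totals = defaultdict(float)
    for entry in entries:
        totals[getattr(entry.asset, level)] += entry.expected_loss()
    return dict(totals)


def warnings_for(entries, level, threshold):
    """Hierarchy nodes whose aggregated expected loss exceeds the warning threshold."""
    totals = aggregate_expected_loss(entries, level)
    return sorted(node for node, loss in totals.items() if loss > threshold)


def prioritize(countermeasures, budget, min_roi):
    """Risk-based selection: fund the highest-ROI measures first and skip anything
    below min_roi or beyond the remaining budget. Greedy, so not guaranteed optimal."""
    chosen, remaining = [], budget
    for cm in sorted(countermeasures, key=lambda c: c.roi(), reverse=True):
        if cm.roi() < min_roi or cm.cost > remaining:
            continue
        chosen.append(cm)
        remaining -= cm.cost
    return chosen


# Constructed sample data (not taken from the article)
LEDGER = Asset("core banking ledger", "Retail", "DE", 50_000_000)
WEBSITE = Asset("marketing website", "Retail", "DE", 200_000)
TRADING = Asset("trading platform", "Markets", "UK", 20_000_000)
RANSOMWARE = Threat("ransomware", 0.05)
PHISHING = Threat("credential phishing", 0.20)
DEFACEMENT = Threat("web defacement", 0.30)

ENTRIES = [RiskEntry(LEDGER, RANSOMWARE), RiskEntry(LEDGER, PHISHING),
           RiskEntry(WEBSITE, DEFACEMENT), RiskEntry(TRADING, RANSOMWARE)]

CANDIDATES = [
    Countermeasure("MFA for ledger admins", ENTRIES[1], 400_000, 0.7, "ciso@example.invalid"),
    Countermeasure("offline ledger backups", ENTRIES[0], 300_000, 0.6, "it-ops@example.invalid"),
    Countermeasure("WAF for website", ENTRIES[2], 150_000, 0.8, "web@example.invalid"),
    Countermeasure("EDR for trading hosts", ENTRIES[3], 500_000, 0.5, "markets-it@example.invalid"),
]

if __name__ == "__main__":
    for level in ("division", "country"):
        print(level, aggregate_expected_loss(ENTRIES, level))
    print("warnings:", warnings_for(ENTRIES, "division", 5_000_000))
    for cm in prioritize(CANDIDATES, budget=1_000_000, min_roi=1.0):
        print(f"fund {cm.name} (ROI {cm.roi():.1f}, owner {cm.owner})")
```

With these inputs the Retail division carries an expected loss of 12.56 million and breaches a 5 million division-level threshold, while the "all controls for all assets" instinct to buy a WAF for the low-value website fails the minimum-ROI test; the budget goes to the two ledger controls. The same roll-up works for any attribute of the asset record (process, legal entity, building), which is the hierarchical drill-down the article describes.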
The implementation journey begins with a project team, experts, risk managers, data owners, IT, and other stakeholders jointly determining specific requirements, relevant processes, and data availability. In the building stage, live trial sessions are held to give executives a chance to provide feedback on MIS utility. After needed adjustments, the scope is widened and the system is deployed to the entire organization.
“Step by step, we made the cyberrisk MIS our own. The whole process took less than half a year, and yet the finished product really feels like something that was made for us, not like an off-the-shelf solution.”
Article originally published by McKinsey & Co.
Cubility are the trusted advisor to some of Australia’s largest oil and gas, mining, utilities and public companies. We help ensure your company is operationally ready and business effective through modern technology strategies, program management and IT support.