Managing Cyber-Risk Is No Different Than Managing Any Business Risk

COMMENTARY

Business risks encompass many overlapping categories, from operational and strategic risks to financial, legal, and compliance risks. Yet every category is affected by cyber-risks in some way. Operational problems such as equipment failures and supply chain disruptions should include the risks of a cyberattack disrupting IT networks. Similarly, the CFO's office manages credit risks, investment losses, and cash-flow issues. But the finance team should also recognize the ongoing threats of financial losses from ransomware attacks, or the reputational harm when private customer data gets leaked on the Internet.

Market research has repeatedly shown cybersecurity to be a key indicator of financial performance. In fact, companies with advanced cybersecurity performance create a 372% higher shareholder return compared with their peers that have basic cybersecurity performance. That's according to a recent report from Bitsight and Diligent that analyzed more than 4,000 mid- to large-cap companies in public indexes globally.

Nearly all chief information security officers (CISOs) and security leaders are adopting artificial intelligence as part of their strategy to defend against advanced cyberattacks. More than three-fourths of CISOs (78%) are already using AI to help their security teams, while 20% are waiting for more powerful models and better AI security tools before adopting, according to Bugcrowd's "Inside the Mind of a CISO 2024" report.

The global survey found that 91% of CISOs believe AI already outperforms security professionals, or will in the future, while 76% believe the AI threat landscape is evolving too quickly to adequately secure. However, the CISOs expressed mixed feelings about the risks of AI. More than half said the risks of AI are greater than the benefits (58%), while 42% indicated that there still is not yet a consensus on this issue.

Of course, cyber-risk is more than a technology problem to be solved solely through technical protections. The solution also requires people and policies to anticipate and prevent unforeseen events through advance preparations. Cyber-risks can have damaging impacts on important business decisions for mergers and acquisitions, supply chain partnerships, and third-party vendor transactions. That's why it's so important for leaders to raise awareness about cyber-risk management among their colleagues in less technical roles such as finance, sales, marketing, and human resources.

Cyber Secure Practices Deliver Better Business Performance

It's time for businesses to elevate cyber-risk management to an essential protocol that's managed as part of their overall risk management framework — all of which requires translating complex technical threats into clear financial contingency plans that will motivate the C-suite and board members to invest in security.

The impulse to improve cyber-awareness training and increase security is most prevalent among highly regulated industries such as healthcare and financial services. For these industries, noncompliance can lead to heavy fines, penalties, lawsuits, and damage brand reputation.

Faced with strict rules, these industries typically adopt cyber programs and best practices more quickly than other sectors, because they are familiar with, and better at, managing their risk. Their internal culture demands that they ensure compliance with specific regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) data privacy rules for healthcare providers. For such firms, accounting for cyber-risk is just one more compliance requirement to check off the list.

Similarly, companies that hold regular audit committee meetings have a culture that is more conducive to managing cyber-risks as a compliance issue. They use their regular reporting cadence and infrastructure to incorporate cyber into the larger discussion of regulatory compliance and business risk topics. Regulated industries have the highest cybersecurity ratings, and companies with either a specialized risk committee or audit committee achieve better cybersecurity performance compared with those with neither, according to the Bitsight report.

It Pays to Support Smart Cyber-Risk Management

Cyber incidents can have lasting impacts on business operations, workforce productivity, customer satisfaction, and brand reputation. For all these reasons, security should be the responsibility of the entire organization, not just the CISO or security operations center (SOC) team. Everyone must share a commitment to protect the organization's information and IT infrastructure, because that is what their customers and partners expect.

To do so, business leaders need to recognize and manage these cyber-risks just as they would manage any other business risk. Direct costs from cyberattacks can include data recovery and remediation to recover lost data and repair compromised systems. Making the decision to invest in preventative measures has proven to be much more cost-effective than addressing the fallout from a successful cyberattack after it happens.

As business leaders, we're asked to prioritize resources on a daily basis — for budgets, people, and facilities — based on the returns they provide to our business. Investing in cyber programs and best practices should be seen as a business enabler and force multiplier. After all, these investments can help drive revenue growth in the company by building and maintaining customer trust, in addition to protecting the business. In today's risk environment, the CISO should be elevated to be the peer to the rest of the C-suite and a direct report of the CEO — indicative of the strategic business importance of the role.

A sound cyber-risk management strategy is based on carefully analyzing all the business impacts that may stem from a potential attack and estimating the related costs of mitigation versus the costs of not taking action. In the end, as with all risk management, this process comes down to a basic dollars-and-cents financial decision.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!