When we talk about cyber risk governance, it's easy to get lost in the technical jargon. Risk appetites, tolerance thresholds, Monte Carlo simulations – it all sounds a bit like a math problem you thought you’d never need to solve after high school. But here’s the thing: putting a cyber risk governance framework into place is not just about getting it on paper; it’s about making it work for your organization.
My recent ISACA Journal article, From Measurement to Management: Integrating Cyber Risk Quantification into Risk Governance, dives deep into the technical aspects of building a cyber risk governance framework using Cyber Risk Quantification (CRQ). In this blog post, I’ll walk you through how you can take the concepts from the article and apply them directly to your organization’s cyber risk governance.
Step 1: Know Your Risk Appetite
One of the biggest takeaways from my article is the importance of setting your organization’s risk appetite. For as quantitative as the rest of the process is, this part measures the emotional response to cyber losses. So, how do you figure this out? It starts with asking tough questions: How much money could you afford to lose without it hurting your bottom line? What cyber incidents could potentially cripple your business? But don’t leave the answers open-ended: provide a couple of thresholds as examples and gauge reactions.
Setting your risk appetite is about more than just throwing a number out there. It’s about understanding the types of risks you face and translating them into specific, measurable risk tolerance statements. For example, “We’re willing to absorb up to $1 million in cyber losses annually but no more.” Once you have that in place, you’ll find decision-making becomes much more straightforward.
Step 2: Use CRQ to Guide Your Spending
Once you've nailed down your risk appetite, it’s time to align your cybersecurity budget with it. And here’s where CRQ comes into play. You’ve got a number – say $5 million in risk appetite. Now, the question is: How much are you spending on cybersecurity to manage that risk, and is it enough?
If your current cybersecurity budget isn't sufficient to handle your stated risk appetite, you may need to adjust it. One of the best ways to determine if your budget aligns with your risk appetite is by using loss exceedance curves (LECs). These handy charts allow you to visualize the forecasted likelihood and impact of potential cyber events. They help you decide where to invest more in cybersecurity and perhaps where even to cut back.
Let’s say your LEC shows you have a $3 million shortfall in your ability to handle potential losses. You now know that your cybersecurity budget should be increased to cover that gap, whether through additional staffing, better tools or improving operational processes.
Step 3: Smart Cyber Insurance Coverage
One thing that a lot of organizations miss in their cyber risk governance framework is the effective use of cyber insurance. Here's the trick: cyber insurance shouldn’t be used to cover routine losses. Doing so will only lead to increased premiums. Instead, it should be your safety net for the larger, more catastrophic incidents – the kinds that keep executives awake at night.
Look back at your LEC. Where do you see large, high-impact events that could bankrupt your business if they were to occur? Those are the events you want to insure against. A good rule of thumb is to start thinking about insurance coverage for losses that are beyond your risk appetite – say, incidents that could cost you between 10 and 100 basis points of revenue.
For example, if your risk appetite is $5 million, you could consider insurance that covers losses starting at that amount and extending to $50 million or more. If a major event hits, you want to fill that gap with insurance so you're not left scrambling.
Step 4: Plan for the Unplannable
No matter how well you’ve planned, there will always be cyber risks that exceed both your budget and insurance coverage. That's why capital allocation is essential. Think of it like your financial buffer. What happens if your insurance only covers losses up to $50 million, but a particularly bad cyber event costs you $80 million?
The key is setting aside capital to cover the residual risk. This process is especially crucial for industries with formal capital allocation requirements, like financial services. Even if your industry doesn’t have such requirements, it’s still a good idea to ask yourself: If we suffered a loss of $80 million, how would we recover? Would it come out of the current year’s revenue? Or should we have a reserve fund set aside specifically for this purpose?
Conclusion: Governance as a Living Process
The most important takeaway here is that cyber risk governance is not a one-and-done deal. It’s a living process. Your risk appetite needs to be revisited regularly, your cybersecurity budget needs constant adjustment based on evolving threats and your capital allocation needs to be reassessed as your organization grows.
As you build and refine your cyber risk governance framework, remember that it’s all about creating a feedback loop. If your current strategies aren’t working, go back to the drawing board. Adjust your risk appetite, rethink your spending and make sure your insurance and capital reserves are adequate.
By keeping your eye on the practical side of risk governance, you can ensure that your organization stays resilient – no matter what cyber threats come your way.
About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, is the Chief Risk Officer for Kovrr, coauthor of the award-winning book on cyber risk, Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, IAPP Fellow of Information Privacy, ISC2 Global Achievement Awardee, and ISACA’s John W. Lainhart IV Common Body of Knowledge Award recipient.