Cheat Sheet: What Every Executive REALLY Needs to Know About “Cyber” (Part I of III)
Unless you’ve been living under a rock, you’re probably well aware that cybersecurity is a hot topic and major priority for executives. There are lots of resources out there that claim to provide boards and executives with all they need to know on cyber risk and security risk management, but there is still some confusion around exactly how much an executive needs to know about this all-encompassing term called “cyber.”
Turns out, you don’t need to be a technology expert to be a savvy executive who manages cyber risk. In this three-part series, we’ll break down the things you need to know at each stage of the risk management process: 1) defining your cyber risk, 2) understanding your cyber risk thresholds, and 3) actively managing cyber risk. Today, we’ll begin by going through the basics of how to define cyber risk in your organization:
Cyber Risk = Threats x Vulnerabilities x Impacts
Cyber risk, like any risk, is actually measurable as a function of the threats to your organization, the vulnerabilities that inherently exist within your organization, and the impacts felt by your organization when something actually happens. So here’s what you need to know:
Threats: The Externalities
These are most typically externalities outside your control. This category answers the question: who is after your data, and why are they after it?
- Cyber Criminals: Individuals or groups that conduct cyber crime, such as theft, destruction, or illegal dissemination.
- Hacktivists: Individuals or groups motivated by ideological reasons, such as political, religious, or societal issues.
- Insider Threats: Member(s) of your organization who leak or otherwise distribute sensitive information.
- Nation States: State-sponsored actors seeking to empower their nation or undermine other nations.
- Script Kiddies: In general, Script Kiddies are programmers who hack for fun or skill refinement.
Vulnerabilities: The Internalities
These are the holes in your internal organization; the things you can control. Vulnerabilities create potentially harmful exposures for your company and can be physical, like a stranger gaining access to your workspaces, or virtual, such as a poorly configured network.
Impacts: The Ultimate Effect
Once you have a sense of the cyber threats out there as well as the most important data in your organization and what vulnerabilities exist in the systems in which it is housed or transmitted, the next step is to put it all together. Because cyber risk is an enterprise-wide risk, cyber incidents can produce a range of serious consequences that affect your entire organization. Potential impacts include financial cost, operational damage, compliance implications, strategic setbacks, and even physical damages.
Create your scenarios: it’s the cyber equivalent of planning how much a drought could negatively impact a farmer’s crops. Even if your company has a high probability of being targeted by a cyber criminal group and is running software full of bugs and holes, if the impact of something happening to that system is minimal, then you’ll likely need to spend less time and money on protecting that system. Of course, please first make sure your terrible software isn’t connected to other critical systems that would allow an attacker to get in through an easy route and traverse to your crown jewels!
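As an added illustration, not part of the original article, here is a small Python model that scores scenarios with the Threats x Vulnerabilities x Impacts formula and applies the caveat above about connected systems: a system’s effective impact is the worst impact of anything an attacker could traverse to from it. The systems, 1-to-5 scores and connections are constructed sample values, not data from the article.

```python
from dataclasses import dataclass, field

# Ordinal scale 1 (low) to 5 (high) for each factor; constructed for illustration.
@dataclass
class System:
    name: str
    threat: int         # how likely/motivated adversaries are to target this system
    vulnerability: int  # how exposed or buggy the system is
    impact: int         # consequence if this system alone is compromised
    connects_to: list = field(default_factory=list)  # systems reachable from it

def reachable(systems, start):
    """All systems an attacker could traverse to after compromising `start` (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(systems[name].connects_to)
    seen.discard(start)
    return seen

def effective_impact(systems, name):
    """Own impact or the impact of anything reachable from it, whichever is worse."""
    own = systems[name].impact
    return max([own] + [systems[n].impact for n in reachable(systems, name)])

def score_scenarios(systems):
    """Return {system: (isolated_risk, effective_risk)} using Threats x Vulnerabilities x Impacts."""
    scores = {}
    for name, s in systems.items():
        isolated = s.threat * s.vulnerability * s.impact
        effective = s.threat * s.vulnerability * effective_impact(systems, name)
        scores[name] = (isolated, effective)
    return scores

# Constructed sample: a buggy, heavily targeted but low-value site that can reach the crown jewels.
SAMPLE = {s.name: s for s in [
    System("marketing-site", threat=5, vulnerability=5, impact=1, connects_to=["intranet"]),
    System("intranet", threat=2, vulnerability=3, impact=2, connects_to=["customer-db"]),
    System("customer-db", threat=3, vulnerability=2, impact=5),
]}

if __name__ == "__main__":
    for name, (iso, eff) in sorted(score_scenarios(SAMPLE).items(), key=lambda kv: -kv[1][1]):
        print(f"{name:15} isolated={iso:4} effective={eff:4}")
```

Ranking by effective risk moves the low-impact marketing site to the top of the list, which is exactly the “easy route to the crown jewels” the text warns about.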
Don’t forget to join us next time for Part 2 of our series: understanding your organizational tolerance for cyber risk and setting appropriate thresholds.
Want to know even more about how cyber impacts your organization?
Do you need a more in-depth understanding of the type of cyber risks that can most impact your organization? Let N2K help. Learn more about Cyber Resolve: N2K’s training programs are geared toward providing cyber risk education specifically to board and executive leaders. We even work with CISOs to tailor and align the training to an organization’s specific cybersecurity strategy.