Cheat Sheet:  What Every Executive REALLY Needs to Know About “Cyber” (Part I of III)

Unless you’ve been living under a rock, you’re probably well aware that cybersecurity is a hot topic and a major priority for executives. There are lots of resources out there that claim to give boards and executives all they need to know about cyber risk and security risk management, but there is still some confusion around exactly how much an executive needs to know about this all-encompassing term called “cyber.”

Turns out, you don’t need to be a technology expert to be a savvy executive who manages cyber risk. In this three-part series, we’ll break down the things you need to know at each stage of the risk management process: 1) defining your cyber risk, 2) understanding your cyber risk thresholds, and 3) actively managing cyber risk. Today, we’ll begin by going through the basics of how to define cyber risk in your organization:

Cyber Risk = Threats x Vulnerabilities x Impacts 

Cyber risk, like any risk, is actually measurable as a function of the threats to your organization, the vulnerabilities that inherently exist within your organization, and the impacts felt by your organization when something actually happens. So here’s what you need to know:

Threats: The Externalities

Threats are typically externalities outside your control. They answer the question: who is after your data, and why are they after it?

  • Cyber Criminals: Individuals or groups that conduct cyber crime, such as theft, destruction, or illegal dissemination.
  • Hacktivists: Individuals or groups motivated by ideological reasons, such as political, religious, or societal issues.
  • Insider Threats: Member(s) of your organization who leak or otherwise distribute sensitive information.
  • Nation States: State-sponsored actors seeking to empower their nation or undermine other nations.
  • Script Kiddies: In general, script kiddies are programmers who hack for fun or skill refinement.

Vulnerabilities: The Internalities

These are the holes in your internal organization; the things you can control. Vulnerabilities create potentially harmful exposures for your company and can be physical, like a stranger gaining access to your workspaces, or virtual, such as a poorly configured network.

In a cybersecurity context, you need to start by defining what data is most important to the health and success of your enterprise: often known as your crown jewels. For instance, a pharmaceutical company may identify sensitive patient data and patented formulas as the most critical to its business success. Once your crown jewels have been identified, you can then ensure that data is stored and transmitted in a way that makes it less exposed to those vulnerabilities.

But it’s not just the data itself, or even your own internal organization, that creates vulnerabilities. In addition to the humans, software, and network you use to transact business, you likely also maintain relationships with third-party providers, suppliers, vendors, and partners. Each of these external partners has its own security posture (some better and some worse than yours). Collectively, that adds to your exposure: a compromise at one of your third parties can bleed over into your organization.

Impacts: The Ultimate Effect

Once you have a sense of the cyber threats out there as well as the most important data in your organization and what vulnerabilities exist in the systems in which it is housed or transmitted, the next step is to put it all together. Because cyber risk is an enterprise-wide risk, cyber incidents can produce a range of serious consequences that affect your entire organization. Potential impacts include financial cost, operational damage, compliance implications, strategic setbacks, and even physical damages.

Create your scenarios: it’s the cyber equivalent of planning how much a drought could negatively impact a farmer’s crops. Even if your company has a high probability of being targeted by a cyber criminal group and is running software full of bugs and holes, if the impact of something happening to that system is minimal, then you’ll likely need to spend less time and money on protecting that system. Of course, please first make sure your terrible software isn’t connected to other critical systems that would allow an attacker to get in through an easy route and traverse to your crown jewels!
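To make the scenario reasoning above concrete, here is an added illustration (not code from the original post or from N2K) that scores a constructed inventory with Threats x Vulnerabilities x Impacts, then applies the caveat in the last sentence: a low-impact system inherits the impact of any crown-jewel system an attacker could traverse to from it. The 1 to 5 scale for each factor and the systems in the inventory are assumptions made for the example.

```python
"""Toy risk scorer: Risk = Threats x Vulnerabilities x Impacts per system,
with impact raised to that of any system reachable from it (added example;
all systems, connections and scores are constructed for illustration)."""

from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    threat: int          # 1-5: how likely this system is to be targeted
    vulnerability: int   # 1-5: how exposed this system is
    impact: int          # 1-5: consequence if this system alone is compromised
    connects_to: list = field(default_factory=list)  # systems reachable from here


def effective_impact(name, systems, seen=None):
    """Impact of `name`, raised to the highest impact of any system an attacker
    could traverse to from it (the post's 'easy route to the crown jewels' caveat).
    `seen` guards against cycles in the connection graph."""
    if seen is None:
        seen = set()
    seen.add(name)
    current = systems[name]
    worst = current.impact
    for nxt in current.connects_to:
        if nxt not in seen:
            worst = max(worst, effective_impact(nxt, systems, seen))
    return worst


def score(systems):
    """Return {name: (standalone_risk, connected_risk)} for every system."""
    out = {}
    for s in systems.values():
        standalone = s.threat * s.vulnerability * s.impact
        connected = s.threat * s.vulnerability * effective_impact(s.name, systems)
        out[s.name] = (standalone, connected)
    return out


# Constructed inventory: a buggy, heavily targeted marketing site matters little
# on its own, but it has a network path to the formula database (the crown jewel).
INVENTORY = {s.name: s for s in [
    System("marketing-site", threat=5, vulnerability=5, impact=1, connects_to=["internal-jump"]),
    System("internal-jump", threat=2, vulnerability=3, impact=2, connects_to=["formula-db"]),
    System("formula-db", threat=4, vulnerability=2, impact=5),
    System("cafeteria-menu", threat=5, vulnerability=5, impact=1),  # same bugs, no path inward
]}

if __name__ == "__main__":
    for name, (alone, conn) in sorted(score(INVENTORY).items(), key=lambda kv: -kv[1][1]):
        print(f"{name:16} standalone={alone:3}  connected={conn:3}")
```

Run as-is, the marketing site jumps from the lowest to the highest priority once its path to the formula database is counted, while the equally buggy cafeteria menu stays low.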

Don’t forget to join us next time for Part 2 of our series: understanding your organizational tolerance for cyber risk and setting appropriate thresholds.

Want to know even more about how cyber impacts your organization?

Do you need a more in-depth understanding of the types of cyber risk that can most impact your organization? Let N2K help. Learn more about Cyber Resolve, N2K’s training program geared at providing cyber risk education specifically to board and executive leaders. We even work with CISOs to tailor and align the training to an organization’s specific cybersecurity strategy.