As a cybersecurity practitioner, my primary responsibility is to articulate the cyber risks facing an organization and provide options to address them. Providing accurate information is critical to allow Directors and Officers (D&O) to make decisions on cyber risks and their business impacts. In short, D&O have traditionally had four primary ways to handle risk.

  1. Accept: Not every cyber risk needs to be addressed. In many situations the cost of fully mitigating a risk cannot be justified in the context of the business. However, accepting the risk means that the D&O understand the potential consequences of the decision.
  2. Mitigate: Eliminating or reducing the cyber risk is very common and expected in many situations. The key to mitigating a risk is the timeframe involved. Some risks can be mitigated within 30 days; others take months. It is important for the D&O to understand the timeframe and resources needed to properly mitigate the risks in order to make an informed decision on the mitigation strategy.
  3. Transfer: The most common way organizations transfer risk is to purchase cyber liability insurance. RSM US LLP, in collaboration with the U.S. Chamber of Commerce, recently published the Middle Market Business Index (MMBI) Special Report on Cybersecurity, which surveyed 400 executives on cybersecurity-related topics. The special report identified that 47 percent of companies are unfamiliar or only somewhat familiar with what their policy covers. This means that an organization may assume it has successfully transferred its risk through cyber liability insurance, but may not meet the policy's terms when the time comes to use it.
  4. Ignore: In a few instances, organizations choose to simply ignore cyber risks. By not conducting annual risk assessments or regularly testing their security program, these organizations are ignoring potential risks. In other instances, the D&O are aware of cyber risks but do not provide the resources needed to mitigate them. If they do not formally accept the risks, the risks are essentially being ignored.

I have encountered a fifth method of handling risk among some of my clients: holding it through information filtering. The illustration depicts an actual flow of information for a company I recently worked with (the names have been changed). Bob, the Director of IT, is holding the risks for the organization by not articulating to the CIO the extreme findings that the cybersecurity team found during the latest penetration test. Consequently, the CIO shares another filtered report with Ace (a board member) that the results were “not too bad”, based on his assumption that the team is working on items to mitigate the risks.

[Illustration: Are you holding too much risk?, Industry Today]

In my opinion, the internal audit team should have been included, with cybersecurity sharing the results directly with them without any information filtering. Audit could then follow up on the remediation activities to ensure that risks are truly being mitigated. Unfortunately, this does not happen often enough, and cyber risks are frequently left unaddressed.

In the Special Report on Cybersecurity, 93 percent of executives stated that they were “confident in their organization’s ability to safeguard customer data.” However, is that confidence misguided due to information filtering? I believe there are a few reasons executives are more confident in their security program than those who are more closely responsible for running it.

Overconfidence #1: Spending on Cybersecurity

The special report suggests that increased spending on internal security controls and capabilities most likely inflated executive confidence, with 53 percent of respondents stating that the likelihood of unauthorized users attempting to access data and systems is very or somewhat unlikely. Among the respondents, the following items were implemented to increase the security posture:

  • 65 percent updated security protocols
  • 52 percent purchased new or upgraded software
  • 41 percent updated internal privacy policies

The executives approve funding and resources to mitigate the known risks, but in the example above there were still unaddressed risks that never reached them.

Overconfidence #2: Scope of Testing

In the example, the cybersecurity team performed a penetration test, but the scope of the assessment was left unclear:

  • Were all the locations (IP addresses) included?
  • Were users phished?
  • Were other restrictions placed on the penetration test?

I frequently encounter instances of cybersecurity teams limiting tests due to budget constraints or removing systems that “are known to be vulnerable,” such as legacy systems, or applications that are too sensitive to test (the operational risk of bringing down a system or application during testing). This skews the results, limiting the D&O’s ability to make informed decisions.

Overconfidence #3: Information Filtering

While executive confidence may be misguided, it’s not entirely the executives' fault. In the example, they are acting on the information they have been provided. They believed this information was accurate and provided funding and resources to mitigate the risks they were told about.

Reducing information filtering can be challenging, and filtering certainly happens in business functions beyond cybersecurity. Unfortunately, board members are often not empowered with the information needed to make business decisions related to cyber risks. There are a few ways to reduce cybersecurity information filtering that I have seen to be effective:

Solution #1: Include Internal Audit

Internal audit should be included in, if not made responsible for, conducting security assessments. While they may not have the skillset or technical capabilities, the nature of internal audit gives them unrestricted access to the audit board and CFO. Since they are not responsible for the security program (as the CIO is), there is no conflict of interest, which may reduce the effects of information filtering.

Solution #2: Cybersecurity Steering Committee

Setting up a cybersecurity steering committee can have a tremendous impact on the visibility of risks across an organization. In the example provided, the cybersecurity team, the CIO and internal audit, along with various business members, would all be presented with the initial penetration test report. All steering members would be briefed on the results, and a unified message crafted on how to articulate them to the board. In many instances, the company's cyber risk appetite is formulated during these meetings.

Solution #3: Board Sponsored Assessments

While not as common, I have worked directly with boards to assess the security of the organization. While the findings need to be presented in a concise manner, boards often find value in having full access to the information. Frankly, almost every board I have presented to has at least one fairly technical member who takes more interest in the findings and helps craft the message to the rest of the board.

Hopefully, these solutions are valuable in helping you understand some of the constraints and perceptions that people have about their cybersecurity program. If you feel like you are holding too much risk, implement one of these solutions and see if your visibility on risks changes. I believe the results will be eye-opening.

Ken Stasiak
Ken Stasiak is a principal in the security, privacy and risk practice of RSM. In that role, he is responsible for helping clients with remediation, implementation and managed services. Throughout his career, Stasiak has consulted with hundreds of companies on risk management in highly visible and regulated industries such as financial services, retail, high-tech and the energy sector.

Prior to joining RSM, Stasiak served as president, CEO and co-founder of SecureState, an information security assessment and protection consulting firm that was acquired by RSM in March 2018. Previously, he served as a manager at Arthur Andersen. He also held positions at a Big Four accounting firm, MarchFirst and Whittman-Hart.

Stasiak earned his EMBA from Northwestern University Kellogg School of Management. He holds a bachelor’s degree in accounting and an associate’s degree in computer programming from the University of Akron.

Stasiak holds various industry certifications, including CISSP, CISA, CGEIT and CISM, and has been featured on Bloomberg Businessweek, CNN, SIRIUS XM Satellite Radio, PBS, and Fox News for his expertise on information security.
