In Part 1 of our series, we focused on defining what management attention is, and how managers are influenced in making decisions. We also introduced the concept of quantifying the benefit of mitigating security control investments – known as Return on Control.1 In this article, we look further into the relationship between management attention and the occurrence of cyber events, historic cyber risk assessments, the need for cyber risk quantification and end with a set of actionable recommendations.
Management attention as a predictor of cyber events
Management attention represents dedicated and concentrated focus by the management team on a specified objective, a specified investment. For cybersecurity to receive such attention in an organization, there must be management focus on the need to measure cyber risk exposure and implement optimal mitigating cybersecurity practices.
A recent study has shown that management attention to cybersecurity, management perception of the impact of cybersecurity, cyber decisioning and risk-averse practice adoption are not aligned in many companies.2 In fact, while it showed significant misalignment just prior to a cyber event, it also demonstrated significant alignment after the event. The study analyzed six years of annual reports for all Fortune 500 companies, using a proprietary algorithm developed for the study that defined each organization’s cybersecurity posture. It found that alignment occurs when a company incurs a significant cyberattack and management can learn from “failure” and “feel” the impact of the event.3 Having experienced such an event, management’s attention is drawn to it, its perception of the realities of cyber events is heightened, secure practices and related investments are approved, and the adoption of those practices is more successful. But this phenomenon does not last. Management’s tolerance for reactive spending following a cyber event is inevitably limited, and strong quantifiable support for such investments is eventually required, analogous to the costs and benefits identified for other investments. Indeed, the study showed that management behaviors reverted to old ways as early as four years after a cyber event. The study also illustrated that companies which faced a significant cyber event had, before the event, a low level of management attention to cybersecurity and low alignment between attention, perception, decisioning and adoption.
For these same firms, security initiatives were not aligned with business strategy. In all cases where a firm had experienced a significant cyberattack, management attention was clearly focused on other initiatives. However critical those strategic initiatives were to other organizational goals, the attention given to them clearly drew focus away from key security initiatives. This suggests that a cyber incident is more likely to occur when management attention to cybersecurity is lacking. We wondered whether such a lack of attention correlated with the occurrence of cyberattacks. Does the impact of competing investment priorities drive initiatives with less direct bottom-line benefit to such a low priority that they are rarely, if ever, funded? Can management attention be considered a predictor of impending cyberattacks? If a significant cyberattack follows a period of low management attention to cybersecurity, does attention increase after the attack?
If security investments could be substantiated in quantifiable terms, would this promote risk-averse decisioning and related adoption? Would it be easier for management to accept cyber security investments because of their new-found ability to properly compare the benefit of such investments to other investments?
Cyber risk assessments
Historically, cyber risk assessments have been technically focused, largely driven by cyber risk assessment guidelines developed by ISO (ISO 27001, the international standard for best-practice information security management systems) and NIST (National Institute of Standards and Technology). While both frameworks touch on organizational and cultural standards for security, they are largely technically focused assessments. Coupled with these technical assessments, many organizations continue to prioritize mitigating actions in response to identified vulnerabilities based on a qualitative matrix or “heat map” as prescribed by NIST, MITRE, ISO and OWASP. This method represents a rough measure of how likely a particular vulnerability is to be identified and exploited by an attacker. It is also a method that does not specifically address cultural or management attention issues.
Yet it has been repeatedly reported that more than 60% of cyber events are rooted in human error.4 It is obvious, therefore, that greater care must be taken to address the people side of the security equation, by assessing the cultural affinity of the organization to protect itself through defined standards, policies and procedures. Ensuring that employees are properly informed and trained on such secure practices is paramount to reducing the likelihood of “people”-oriented security events.
Going one step beyond the cultural assessment is the concept of a management attention assessment. The recent study noted above analyzed the Fortune 500, utilizing a proprietary algorithm developed for the study and the data resident in the 10-K annual reports submitted to the SEC by the same companies. By applying this algorithm to six consecutive years’ worth of 10-K data, a risk profile was developed for each company. Management attention was a defined part of the risk profiles developed. In cases where a company had experienced a significant cyber event in the six-year period, the management attention preceding the event was analyzed. In all cases, management attention was low, and further review of these companies suggested evidence of other investments receiving greater key management attention.
Management attention and the benefits of cyber risk quantification
All businesses are faced with competing priorities. Managers are paid to ably traverse such waters and make well-supported decisions. What if their ability to make such decisions is stifled by a lack of quantitative support that is routinely available for other types of investments? Would there not be a lower likelihood of consideration or selection because of a lack of understanding of the subject, or because there was insufficient evidence to articulate the value to be derived from the investment? Even if the qualitative analysis previously mentioned suggests a high likelihood of occurrence and impact, the initiative may be passed over because of the lack of comparative benefit support.
The current cybersecurity landscape calls for managers to place increased attention and focus on cybersecurity threats and the realities of potential cyber events. Without focus, their ability to understand the potential implications and impacts will be biased by prior experiences, the experiences of others in their industry or ignorance. They must regularly be made aware of the security vulnerabilities facing the organization and receive a quantitative assessment of those cyber events most likely to impact the organization. They should be led through what-if scenario analysis to clarify potential impacts and the breadth of their reach, inclusive of partner and third-party impacts. Conversely, they must understand the implications of a partner or third party experiencing a cyber event and the potential impact that event might have on the organization.
An organization’s exposure to potential cyber events must be quantified and understood in business terms. Only then can an organization’s decision makers effectively understand the return to be received from the implementation of a mitigating security control and what portion of this cyber risk they wish to transfer to cyber insurance. By understanding their vulnerabilities, a company can better determine which cyber threats should be considered most dangerous to the organization, and what mitigating treatments would best proactively prepare the organization should a cyber event occur.
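To make the quantification step concrete, the following is an added example, written for this article and not the authors’ model or any Willis Towers Watson tool. It expresses each loss scenario the way Hubbard and Seiersen (footnote 1) recommend, as an annual probability plus a 90% confidence interval on loss given an event, simulates annual losses by Monte Carlo, computes Return on Control (defined here as the reduction in expected annual loss minus the control’s cost, divided by that cost), and splits the simulated losses into the retained portion and the portion transferred to a policy with a deductible and a limit. All scenario figures, the hypothetical control and the policy terms are constructed for illustration.

```python
"""Added example: a minimal cyber risk quantification model (Monte Carlo
annual loss, Return on Control, retained vs. insured loss).  All figures are
constructed for illustration and are not from the article or any real firm."""
import math
import random
from dataclasses import dataclass

Z_90 = 1.645  # z-score bounding the 5th and 95th percentiles of a 90% CI


@dataclass
class Scenario:
    """One loss scenario as a calibrated estimator would state it: annual
    probability of occurrence and a 90% CI on the loss given an occurrence."""
    name: str
    annual_prob: float
    loss_p5: float   # lower bound of the 90% CI on loss per event
    loss_p95: float  # upper bound of the 90% CI on loss per event


def lognormal_params(p5, p95):
    """Convert a 90% CI on a lognormal loss into (mu, sigma) of ln(loss)."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z_90)
    return mu, sigma


def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Monte Carlo: total loss in each simulated year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            if rng.random() < s.annual_prob:       # did the event occur this year?
                mu, sigma = lognormal_params(s.loss_p5, s.loss_p95)
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def expected_loss(losses):
    """Annualized loss expectancy: mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def exceedance_probability(losses, threshold):
    """One point on the loss-exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def return_on_control(ale_before, ale_after, control_cost):
    """Return on Control = (reduction in expected annual loss - cost) / cost."""
    return (ale_before - ale_after - control_cost) / control_cost


def split_retained_transferred(losses, deductible, limit):
    """Apply a policy with a deductible and a limit; return the mean retained
    and mean transferred (insured) annual loss."""
    transferred = [min(max(x - deductible, 0.0), limit) for x in losses]
    retained = [x - t for x, t in zip(losses, transferred)]
    return expected_loss(retained), expected_loss(transferred)


def evaluate_control(before, after, control_cost, years=20_000, seed=7):
    """Compare the loss distribution with and without a control; `after` is
    the scenario list as modified by the control (lower probability or loss)."""
    ale_before = expected_loss(simulate_annual_losses(before, years, seed))
    ale_after = expected_loss(simulate_annual_losses(after, years, seed))
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "return_on_control": return_on_control(ale_before, ale_after, control_cost),
    }


if __name__ == "__main__":
    # Constructed scenarios (hypothetical figures, USD).
    before = [
        Scenario("ransomware via phished credentials", 0.15, 200_000, 5_000_000),
        Scenario("third-party data breach", 0.10, 50_000, 2_000_000),
    ]
    # Hypothetical control: phishing-resistant MFA, assumed to cut the
    # credential-driven scenario's annual probability from 15% to 5%.
    after = [Scenario(before[0].name, 0.05, 200_000, 5_000_000), before[1]]
    result = evaluate_control(before, after, control_cost=100_000)
    losses = simulate_annual_losses(before)
    retained, insured = split_retained_transferred(losses, 100_000, 3_000_000)
    print(f"expected annual loss, no control: {result['ale_before']:,.0f}")
    print(f"expected annual loss, with MFA:   {result['ale_after']:,.0f}")
    print(f"return on control:                {result['return_on_control']:.2f}")
    print(f"P(annual loss > 1M):              {exceedance_probability(losses, 1e6):.3f}")
    print(f"mean retained / insured:          {retained:,.0f} / {insured:,.0f}")
```

The same seed is used for the “before” and “after” runs so that the two distributions differ only through the control’s effect; the printed figures are Monte Carlo estimates and move slightly with the seed and the number of simulated years, which is exactly the uncertainty a decision maker should see alongside the point estimates.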
Equally, the organization must understand the cyber risk exposures it creates when entertaining new business endeavors and proactively incorporate security strategies to support those business initiatives. Mergers and acquisitions are as much a consideration in this regard as the development of new business lines or the integration with new partners or third parties. Management attention to the business strategy must include consideration for the security element of implementing that strategy.
Actionable recommendations
Management attention to cybersecurity is key to actionably improving the cyber risk posture of an organization. That attention can be influenced in different ways. Naturally, the occurrence of a cyber event will force an organization’s management to take notice of the financial and reputational impacts of such an event. To mitigate the likelihood of such an occurrence and to be better prepared for one, we strongly recommend the following seven-step plan:
- Assess both cultural and management attention in addition to traditional technical cyber risk assessments. Such assessments can clarify whether the organization is setting itself up for failure by inadvertently denying investment in proactive security practices because of competing priorities.
- Adopt a proactive cyber risk culture. If management attention and cultural assessments suggest that corporate culture is weak in terms of cybersecurity focus, an initiative to openly embrace and adopt a proactive cyber risk culture is advised. This should be driven top-down by senior leadership and further supported with bottom-up initiatives from employees.
- Provide cybersecurity education for the Board of Directors, the management team and the workforce. One element of adopting a proactive cyber risk culture is promoting an understanding of cyber threats, vulnerabilities and the role each of these groups plays in mitigating the likelihood of a cyber event. This is crucial to an organization’s cyber health and cyber exposure.
- Adopt tabletop exercises, annually at a minimum. Tabletop exercises that simulate real-life cyber event scenarios are invaluable in demonstrating the value of, and the need for, management attention prior to, during and after a cyber event. We recommend that such exercises occur at least annually, but more frequent semi-annual or quarterly exercises are strongly encouraged where possible.
- Adopt “holistic” cyber risk assessments that involve technical, cultural and management attention assessments on an annual basis to protect the cyber health of the organization.
- Adopt cyber risk quantification. By quantifying an organization’s cyber exposure and quantifying the return to be derived from investing in certain mitigating controls, management can make more informed investment decisions.
- Transfer the appropriate amount of cyber risk through cyber insurance. Understanding an organization’s cyber risk exposure and the value that cyber insurance brings to the table can save the organization considerable expense and pain should a cyber event occur. Consider the use of Willis Towers Watson’s Cyber Quantified tools and the entire Quantified model portfolio. These decision support tools are designed to help companies assess and quantify their exposures and better understand the value of insurance given their risk profile.
Conclusion
Although cyber events continue to increase in complexity, magnitude and frequency, there is no reason for organizations to be unaware or unprepared. Management attention to cyber security is a key contributor to reducing the likelihood of a cyber event and is a conduit to the adoption of cyber risk quantification, which provides the decision support needed to explain the value of mitigating control investments in the face of competing investments. Organizations are better served by being properly prepared with the supporting analytics required to make better cybersecurity decisions.
It is most important to quantify the value of implementing mitigating security controls (procedures, policies, security software, etc.) to reduce cyber risk exposure. With strong decision-support, the benefits of cyber security investment opportunities can be equitably evaluated against other non-security-oriented investments.
Footnotes
1 Hubbard, D. W. & Seiersen, R. 2016. How to measure anything in cybersecurity risk (1 ed.). Hoboken, New Jersey: Wiley. https://onlinelibrary.wiley.com/doi/book/10.1002/9781119162315
2 Piccirilli, C. J. 2020. When does increased attention result in increased action against cyberattacks?: 283. https://search.proquest.com/openview/7fd86094cfb0b9b4006789c002752b06/1?pq-origsite=gscholar&cbl=18750&diss=y
3 Dahlin, K., Roulet, T. & Chuang, Y.-T. 2018. Opportunity, motivation and ability to learn from failures and errors: Review, synthesis, and the way forward. Academy of Management Annals. https://www.researchgate.net/publication/320531946_Opportunity_motivation_and_ability_to_learn_from_failures_and_errors_Review_synthesis_and_the_way_forward
4 Willis Towers Watson. August 2020. Decode Cyber: Cyber Risk Solutions & Insurance Solutions. https://wtwonline.sharepoint.com/:p:/r/sites/Integrated-Cyber/_layouts/15/Doc.aspx?sourcedoc=%7BBEC56A78-259E-4A98-89CC-35E43BC7BA7C%7D&file=Banks%20-%20Cyber%20Risk%20Articulation%20and%20Financial%20Quantification%20Proposal.pptx&action=edit&mobileredirect=true&DefaultItemOpen=1
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.