Security By Design - Part 2
In my last post I asked the question: Do you know if your organization is Cyber Secure or Cyber Insecure?
In this post, I will be discussing with you Cyber Risk from the perspective of Business Risk.
Business Risk is the possibility that an event will eventually lead to a reduction in a company’s objectives, i.e. current or future economic profits. Pretty much every business today, from small “mom and pop” businesses all the way up to massive global multinational businesses, has a significant to massive dependence upon its information technology-driven business operations. There is no avoiding the fact that Cyber Risk is a dominant risk category that every business faces. Cyber Risk is one of the few risks a business faces that has the potential to bring that business to a complete standstill! Ask yourself this series of questions:
- Can your business survive a complete shutdown of business operations for 1 day?
- Can your business survive a complete shutdown of business operations for 7 days?
- Can your business survive a complete shutdown of business operations for 14 days?
- Can your business survive a complete shutdown of business operations for 21 days?
- Can your business survive a complete shutdown of business operations for 28 days?
Is this too hard to imagine? Change the questions to something like this:
- Can your business survive a significant shutdown of business operations for 1 day?
- Can your business survive a significant shutdown of business operations for 7 days?
- Can your business survive a significant shutdown of business operations for 14 days?
- Can your business survive a significant shutdown of business operations for 21 days?
- Can your business survive a significant shutdown of business operations for 28 days?
I have asked this series of questions of business leaders and board members many times. I have never received the following reply in response:
“We may be impacted for a few days but will be back up and running within 7 days with minimal business interruption and impact.”
Never! Not once! The response I normally receive from asking these questions takes one of two forms. Either a denial that this could ever happen or a non-verbal response involving a lot of uncomfortable facial expressions and body language.
My purpose with these questions is to get your attention.
Cyber Risk is Business Risk
You do not have to take only my word for this fact:
The World Economic Forum ranks Widespread Cybercrime and Cyber Insecurity among the top 10 global risks over both the short and the long term (two and ten years respectively, as reported in the WEF The Global Risk Report 2023 Insight Report).
The Allianz Risk Barometer 2023, another global industry risk reporting standard, finds cyber incidents to be the #1 top risk that businesses face, “reflecting the importance of today’s digital economy, the evolving threat from ransomware and extortion, as well as geopolitical rivalries and conflicts increasingly being played out in cyberspace. Cyber risk and business interruption (BI) are closely linked with cyber also ranking as the cause of BI (business interruption) companies fear most.” (Allianz Global Corporate & Specialty (AGCS) is a leading global corporate insurance carrier.)
It is my experience that most companies do not typically ignore risks to their business operations. What I have experienced, though, is that most companies and leadership teams do not fully understand the cascading systemic risks which Cyber Risk and Cyber Insecurity present to their organizations. Many companies address their risks with a Governance, Risk, and Compliance (GRC) approach and support staff, following sound risk assessment practices which result in an annual risk report. GRC practices have matured in some organizations and are addressed via an Enterprise Risk Management (ERM) process, often still an annual risk assessment with associated risk reduction and abatement plans. Further, I see more advanced and integrative risk management practices being utilized in an Integrated Risk Management (IRM) approach, which takes a Value Chain integrated business risk perspective more in line with an organization’s extended business operations across business units, support functions, extended supply chains, and customer value chains.
Best practices in Integrated Risk Management (IRM) involve developing a structured and disciplined approach that aligns business strategy, processes, technology use, and knowledge with the purpose of evaluating and managing uncertainties an organization and its value chain faces. IRM categories of risk recognition involve business Strategic Risk, Operational Risk, Financial Risk, and Hazard Risk.
One of the emerging risk management models which takes a fully integrative approach to identifying risk from a corporate director’s and senior leader’s perspective can be found in the DIRECTOR™ and RISCX™ Models. The DIRECTOR™ model identifies eight core domains of risk from a corporate director’s perspective that regulate the health and vitality of an organization’s digital ecosystem. The RISCX™ model identifies five key causes of system risk within and across these domains. (Digital Directors Network).
The eight domains of the DIRECTOR™ model are: Data, Information Architecture, Risk Communications, Emerging Technology, Cyber Security, Third Party, and Operations of IT risks. The key causes of risk failures identified in the RISCX™ model allow an assessment of the systemic nature of a company’s risks from the perspectives of: cross-jurisdictional boundaries (legal, regulatory, geographic), replaceability (of processes, systems, and technologies in the event of a disruption), inter-connectedness (of processes, systems, suppliers, and customers), size, and the overall complexity of organizations. Used together, the DIRECTOR™ and RISCX™ models allow a fully integrative view of systemic business Cyber Risk to emerge and become visible.
The threats that Cyb