How Boards Can Set Enforceable Cyber Risk Tolerance Levels
It is becoming common for boards of directors to declare a low level of risk tolerance for the enterprise. The problem is that the action typically stops there, with no new directives to the CEO or the CFO to make the different decisions that a low risk tolerance actually requires.
The optimum next steps don’t necessarily involve more money, although increased cybersecurity funding is the most obvious and often necessary move. They can also involve granting the authority needed to change the enterprise’s risk position.
The CISO or CRO should be able to approve cloud agreements only with new security conditions attached. They should also be able to require prospective business partners to meet security measures, such as penetration testing that is unannounced to the partner’s operations staff but authorized in the contract. Maybe the CISO wants to eliminate the BYOD mobile policy and insist on company-controlled devices only; they should have the power to make that call. Or maybe the CISO wants the right to audit accounts payable expense reports, looking for purchases (routers, cloud subscriptions, IoT devices, etc.) that could indicate shadow IT.
“What gets messy about this is that it’s so very easy for a board to say that it has a low risk tolerance. It almost turns into a marketing message,” says Jeff Pollard, VP and principal analyst for Forrester Research. “Do board members actually understand what having a low risk tolerance really means? It costs the board nothing to just say it. There are ramifications and implications of a low risk tolerance.”
For quite a few boards, “there is no direct linkage” between that declaration and appropriate changes to make it real, Pollard says. He adds, “Boards are often disconnected when making that decision and deciding on the budget. Risk in the 21st century is often quantitative with the veneer of qualitative. They have this masquerade of being quantities when they are not. We are using imprecise language as though it’s precise. Risk is nebulous. There is no actual meaningful definition of what that means in practice.”
“The fastest growing division is probably high risk because they are growing so fast and they are doing what needs to be done to grow that fast,” he says. “Is the board empowering (the CEO) to put the brakes on? I don’t think so. This is not a conversation about risks as much as it is a conversation about tradeoffs.”
Establishing Concrete Executive Authority
Soumya Banerjee, an associate partner at McKinsey, says boards today need to have a much more sophisticated understanding of risk and the concrete ways it is addressed.
“Boards still do have as much of an understanding about what the risks are as they need to. Risks are evolving today in such a rapid manner,” Banerjee said. “When the board says ‘low risk tolerance,’ that needs to set off a list of very tangible key risk indicators. Risk tolerance needs to be defined by the risk impact. There is a definite disconnect. Boards must represent cybersecurity in terms of risk tolerance in the right way — not in the abstract, but in very tangible ways. What are the tradeoffs? Do we have the money to do that?”
Andrew Morrison, the strategy, defense, and response leader at Deloitte, sees the key challenge with board risk acceptance being authority.
“The one thing that is truly missing is the proper decision-making authority in cybersecurity. Where we see incidents go south is where command and control decisions are murky. For example, who can decide to shut down the online presence?” Morrison says. “The board will declare low risk tolerance without an understanding of what that means for the organization. There needs to be a conversation around the extent to which the CISO and the security team are empowered to make the decisions.”
Legacy systems can undermine even the most ardently risk-averse board strategy, especially the subset of very old, expensive systems in manufacturing and other OT environments, says David Burg, the cybersecurity leader for Ernst & Young Americas.
“This involves a certain flavor of legacy where the CISO is told, ‘Don’t touch this stuff. It’s very sensitive and very old,’” Burg says. Any system that is out of bounds for IT and security is unpatched and unmonitored by definition, which makes it exactly the place an attacker will choose to hide malware and maintain persistence. Where such a system truly cannot be changed, the board should expect compensating controls around it, such as network segmentation and passive traffic monitoring, rather than a blanket exemption from oversight.
Setting Appropriate Shareholder Expectations
Boards also need to be careful and strategic about compliance needs when crafting a cyber risk appetite strategy, says Matt Tolbert, the cybersecurity and operational risk management leader for the Federal Reserve Bank of Cleveland.
Tolbert, who delivered a talk at the 2023 RSA Conference about the board issues involved in deciding such a policy, says setting such policies is important so that shareholders understand the level of risk the company is willing to tolerate. “It needs to be clear to everyone what those expectations are,” Tolbert says.
“What is appropriate for a third-party to do? Or when moving to the cloud? This is guidance as to whether it’s acceptable,” Tolbert says. One approach is to have deep risk discussions with potential partners to determine if the two companies have the same risk tolerance.
He also notes that the only practical risk tolerance levels are low, medium, and high. For legal reasons, a board can’t declare that it has zero risk tolerance: doing so would open the company up to being sued after a single breach, since any incident at all would contradict the declared position.