How to Navigate Cyber & Operational Risk Conversations with Your Board

To effectively manage cybersecurity risk, it's crucial for boards and C-suite executives, who may not have deep cyber expertise, to understand its implications across the entire organization. Cyber incidents can have enormous operational, financial, and reputational consequences, making cybersecurity an enterprise-wide risk requiring integrated alignment across executive, IT, security, and operations teams.

CISOs and other security leaders play a pivotal role in this alignment by emphasizing the need to integrate cyber risk into the overall risk management program and positioning cybersecurity as part of the operational risk management process, not just an IT function. Using plain business language focused on preventing losses, downtime, and safety issues helps draw the connection between internal risks, external risks, and business continuity, while avoiding overwhelming execs with technical details.

Here are some strategies a CISO or other security leader could use to help communicate the importance of managing cyber and operational risk to their executive team and board.

1. Use Real-World Examples

Operational risk refers to any situation that could cause a loss of view of, or loss of control over, your connected processes and functions, where that view or control cannot be recovered automatically or remotely after manipulation. Real-world examples of operational risk include ransomware that targets city infrastructure and commercial companies alike, tactics such as credential access and exploitation of remote access, and more tailored incidents in which capabilities are developed to attack specific vendor equipment.

A recent example of ransomware is the MGM Resorts and Caesars Entertainment incident, which impacted distributed operations, slot machines, ATMs, websites and bookings, and led to network shutdowns at an estimated cost of $100 million. The breach of the Aliquippa Water Authority in Pennsylvania targeted default password settings on equipment. And INCONTROLLER, a state-sponsored capability for compromising automation machinery, involved three separate tools designed to target a specific industrial environment.

Depending on your sector and environment, discussing a recent example of a significant cyber incident that could similarly impact your business or infrastructure can inspire conversation and cooperation around defenses and process, operational assumptions, incident response plans, and potential gaps in preparedness and resilience.

2. Illustrate the Business Impact

IT risks have historically been more likely to recur and to apply widely, are better understood, and therefore have established ways to assess consequences and remediation needs. Unfortunately, the attack surface does not end at those typical IT and business systems; it only begins there.

IT systems are also connected to operational technology (OT) and industrial control systems (ICS), which run custom-built operating systems to command and control things like motors, valves, pumps, tanks, and other machinery. A cyberattack could halt any of these components, or the processes that rely on them, leading to significant operational downtime.

These OT and ICS systems can be remotely targeted, or burrowed into via intermediary systems connected to the digital infrastructure required to do business in a competitive and hyperconnected world. Intermediary systems include servers, laptops and workstations, databases, and other systems that run commodity operating systems prone to attack. Such incidents could expose the company to safety and environmental concerns or incidents, financial losses, legal penalties, the erosion of customer or shareholder trust, and potential competitive losses. Every board needs to understand the significance of impacts to critical systems, components, and processes.

3. Explain Regulatory and Compliance Obligations

The regulatory landscape is fast-paced and constantly evolving. Boards require need-to-know updates and considerations about regional regulatory requirements that demand compliance with cybersecurity standards and best practices. With a bottom-line-up-front approach, emphasize that cybersecurity is essential for meeting these obligations and avoiding regulatory penalties. Underscore the potential for proactive investments to save on future incident costs, including downtime and losses, response and remediation costs, legal fees, and stakeholder management.

Distill the relevant regulatory information into “if, then” statements, such as:

  • If we want to comply with a specific regulation, then we need to deploy a specific security control.
  • If we want to invest in new technology, then we need to explore these security concerns.
  • If we cannot meet a certain regulatory commitment, then we need to document where, when, and why, as well as any compensating factors.
  • If we update systems to those more secure by design, then we still need to capture any gaps in device, network, and access controls.
  • If we want to embark on new verticals or regions, then we may also need additional resources for compliance and security.

Finally, even if compliance seems like a redundant topic, distill trends at the board level for continuous awareness and improvement. Current events to include as bullets in board updates are compliance updates, important dates and events for compliance or information-sharing groups, trend analysis, and geopolitical conflicts.

4. Incorporate a Risk Management Strategy

Modern businesses rely on a complex web of digital systems and processes that extend beyond the company's borders to partners, suppliers, and customers. Risk management strategies must contend with this level of complexity, as security risks in one area can quickly propagate, impacting the entire environment and business. Organizations can utilize different frameworks for identifying, assessing, and mitigating cyber risks across the organization. For example, the NIST Cybersecurity Framework or ISA/IEC 62443 can be effective when evaluating topics for assessment and investment.

Framing cybersecurity as part of the broader enterprise risk management (ERM) process helps to align it with other business risks the board is familiar with. Suggest establishing a board-level committee focused on cybersecurity and operational risk management. This demonstrates the board's commitment to addressing cyber risks and ensures ongoing attention to cybersecurity matters that transcend areas of the business. Stress the importance of fostering a culture of security awareness throughout the organization, emphasizing the significant impacts an attack or incident can have on safety, availability, and business continuity.

Interconnectedness and interdependence make cybersecurity an operational risk that affects every facet of your business. Boards need to be aware that compliance measures alone will not absolve companies of these risks, and that cybersecurity is incremental and constant, not a one-and-done tactical objective.

Using these tips, CISOs and other security leaders can effectively communicate why cybersecurity is an operational risk, not just an IT one, requiring commitment from the highest levels of leadership and emphasizing an enterprise risk management strategy that includes operational risk.