Open communication channels are critical to organizations’ cyber-risk management strategies, according to Michael Siegel, principal research scientist at MIT Sloan School of Management. Yet board reporting by CISOs about the risk of cyberattacks is only now becoming a regular practice.
“The understanding of cyber risk and the reporting of cyber risk to the board was perhaps nonexistent, except at the top-tier financial companies,” said Siegel, also the associate director at MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity.
As data breaches and ransomware attacks have become regular items in news headlines, however, board demand for more cyber intel is increasing. “Now I’m hearing report quarterly, report monthly. I’m hearing the CISO reporting and working on risk assessment presentations to the board.”
Communicating about the threat of cyberattacks is complicated, Siegel said, because other risks organizations face — the potential of getting hit with lawsuits, say, or sustaining property damage after a natural disaster — are managed in the risk management office, with efforts typically led by a chief risk officer or the CFO.
Those executives and the CISO have different views of cyber-risk management, he said. Take cyber insurance, also known as cyber liability insurance coverage, which can help organizations offset the financial damage of a data breach. About a third of U.S. companies have policies now, according to a PwC report, but the market is growing and is projected to hit $7.5 billion by 2020.
It’s CFOs and CROs who are fueling that interest. CISOs — not so much.
“To the CISO — I’ll overstate this — but cyber insurance really doesn’t mean anything,” Siegel said. “It’s something the CFO does to manage the ultimate risk of the company. To the CISO, that my systems work and that I’m not attacked and that we don’t have downtime — the operational aspect of keeping things running — is the major significance.”
The CISO, then, is perhaps in a better position to understand the risk of, say, introducing new technologies in the organization, he said, which highlights the importance of clear communication between the IT security chief and the CFO in guarding against cyberattacks.
“They have to understand how to speak to each other and make the two things work.”
MIT’s Michael Siegel discusses more about cyber-risk management — including the “inverse ROI” of not investing in cybersecurity — in this SearchCIO interview.