Cybersecurity lapses continue to make headlines and undermine the fiscal health and reputation of the targeted organizations. Executives are under constant pressure to accommodate all the demands made on them.
Providing even a little leadership on cybersecurity rarely fits on an already full to-do list. Meetings with IT specialists often frustrate executives for one or more of the following reasons:
- Overloaded with detail and analysis.
- Long-winded presentations.
- Overstated risks.
- Few actionable recommendations.
- Complex, long-running implementation plans.
- Expensive spending recommendations.
Executives can replace these excruciatingly ineffective meetings with this simple formula for understanding and then reducing the risk of cybersecurity incidents.
Cybersecurity risk = Threats x Vulnerabilities
Executives can use this generic formula to assess many risks to business continuity. Here we'll apply it to focus the cybersecurity risk discussion with IT specialists. The multiplication is the point: a threat with no matching vulnerability, or a vulnerability that no credible threat is positioned to exploit, contributes little risk, so effort belongs where the two overlap. (Some risk frameworks also weight the result by the impact of an incident; the two-factor form is enough to focus the conversation.) Using this formula will first lead to clarity about the nature of the cybersecurity risks the organization is facing. Clarity can then lead to targeted actions that expeditiously and cost-effectively reduce cybersecurity risk.
First, start by listing cybersecurity threats to your organization and the surrounding environment. Example threat assessment questions include:
- Do you sell products that organized crime finds easy or lucrative to resell? This threat increases the risk of attackers hijacking your shipments and using fake customers to fraudulently purchase your products.
- Do you own intellectual property or store private information that attackers can resell easily? Typical examples include proprietary designs or processes and personal information including credit card numbers and social insurance numbers. This threat increases the risk of attacks that cause data breaches.
- Do you have low employee morale or high turnover? This threat increases the risk of insider attacks to steal products or embarrass your organization publicly.
- Does your organization own a widely recognized brand that is prone to attacks from script kiddies or other unsophisticated attackers motivated by vandalism and social media notoriety? This threat increases the risk of website defacement and damage to your data.
- Does the existence of your organization annoy some nation states or terrorist organizations? This threat increases the risk of attacks that interfere with your business continuity.
- Are you experiencing high turnover in your IS department? This turnover creates the risk of losing organizational knowledge about how your systems are configured and defended.
- Are your operations at risk of being disrupted by attacks against others such as the electrical utility, important suppliers or neighboring organizations? These threats can cause collateral damage to your balance sheet.