Cyber risk is a business risk

The line between business risk and cyber risk is being obliterated. Increasingly, risk models built around financial uncertainty and legal liabilities can’t be separated from IT security risk. For Risk Management Officers that translates to keeping the company Chief Security Officer (CSO) on speed dial.

Cyber risk as business risk isn’t new. For example, cybersecurity compliance — be it regulatory or industry specific — has long been a reality for organizations. But trends tied to a new post-pandemic reality for employees and businesses will accelerate the blurring of cyber and business risk lines.

Those trends include the pace of globalization, heavy reliance on supply chains, new adversarial tactics and geopolitical targets, cloud dependencies, an economic downturn and the slow migration of employees back to the office. The list is long, but the confluence is forcing organizations to look beyond traditional definitions of risk exposure, assessment, mitigation and monitoring.

Meanwhile C-level security and risk leaders are taking a fresh look at cybersecurity liabilities as regulators take a more aggressive stance against companies that they believe are being negligent when it comes to breaches. There are even instances where a CSO has faced criminal charges tied indirectly to a breach.

Dozens more 2022 breach examples have caught the attention of regulators and class-action attorneys. Financial penalties paid over the past year serve as harbingers of choppy waters ahead for companies that fail to properly safeguard the private information of its customers, resulting in a cyberattack and a data breach.

Arguably, each of these firms misgauged or couldn’t identify risk in their attack surface pre-attack and then wrongly assessed additional risks tied to the post-attack “what-if” scenarios.

Cyber defenses need to address compliance, architecture and post-breach scenarios. But that can’t be all they do. They also need to focus on preventing the cyberattack in the first place. This requires more emphasis on the “attacker’s perspective” of identifying and mitigating external attack surface security blind and weak spots.

The business imperative is always “don’t be breached;” however, there is no such thing as operating a business without operational risk and that includes breaches. That risk can translate to dollars and cents. The average cost of a data breach in 2022 was $9.4 million in the United States, according to a data breach report by the Ponemon Institute.

No return to ‘normal’ post pandemic

In addition, employers are grappling with a post-pandemic whiplash of employees slowly returning to offices, coupled with the Great Resignation of 2022, which is now sliding into what is being called the Great Reset of 2023. This trend is tied to corporate belt tightening related to shifting macroeconomic conditions.

Underlying conditions will likely push IT operations teams to rejigger their IT stacks. Organizations will continue to upgrade and change infrastructure. They will move away from any hastily built pandemic-driven solutions and, instead, will likely prioritize creating more sustainable, affordable and easier-to-manage systems.

However, such changes introduce risk. As internal IT restructuring plays out over coming months, security teams will be forced to juggle supporting an old platform and bringing a new one online at the same time. Managing this switch creates massive risk as even the smallest misconfiguration or overlooked asset can leave holes in a company’s external attack surface and risk profile.

Adding to those adjustments is how organizations get their arms around an external attack surface that has been forever changed by the past three years of the pandemic. Gartner’s advice given in 2021 is still relevant today to risk stakeholders: “Operational support for cloud offerings will need to be maintained while working remotely or with less staff and supply chains will be affected by short supplies due to manufacturing facilities being based in China and other areas impacted by current events.”

Third-party cybersecurity risk may be defined as an organization's reliance on vendors in their supply chain and any partner or subsidiary, including IT service providers, cloud environments and Software as a Service (SaaS) applications. Third-party risk is also posed by downstream and upstream vendors that work with the partners and subsidiaries of the organization.

External forces pose new risk landscape

Globalization is making the world a riskier place, asserts Secretary of Homeland Security Alejandro Mayorkas. In a speech given in December 2022, he said the U.S. faces a “new kind of warfare,” one that makes no distinction between private and public organizations.

“Economic and political instability and our globalized economy have erased borders and increasingly bring threats and challenges directly into our communities — to our schools, hospitals, small businesses, local governments and critical infrastructure,” he said.

Examples include a suspected Russian-backed cyberattack against U.S. satellite firm Viasat early in the Ukraine war and, more recently, Chinese-linked hackers APT41 for stealing at least $20 million in COVID relief benefits.

Responding to this riskier geopolitical pressure has been a wave of new federal and private regulations around risk identification, risk analysis and assessment, and risk mitigation and monitoring.

This past year, the Cybersecurity and Infrastructure Security Agency (CISA) issued the Binding Operational Directive (BOD) 23-01, which mandates that federal agencies identify assets in their attack surface and improve vulnerability detection and remediation capabilities by April 3, 2023.

It goes well beyond this and requires an automated asset discovery (within an organization’s entire IPv4 space) every seven days. Agencies are also required to run a vulnerability assessment for all endpoints and network and mobile devices every 14 days.

Industry standards tied to cybersecurity compliance, such as SOX, HIPAA, HITRUST, PCI and CIS, have each recently revised guidelines addressing the newest healthcare-related cyber threats that are keeping security teams on their toes. However, while compliance is important, it’s not enough.

If you cannot manage your risk, you cannot thrive. Cybersecurity risk management is a component of IT risk management where a cybersecurity lens is placed on the IT infrastructure.

Shifting focus

The threats that keep Chief Executive Officers (CEOs) up at night are those that will have a material impact on their business, according to a 2022 PwC survey of CEOs. In the survey, CEOs shared with PwC that they are most concerned about cyber risks (49%). “CEOs are most worried about the potential for a cyberattack or macroeconomic shock to undermine the achievement of their company’s financial goals — the same goals that most executive compensation packages are still tied to,” PwC found.

That focus on critical business activities is a priority that begs the questions: What’s likely to be attacked and why, what exploits might an attacker use to strike and what effect will it have on business continuity? Addressing business risk requires identifying cyber risk. Moving business leaders to the center of the cybersecurity conversation is about good digital stewardship, business leadership and staying out of the red.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.