What’s your cyber risk appetite?

How much cyber risk is your organization willing to take on? Knowing this “risk appetite” is an important element in the pace of the digitization of your organization.

Cyber resilience is the ability of your enterprise to keep its transformed business models efficient and effective in the face of increased IT system threats from nation states, criminals, competitors, insiders and the supply chain. This resilience also applies to legal, regulatory and political changes.

By assessing your organization’s business risk appetite, you can also ensure that its cyber risk appetite is aligned to help achieve your overall corporate strategy.

That said, an organization’s risk appetite or tolerance can be difficult to measure, in part because business units in an organization may view the same risk differently. For example, an opportunity that looks attractive to sales may seem overly risky to IT. This can lead to inappropriate levels of risk control being applied to people, processes and technology.

Appetite alignment

Fortunately, models are available to help enterprises navigate this terrain. As part of the toolkit for Board members, the World Economic Forum has established guidelines to help boards define and quantify their organization’s risk tolerance, ensuring consistency between its corporate strategy and its cyber risk appetite. These include:

  • Understanding the potential business impact of risk on both individual projects and business lines, as well as on the organization as a whole
  • Agreeing on risk appetite in light of shareholder, regulatory, customer and external perspectives, such as legal and regulatory considerations
  • Understanding how the balance between meeting business objectives on the one hand, and the operational cost and impact of cybersecurity on the other, is determined by risk appetite
  • Clarifying how the agreed-upon risk appetite should be applied to business decision making
  • Presenting the difference between agreed-upon risk appetite and actual risk tolerance on an annual basis

Managing the cyber resilience element of enterprise risk involves engaging both IT and business leaders in an ongoing dialogue about balancing risk vs. opportunity in the context of the business strategy.

This proactive approach is more effective than simply reacting to the news media’s latest “cyber scare.” By using a structured management framework, an organization can ensure that all its leaders, at all levels, understand both the organizational risk position and the competitive advantage of true cyber resilience.

Read more in the position paper, “Managing Enterprise Risk in a Connected World.”


Chris Moyer is the chief technology officer of Security at DXC Technology. He is responsible for technical strategy and innovation for advisory services, security operations, threat management, identity management, endpoint security, data protection, cloud security and enterprise risk management. Previously, Chris was CTO for Hewlett Packard Enterprise Services and vice president for Mobility and Workplace. He has incubated new services and built strategic technical alliances. @cd_moyer
