Threatonomics

The Rise of The Cyber Resilient Leader

Navigating digital opportunity and loss while under duress

by Rob Brown , Sr Director of Cyber Resilience

Resilience (n.)

  • 1620s, “act of rebounding or springing back.” From Latin resiliens, “to rebound, recoil.” In physical sciences, the meaning “elasticity, power of returning to original shape after compression, etc.” by 1824. – Online Etymology Dictionary

The Risk Of Isolation

In the not too distant past, when capital flowed and postponing profitability was a badge of honor, finance teams transferred risk and security teams mitigated it – often in complete isolation. They didn’t align their objectives – nor were they motivated to do so. After all, times were good and nobody seemed to care – until now.

“Corporate and infrastructure cybersecurity budgets are increasingly under pressure amid reduced revenue outlooks owing to economic uncertainty… Cybersecurity investment is not immune to overall budget cuts that could increase downside risk of attacks” – Fitch Ratings

Due to severe financial headwinds, security budgets are now scrutinized and the value of insurance is brought into question. This is also done in isolation – which courts catastrophe. As budgets for security controls get cut, the likelihood of compromise grows. Similarly, as insurance investment shrinks, the likelihood of loss grows. One cost-cutting effort compounds the other.

The Need For Shared Objectives

When isolation of responsibility and financial duress meet, cost cutting naturally follows. The knife is raised without an integrated view of what the organization’s risks actually cost. Leadership calls it risk acceptance. But can risks truly be accepted when they haven’t been calculated? No. That is nothing more than unstructured worry, like someone praying to Fortuna (lady luck) in the hope of avoiding a bad day.

The good news is that you can structure and manage your worries. It requires finance and security to share, align, and prioritize strategic objectives. Those objectives consider how business opportunity and risk mitigation work together – particularly when under duress – and support making informed trade-offs when necessary. We call this alignment of objectives Cyber Resilience.

The Call To Cyber Resilience

To be successful in this digital economy, a company must now be Cyber Resilient and integrate its risk mitigation, risk acceptance, and risk transfer so it can take a hit without impacting its ability to deliver value. This requires operating from a core set of principles and practices that tear down the walls of isolated objectives, leading to an integrated and economically efficient approach to managing cyber risk.

The Five Principles Of Cyber Resilience

Cyber Resilience tolerates losses – within limits. This is different from most security strategies, which portray complete loss elimination as an end goal. Operating with shared, aligned, and prioritized objectives reveals what the business can tolerate losing – without incurring operational disruption. For example, “With this configuration of controls, we can live with a 5% chance of losing $10 million and a 1% chance of losing $25 million…”

Cyber Resilience connects security with insurance – avoiding silos. Security investments reduce the likelihood of loss. Insurance investments reduce impact. They work together (as opposed to in isolation) to keep risk within tolerance. That means they consider both the probabilities and dollar-based impacts expressed above as important trade-offs.

Cyber Resilience seeks capital efficiency – while preventing hazards. Over- or under-investing in protection leads to distraction – or worse. The former takes needed capital away from important business opportunities. The latter (negligence) threatens the business with outsized losses. Resilience optimizes return on controls and insurance so you can keep risk within your tolerance. The goal is to have a set of rank-ordered strategies that satisfy your needs while avoiding the pitfall of moral hazard.

Cyber Resilience makes cybersecurity visible – so it can be managed. Keeping risk within tolerance requires seeing what’s coming, counting the costs, and responding in kind. This starts with the integrated trio of threat intelligence, vulnerability management, and incident response. Security data is analyzed in relation to the financial losses your business may face. Losses include things like: a data breach, business disruption, extortion, wire-fraud and more. Analysis leads to optimized decisions – decisions that cut across investment strategies and day-to-day security operations.

Cyber Resilience incentivizes cyber hygiene – by maximizing ROI. What is good cyber hygiene? It’s security controls that target the value at risk. It’s also controls that meet industry standards – thus avoiding the perception of moral hazard. Control acquisition and rollout is rank-ordered based on return on investment (ROI). High-ROI controls reduce the most loss at the lowest cost. Maximizing ROI allows for more controls spread across more risks – which leads to better cyber hygiene. As an added bonus, demonstrable cyber hygiene leads to better insurance terms.

The Practices Of Cyber Resilience

If you want to be a cyber resilient leader, you need to not only embrace the principles of cyber resilience – you must develop the following practices:

Risk Superforecasting: Cyber resilient leaders are trained (like bookies) in risk forecasting. They use their forecasting skills to make accurate measurements and judgements about important (and often uncertain) events that can affect key objectives.

Calculating Value at Risk: Cyber resilient leaders know how to accurately gauge the potential losses they face from threats. Using superforecasting skills they assess the probabilities that threats materialize, and then evaluate the range of losses that may occur to the value their businesses expose.

Resilient Strategy Design: Cyber resilient leaders create strategies that minimize both the likelihood and impact of compromise. Strategies are economically efficient combinations of controls and insurance that keep risk within tolerance without introducing moral hazard.

Resilient Operations Measurement: Cyber resilient leaders know how to measure their operational strategies when put into action. Visibility coming from threat intelligence, the state of cyber hygiene, and value-at-risk is continuously analyzed. If risk tolerance is threatened, actions are taken to bring risk back within tolerance by adjusting security controls and insurance.

Resilient Communications: Cyber resilient leaders are trained to effectively quantify, qualify and communicate about cyber risks. They tell the money people and board what is needed and why (in economic terms) – and they have the operational data and analytics to defend their budgets when scrutinized.
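The tolerance statement from the principles above (a 5% chance of losing $10 million, a 1% chance of losing $25 million) and the value-at-risk, strategy-design and operations-measurement practices can be made concrete in a small model. The following is an added example, not code from the post or from Resilience; the scenario probabilities, control effects, costs and insurance terms are all constructed, and scenarios are assumed independent.

```python
# Added example (not from the post or from Resilience); every figure below is constructed.
# Annual loss scenarios: name -> (probability the event occurs, loss in USD if it does).
SCENARIOS = {
    "data_breach":         (0.10,  8_000_000),
    "business_disruption": (0.05, 10_000_000),
    "extortion":           (0.06, 25_000_000),
}
# Tolerance in the post's form: at most a 5% chance of losing $10M+ and a 1% chance of $25M+.
TOLERANCE = [(10_000_000, 0.05), (25_000_000, 0.01)]
# Candidate controls: name -> (scenario addressed, likelihood reduction, annual cost in USD).
CONTROLS = {
    "mfa_everywhere":      ("data_breach",         0.5, 100_000),
    "backup_and_recovery": ("business_disruption", 0.6, 150_000),
    "edr_rollout":         ("extortion",           0.5, 200_000),
}

def exceedance_probability(scenarios, threshold):
    """P(at least one independent scenario with loss >= threshold occurs in the year)."""
    p_none = 1.0
    for p, loss in scenarios.values():
        p_none *= (1 - p) if loss >= threshold else 1
    return 1 - p_none

def within_tolerance(scenarios, tolerance=TOLERANCE):
    # Every (loss threshold, max probability) pair must hold; epsilon absorbs float rounding.
    return all(exceedance_probability(scenarios, t) <= p + 1e-12 for t, p in tolerance)

def expected_loss(scenarios):
    return sum(p * loss for p, loss in scenarios.values())

def apply_control(scenarios, scenario, reduction):
    """A security control lowers the likelihood of one scenario (impact is unchanged)."""
    p, loss = scenarios[scenario]
    return {**scenarios, scenario: (p * (1 - reduction), loss)}

def apply_insurance(scenarios, retention, limit):
    """Insurance lowers impact: the insurer pays the loss above `retention`, up to `limit`."""
    return {name: (p, loss - min(max(loss - retention, 0), limit))
            for name, (p, loss) in scenarios.items()}

def control_roi(scenarios, scenario, reduction, annual_cost):
    """ROI = (expected loss avoided - cost) / cost, the basis for rank-ordering rollout."""
    avoided = expected_loss(scenarios) - expected_loss(apply_control(scenarios, scenario, reduction))
    return (avoided - annual_cost) / annual_cost

def rank_controls(scenarios, controls):
    return sorted(controls, key=lambda c: control_roi(scenarios, *controls[c]), reverse=True)

def resilient_strategy(scenarios, controls, retention, limit):
    # Controls cut likelihood, insurance cuts impact; the combination is what is checked.
    for scenario, reduction, _cost in controls.values():
        scenarios = apply_control(scenarios, scenario, reduction)
    return apply_insurance(scenarios, retention, limit)
```

With these constructed figures, the controls alone still breach the 1%/$25M limit and the insurance alone still breaches the 5%/$10M limit; only the combination returned by `resilient_strategy` sits within tolerance, which is the point the principles make about security and insurance working together.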

Creating a new role around Director, Cyber Resilience

We believe that the principles and practices of cyber resilience necessitate a new leadership role. We are notionally calling it the Director, Cyber Resilience. It sits between finance, security and risk management. The role’s leveling is based on the dual strategic and operational nature of the job.

Strategically, the Director is responsible for developing a cyber resilient strategy. That is an executive function that collaborates across CFOs, Risk Managers, and CISOs.

Operationally, the job includes ample analytics to support decision making and alerting. Visibility coming in from security operations such as threat intelligence, vulnerability management, and incident response is analyzed in relation to value exposure. Results from the analytics are used to determine (and alert) whether risk is out of tolerance.

Ultimately, the Director’s objective is keeping cyber risk within tolerance. They are accountable to governing that process. That means they work with the responsible organizations by doing the following:

  • Advocating for cybersecurity capabilities that are economically efficient, target value at risk, and avoid moral hazard – all informed by continuous operations analysis and backed by a resilient strategy.
  • Recommending changes to insurance limits and related coverage – helping to keep risk within tolerance in conjunction with recommended cybersecurity capabilities.
  • Transferring and/or mitigating risk that has been accumulated under the guise of “risk tolerance” and that can lead to loss and the ensuing perception of moral hazard.

Conclusion

“Necessity, the mother of all inventions.” – Plato.

Risk leaders must make trade-offs. They must respond responsibly to economic headwinds. And they must react to the myriad threats created by digital transformation. A cyber resilient leader makes those trade-offs without exacerbating loss or incurring moral hazard. They operate from a set of principles that emphasize building economically efficient strategies. Efficiency maximizes return on security controls and insurance together – protecting the value the business puts at risk. In day-to-day practice, the resilient leader uses modern analytics fueled by increased cyber visibility – responding to risk that threatens to exceed business tolerance.

This is how the resilient principles and practices define “The Cyber Resilient Leader.” It’s a modern role for modern organizations – purposed to navigate trade-offs while staying resilient in the face of financial and digital duress.
