Cyber Balance Sheet Reveals Risk Appetite Struggles in the Boardroom

October 30, 2018

Wider breach awareness fosters more security conversations, yet commonly used board metrics and reporting formats make identifying and managing risk appetite difficult

TAMPA, FL – Focal Point Data Risk, an integrated risk management firm, today announced the release of the second annual Cyber Balance Sheet Report, a closely watched research study using in-depth surveys and interviews of corporate board members and chief information security officers (CISOs) to offer a rare window on the state of cyber risk management in the boardroom. The Report is independently produced by the Cyentia Institute, a cybersecurity research firm, co-founded by Dr. Wade Baker, widely known for creating the landmark Verizon Data Breach Investigations Report (DBIR).

This year’s Cyber Balance Sheet Report findings reveal a complex risk management sequel to the inaugural 2017 edition, which tracked cyber risk as an escalating oversight issue among boards. The 2018 report reveals that wider awareness of risks – including third-party data breaches, ransomware and geopolitical conflicts – spurs more security dialogue in the boardroom. However, C-Suite and security leaders struggle to frame risk in productive decision-making terms and keep an eye on whether companies are operating within their proper risk appetite.

“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national Cybersecurity Practice leader. “The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”

The Report organizes CISO and executive insights along seven “balance points” that reveal key differences on issues including: whether boards view cybersecurity as a unique risk or as an extension of other hazards; the different metrics and reporting structures boards and CISOs use in briefings; varying approaches to identifying risk appetite and exposure; and what board members say instills satisfaction and confidence in security programs.

Key insights include:

  • Many organizations have not formally established a cyber risk appetite: Risk appetite is defined as the amount and type of risk an organization is willing to accept. It is the responsibility of boards and C-Level executives to weigh risk appetite against growth opportunities. Yet fewer than half of participants could describe their risk appetite quantitatively, preferring terms like “very low” instead. This makes it difficult to identify and track risk appetite over time as business and technology forces continually change operations.
  • More metrics can muddy what matters most: “Security incidents and losses,” “compliance status” and “security program maturity” are the top three most-reported metrics to the board. Surprisingly, “third-party and supply chain,” “risk appetite” and “external threat trends” were reported less frequently – despite their urgency for decision-making and frequency in data breach headlines.
  • Finding the magic “return on reporting”: The report objectively examines reporting and conversation topics in the boardroom, using visualizations to chart how often each topic occurs against the depth of the resulting dialogue and the value participants report. For example, “compliance” is one of the most frequently reported topics, yet respondents give it a particularly poor “return on reporting” because it ultimately spurs little discussion and value. Conversely, “security governance and resources” surfaces less frequently, though participants report more conversations and greater value around the topic.

“This latest report shines a light on remarkable progress and stakes surrounding how boards and security teams interface and support one another,” added Baker, the lead Cyber Balance Sheet Report researcher. “The data show cyber risk is still an emerging area for boards with more experience facing other existential threats. However, there is wider recognition that IT is a risk vector for everything that keeps leaders up at night, from regulatory issues and protecting trade secrets to reputational matters and avoiding lawsuits. The report shows we are crossing a key threshold where boards realize that requesting metrics and asking more security questions only helps to a point. The new premium is on each board, C-Suite and security team determining the most important issues for them to productively set their risk appetite course and navigate appropriately.”

The complete Cyber Balance Sheet Report is available for download here.

Follow Focal Point Data Risk

Twitter: @focalpointdr

About Focal Point Data Risk

Focal Point Data Risk is an integrated risk management firm delivering a unified approach to addressing data risk through a unique combination of service offerings. Focal Point brings together industry-leading expertise in cybersecurity, identity governance and access management, data privacy, analytics, internal audit, and hands-on training services – giving clients everything they need to plan and develop effective risk and security programs. By integrating these services, we provide the resources necessary for protecting and using data across entire organizations. Simply put, Focal Point is the next generation of risk management.


Media Contacts:
Tom Resau
W2 Communications