The market is awash with tactical advice on the things that organisations should do to manage cyber risk (awareness training, filtering suspicious emails, segregating and backing up sensitive data, patching software vulnerabilities, etc). This advice is instead aimed at senior executives, to help guide their organisations as they develop or mature their cyber security efforts.
- Have ‘skin in the game’: make those responsible for managing risk define the cyber risk management strategy. Avoid the mistakes made by financial sector regulators in, for example, allowing banks’ capital requirements to be set by the ratings agencies. Not only are ratings agencies not responsible for managing banking risk, but they are also susceptible to market pressure. It is they who set disastrously low risk ratings on new and lethal financial products like secured debt obligations, which caused the 2007 financial crisis. Executives need to have ‘skin in the game’.
- Compensate for the biases that mar our risk judgements: we trust celebrity endorsements, people in suits, and anything printed, especially charts and precise numbers, even when they are wrong. We are prone to the illusion of certainty. Our risk perception frailties are well documented. Acknowledge them and compensate for them.
- Support discretion over rules: cyber security based on compliance with rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard-setters consider to be generally appropriate, rather than a target capability. Excessive emphasis on codes of compliance rather than on responsibility gives rise to complacency and raises the risk of failure. Independently examine standards set by consensus and create a logical, defensible cyber risk strategy that is specific and appropriate to your firm.
- Adopt a barbell security strategy: a combination of high- and low-risk management strategies, avoiding the middle ground. Protect to the maximum extent possible the IT systems that host your critical data, and take more risk with the rest of your network.
- Rehearse what to do when a security incident happens: periodic testing of your security incident response fitness effectively vaccinates your firm against a breach and makes it “anti-fragile”. The companies that have shown the greatest resilience in the face of a security incident are those that have learned how to operate without internet access, or even without IT. Make provisions for rebuilding your IT from scratch.
- Insure yourself against the unanticipated: the only scenarios we can test are those we can anticipate, so put cyber insurance in place to protect you from unanticipated events.