In recent years, there's only been a handful of data breaches within public companies that could be considered financially "material." These breaches include those often pointed to as examples in cybersecurity presentations: the 2013 Target breach, the 2017 Equifax breach, the 2019 Capital One breach, and most recently, the Colonial Pipeline incident. However, two breaches that will undoubtedly make this list occurred within the past few months, highlighting how critical cyber exposure management is to enterprise risk management.
The widely reported MGM Resorts International breach cost the casino operator an estimated $100 million, per its recent SEC 8-K filing. Not only was customer data exposed, but the attack caused significant operational disruptions, including guests losing access to their rooms and their ability to make reservations and use their credit cards.
While expensive, that breach appears (so far) to be much less costly than the $487 to $593 million the recent cyberattack that hit The Clorox Company cost. Per the company's preliminary Q1 financial information released on Oct 4, that attack also caused much of its manufacturing to slow for more than a month.
Despite such incidents dramatically impacting operations, earnings, customer data, and overall goodwill — cybersecurity is still viewed primarily as a technology risk and not an enterprise risk. However, these incidents show unequivocally how digital risks touch every aspect of a business and that cybersecurity risks must be treated as an integral part of overall enterprise risk management. However, it will require a dramatic mind shift among security professionals and business leaders. In this post, we show how cyber exposure management can be used to inform enterprise risk management efforts better.
During a recent conversation with Scott Crawford, information security research lead, S&P Global Market Intelligence, he noted how board members and business leaders historically have talked about how critical cybersecurity is to the business's overall health — but rarely walked that talk. "It's historically been a very one-sided conversation, with the board or business leadership expecting the CISO to magically understand what they need to be communicated to them to understand their cyber risk. It's not a one-way street. It's a two-way street, and boards need to start explaining to their security teams what they expect of them," said Crawford. "Security professionals, for their part, who often come from technical backgrounds, must learn to better translate technical risk into business risk," he said.
How cyber exposure management improves enterprise risk management
While security professionals can't immediately force the hands of boards of directors to help better guide them, there are things within CISO's control that they can use to communicate cyber risks to business leaders better. Crawford and other experts advise security teams to make the strongest business case they can get the resources they need to defend their organization successfully. While there are many ways to do this, cyber exposure management can help significantly reduce risk and help support the enterprise risk management program.
Consider the recent Clorox and MGM incidents, or at least what we know, and examine how an effective and continuous cyber exposure management program could have helped mitigate their risk. Both incidents have all of the hallmarks of a ransomware attack. While Clorox did confirm it was a ransomware attack, MGM has yet to do so. In ransomware attacks, cybercriminals use lateral movement to burrow deep into an organization and find the most valued targets to encrypt to maximize their extortion efforts. An effective exposure management program can make it much more difficult for attackers to move laterally in an organization. Most often, attackers move laterally by taking advantage of unpatched systems, misconfigurations with security implications, and using poor credential security and over-privileged accounts against the organization.
Cyber exposure management is the set of tools and processes that proactively identify, assess and address vulnerabilities that increase risk. The exposure management lifestyle involves mapping the attack surface, considering the attack surface for vulnerabilities, addressing those vulnerabilities, and rerunning an assessment to verify the remeditative measures are in place and to identify new vulnerabilities. That lifecycle continues indefinitely.
With an effective cyber exposure management program, the ability for attackers to move laterally becomes much more difficult, and the impact of such attacks can be significantly reduced. However, a cyber exposure management program can also be much more. By providing a comprehensive view of the digital risks that an organization faces, cyber exposure management can help elevate enterprise risk management discussions.
Much like exposure management, enterprise risk management is a set of tools and processes designed to identify, assess, and prepare for potential losses and harms that may interfere with an organization's operations and potentially lead to financial losses. While exposure management focuses on risks posed to the digital attack surface, enterprise risk management looks at all operational, financial, security, compliance, legal, and strategic risks. Enterprise risk management tries to evaluate risks to all of these facets of the business as interconnected rather than siloes.
Today, finding a digital risk that doesn't play a front-line role in enterprise risk is hard. This is where cyber exposure management can help CISOs map specific digital exposures to particular business risks. Examples include how vulnerable financial systems lead to increased fraud, financial risks, and regulatory risks. Digital vulnerabilities within the infrastructure that supports manufacturing lead directly to production risks. Some of these risks can only be narrowed down to a potential range of costs; others can be quantified down to the cost per minute of downtime. But they can be quantified.
In this way, exposure management supports the enterprise risk management efforts. By viewing cyber exposure management in this way, CISOs can also:
Provide a greater awareness of risks:
ERM encompasses all areas of organizational exposure to risk, including financial, operational, reporting, and compliance, providing a more comprehensive view of the risks that an organization faces. Today, cyber exposures play a role in increasing risks across these areas.
Enhance the ability to respond to risks as they arise:
By identifying all the risks an organization faces, including underlying digital risks, ERM can help management decide which risks to manage actively and how to respond to them.
Promote discussion of risk at all levels:
ERM informed with cyber exposure management can increase overall risk awareness within enterprises and encourage risk discussions within all levels of management.
For example, a retailer would use exposure management to identify digital risks in its supply chain or eCommerce transactions that could lead to financial theft or reporting disruptions. Threats to an engineering firm could affect its operations, negatively impacting new strategic efforts such as changing business models, new digital services, etc.
The key is moving beyond simply focusing on exposures and vulnerabilities and how those exposures could harm business value. "Much attention is being paid to the measurement aspects of cybersecurity right now. This is a good thing. People need to learn how to measure the tangible benefits of security investment, such as business enablement and cost avoidance. It has to be done in a way that makes sense to them by tying specific technological risks to specific negative business outcomes with a range of impact costs," says Crawford. By tying cyber exposure management with enterprise risk management efforts, organizations can do precisely that.