The Board’s Role in Managing Disruptive Risk: Enter Security Ratings

Jake Olcott | April 12, 2019 | tag: Security Ratings

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change.

However, while disruptive risks are the main concern for directors, their confidence in corporate risk management is low. As risks continue to evolve, the way corporate directors and their organizations handle them must evolve as well.

One unique aspect of disruptive risks is that they are usually very subjective and can be riddled with cognitive biases. It is critical that organizations have objective, independent data that allows them to both report on and understand cybersecurity. In addition to traditional security assessment practices (like penetration tests, questionnaires, etc.), security ratings can offer an objective, quantifiable measurement of an organization’s security posture that the Board can understand in the context of industry, region, or competitive peer group.

When we look at disruptive risk — particularly cyber risks or incidents — it’s no secret that organizations are being held to significantly higher standards of cybersecurity outcomes than ever before. Regulatory bodies, Boards, and executive teams are driving oversight and accountability, seeking to prevent the inevitable backlash from customers, business partners, and regulators for a failure to meet cybersecurity industry-wide standards of care.

Security and risk leaders are challenged with trying to understand what constitutes a reasonable industry-wide standard of care when it comes to cybersecurity performance. What was good enough yesterday may not be today, and will almost certainly not be good enough next year. Moreover, the traditional approaches to cybersecurity performance metrics are limited in scope, point-in-time and subjective in nature, and not comparative.

As a result, security and risk leaders are forced to make important decisions about their cybersecurity programs based on an incomplete set of data. This lack of visibility and context can often result in ineffective spend and misalignment of resources.

Using security ratings to manage security performance helps security and risk leaders take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program, enabling broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk. Using the security rating as this baseline metric of cybersecurity program performance, security and risk leaders finally have an objective, independent and broadly adopted key performance indicator (KPI) to continuously and efficiently assess security posture, set program goals, track progress, and report meaningful information to executives and ultimately to you, the Board.

This blog was originally published on the NACD Board Blog.
