THE CHALLENGE

Despite the billions spent on cybersecurity, the damage done by breaches keeps growing, to a great extent because companies don't recognize or understand their critical cyberrisks.

The costs and consequences of cyberbreaches have grown alarmingly. The total financial and economic losses from the 2017 WannaCry attack, for instance, were estimated to reach $8 billion. In 2018 Marriott discovered that a breach of its Starwood subsidiary's reservation system had potentially exposed the personal and credit-card information of 500 million guests. Hackers seem to keep getting more effective. But in our experience as consultants to clients across the globe, we've found another reason that companies are so susceptible to threats from hacking: They don't know or understand their critical cyberrisks, because they're too focused on their technological vulnerabilities.

104 November-December 2019

When cybersecurity efforts address only technology, the result is company leaders who are poorly informed and organizations that are poorly protected. Discussions of cyberthreats end up being filled with specialized tech jargon, and senior executives can't participate meaningfully in them. The responsibility for addressing risks then gets relegated entirely to cybersecurity and IT staff, whose attention falls mainly on corporate computer systems. The outcome tends to be a long, ill-prioritized list of mitigation tasks. Since no company has the resources to fix every cybersecurity problem, important threats can go unaddressed.

A more fruitful approach is to adopt the view that cybersecurity should focus more on threats' potential impact on a business's activities. Say you're an executive at a chemical company.
Instead of asking what cyberattacks might be possible on your computer systems, ask, How could a cyberattack disrupt your supply chain? Or expose your trade secrets? Or make you fail to meet your contractual obligations? Or cause a threat to humanity? That adjustment might seem minor, but when leaders start with crucial activities, they can better prioritize the development of cyberdefenses.

A CEO we worked with, Richard Lancaster of CLP, Asia's third-largest electricity provider, described the shift in mindset this way: "Initially, we viewed cyberrisks primarily as an IT issue. Over time we realized that what was really vulnerable was our electric grid and generating plants. Now we recognize that cyberrisk is really business risk—and my job as CEO is to manage business risk." With this perspective, responsibility shifts from IT to senior executives and boards, who must take an active role and ensure that cybersecurity teams focus on the right threats.

Developing Cyberthreat Narratives

Identifying and fixing cyberrisks is a social process. To accurately assess where the most important ones lie, you must consider the viewpoints and opinions of a wide range of employees. By involving a broad group, you'll build a common understanding of the critical facts and details early on, which will enable you to reach consensus when you subsequently need to manage the risks. To help companies organize and share the relevant information with a wide audience, we've developed a tool we call a cyberthreat narrative. It addresses the four parts of the story of a potential cyberattack: a key business activity and the risks to it; the systems that support that activity; the potential types of attacks and possible consequences; and the adversaries most likely to carry attacks out.
Outlining details about all four will help companies recognize and prioritize their risks and prepare remedial actions. The people in your cybersecurity group should take charge of developing cybernarratives, but they should solicit contributions from:

+ Leadership. The CEO, the executive team, and other senior executives. Meetings with executive leaders are critical, but they don't need to be time-consuming; scripting the interviews and discussions carefully will make them more efficient and easier to document.
+ Operations. Personnel involved day to day in the central business activities.
+ IT systems. People responsible for the administration of the computing systems supporting the activities.
+ Relevant specialists. Staffers with expertise related to the type and consequences of the particular kind of threat you're outlining, such as legal, public relations, human resources, and physical security employees. For example, if a narrative is about an attack that results in a loss of personal data, you'd want to include the legal team in your discussions because of the possibility of a regulatory violation.

Let's look now at each element of a cyberthreat narrative, how to develop it, and who should be involved.

Critical Business Activities and Risks

To identify these, the cybersecurity team should interview the company's leaders; examine its written statements of risk tolerance, such as those found in annual reports; and consider company objectives, such as revenue targets or growth in new markets. A revenue goal, for example, could be dependent on new-product development or expanded service offerings. Entering a new country might be essential to increasing the customer base. Critical activities can be outside the organization, relate to internal operations, or involve the company's strategic future. For the chemical company, a critical activity could be, say, the manufacture of polyester resins, a specialty product in high demand.