THE CHALLENGE
Despite the billions spent on cybersecurity, the damage done by breaches keeps growing, to an extent because companies don't recognize or understand their critical cyberrisks.
Over the past few years the costs and consequences of cyberbreaches have grown alarmingly. The total financial and economic losses from the 2017 WannaCry attack, for instance, were estimated to reach $8 billion. In 2018 Marriott discovered that a breach of its Starwood subsidiary's reservation system had potentially exposed the personal and credit-card information of 500 million guests. Hackers seem to keep getting more effective. But in our experience as consultants to clients across the globe, we've found another reason that companies are so susceptible to threats from hacking: They don't know or understand their critical cyberrisks, because they're too focused on their technological vulnerabilities.
When cybersecurity efforts address only technology, the result is company leaders who are poorly informed and organizations that are poorly protected. Discussions of cyberthreats end up being filled with specialized tech jargon, and senior executives can't participate meaningfully in them. The responsibility for addressing risks then gets relegated entirely to cybersecurity and IT staff, whose attention falls mainly on corporate computer systems. The outcome tends to be a long, ill-prioritized list of mitigation tasks. Since no company has the resources to fix every cybersecurity problem, important threats can go unaddressed.

A more fruitful approach is to adopt the view that cybersecurity should focus more on threats' potential impact on a business's activities. Say you're an executive at a chemical company. Instead of asking what cyberattacks might be possible on your computer systems, ask, How could a cyberattack disrupt your supply chain? Or expose your trade secrets? Or make you fail to meet your contractual obligations? Or cause a threat to humanity? That adjustment might seem minor, but when leaders start with crucial activities, they can better prioritize the development of cyberdefenses.

A CEO we worked with, Richard Lancaster of CLP, Asia's third-largest electricity provider, described the shift in mindset this way: "Initially, we viewed cyberrisks primarily as an IT issue. Over time we realized that what was really vulnerable was our electric grid and generating plants. Now we recognize that cyberrisk is really business risk—and my job as CEO is to manage business risk." With this perspective, responsibility shifts from IT to senior executives and boards, who must take an active role and ensure that cybersecurity teams focus on the right threats.
Developing Cyberthreat Narratives

Identifying and fixing cyberrisks is a social process. To accurately assess where the most important ones lie, you must consider the viewpoints and opinions of a wide range of employees. By involving a broad group, you'll build a common understanding of the critical facts and details early on, which will enable you to reach consensus when you subsequently need to manage the risks.

To help companies organize and share the relevant information with a wide audience, we've developed a tool we call a cyberthreat narrative. It addresses the four parts of the story of a potential cyberattack: a key business activity and the risks to it; the systems that support that activity; the potential types of attacks and possible consequences; and the adversaries most likely to carry attacks out. Outlining details about all four will help companies recognize and prioritize their risks and prepare remedial actions.

The people in your cybersecurity group should take charge of developing cybernarratives, but they should solicit contributions from:

• Leadership. The CEO, the executive team, and other senior executives. Meetings with executive leaders are critical, but they don't need to be time-consuming; scripting the interviews and discussions carefully will make them more efficient and easier to document.
• Operations. Personnel involved day to day in the central business activities.
• IT systems. People responsible for the administration of the computing systems supporting the activities.
• Relevant specialists. Staffers with expertise related to the type and consequences of the particular kind of threat you're outlining, such as legal, public relations, human resources, and physical security employees. For example, if a narrative is about an attack that results in a loss of personal data, you'd want to include the legal team in your discussions because of the possibility of a regulatory violation.

Let's look now at each element of a cyberthreat narrative, how to develop it, and who should be involved.
Critical Business Activities and Risks

To identify these, the cybersecurity team should interview the company's leaders; examine its written statements of risk tolerance, such as those found in annual reports; and consider company objectives, such as revenue targets or growth in new markets. A revenue goal, for example, could be dependent on new-product development or expanded service offerings. Entering a new country might be essential to increasing the customer base. Critical activities can be outside the organization, relate to internal operations, or involve the company's strategic future. For the chemical company, a critical activity could be, say, the manufacture of polyester resins, a specialty product in high demand.
November-December 2019