How Boards Can Set Enforceable Cyber Risk Tolerance Levels

Boards love to say they have low risk tolerance, but are they willing to make the expensive and painful decisions to make it truly happen?

It is becoming common for boards of directors to declare a low level of risk tolerance for the enterprise. The problem is that the action typically stops there: no new directives go to the CEO or the CFO telling them to make different decisions in support of that declaration.

The right next steps don't necessarily involve more money, though increased cybersecurity funding is the most obvious and often necessary move. They can also involve granting the authority to make the changes needed to upgrade the enterprise's risk position.

The CISO or CRO should be able to approve cloud agreements with new security conditions attached. They should also be able to require prospective business partners to submit to security measures, such as unannounced pen testing. Maybe the CISO wants to eliminate the BYOD mobile policy and instead insist on company-controlled devices only; they should have the power to make that call. Or maybe the CSO wants the right to audit accounts payable expense reports, looking for any purchases (routers, cloud vendors, IoT devices, etc.) that could indicate shadow IT.

"What gets messy about this is that it's so very easy for a board to say that it has a low risk tolerance. It almost turns into a marketing message," says Jeff Pollard, VP and principal analyst for Forrester Research. "Do board members actually understand what having a low risk tolerance really means? It costs the board nothing to just say it. There are ramifications and implications of a low risk tolerance."

For quite a few boards, "there is no direct linkage" between that declaration and appropriate changes to make it real, Pollard adds.

"Boards are often disconnected when making that decision and deciding on the budget," he says. "Risk in the 21st century is often quantitative with the veneer of qualitative. They have this masquerade of being quantities when they are not. We are using imprecise language as though it's precise. Risk is nebulous. There is no actual meaningful definition of what that means in practice."

At high risk? "The fastest growing division ... because they are growing so fast, and they are doing what needs to be done to grow that fast," Pollard says. "Is the board empowering [the CEO] to put the brakes on? I don't think so. This is not a conversation about risks as much as it is a conversation about trade-offs."

Establishing Concrete Executive Authority

Soumya Banerjee, an associate partner at McKinsey, says boards need to have a much more sophisticated understanding of risk and of the concrete ways it can be addressed.

"Boards still do have as much of an understanding about what the risks are as they need to. Risks are evolving today in such a rapid manner," Banerjee says. "When the board says 'low risk tolerance,' that needs to set off a list of very tangible key risk indicators. Risk tolerance needs to be defined by the risk impact. There is a definite disconnect. Boards must represent cybersecurity in terms of risk tolerance in the right way — not in the abstract, but in very tangible ways. What are the trade-offs? Do we have the money to do that?"

Andrew Morrison, strategy, defense, and response leader at Deloitte, sees the key challenge with board risk acceptance being authority.

"The one thing that is truly missing is the proper decision-making authority in cybersecurity. Where we see incidents go south is where command-and-control decisions are murky. For example, who can decide to shut down the online presence?" Morrison says. "The board will declare low risk tolerance without an understanding of what that means for the organization. There needs to be a conversation around the extent to which the CISO and the security team are empowered to make the decisions."

Legacy systems can effectively undermine even the most ardent risk-averse board strategy, especially the subset of very old, expensive systems in manufacturing and other OT areas, says David Burg, cybersecurity leader for Ernst & Young Americas.

"This involves a certain flavor of legacy where the CISO is told, 'Don't touch this stuff. It's very sensitive and very old,'" Burg says. Any system that is out of bounds for IT and security is a system that attackers will see as a great place to hide malware, he adds.

Setting Appropriate Shareholder Expectations

Boards also need to be careful and strategic about compliance needs when crafting a cyber-risk appetite strategy, says Matt Tolbert, cybersecurity and operational risk management leader for the Federal Reserve Bank of Cleveland.

Tolbert, who delivered a talk at the 2023 RSA Conference about board issues related to establishing such a policy, says setting these policies is important so that shareholders understand the level of risk the company is willing to tolerate.

"It needs to be clear to everyone what those expectations are," Tolbert says. "What is appropriate for a third party to do? Or when moving to the cloud? This is guidance as to whether it's acceptable."

One approach is to have deep risk discussions with potential partners to determine whether the two companies share the same risk tolerance. Tolbert also notes that the only practical risk tolerance levels are low, medium, and high. A board can't declare that it has zero risk tolerance, for legal reasons: if it did, it would open the company up to being sued after a single breach.