
How CEOs And Boards Can Manage The Strategic Impacts Of Cyber Risk

Post written by Deloitte Risk and Financial Advisory

The digitalization of the business landscape offers never-before-seen opportunities but also makes organizations more vulnerable to cyber attacks and breaches. At the highest level, leaders are focused on maturing their cyber risk programs and dealing with the fact that cyber risk is everywhere—from the light switch in the office to the systems storing the organization’s most sensitive information.


Irfan Saif, principal at Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, shares his perspective on how organizations are currently managing cyber risk.

Q. Why should leaders view cyber risk as a high priority?

Cyber risk may have significant impact on an organization’s financial performance—both short-term and long-term. It may also affect brand and reputation and customer loyalty. It’s among the less well-managed risks because there’s historically been more rigor, experience, and regulation around financial, operational, and other more traditional risks. Cyber risk has also been historically handled lower in the organization, often narrowly siloed within IT, which means that it hasn’t risen to the same strategic level of importance in the past. The rate of change in the technology landscape outpaces other risk domains. Moreover, many boards and C-suite teams lack cyber risk experience, compared with those having financial and operational risk experience.

Cyber risk management is still viewed mainly as a technology problem, but it’s not. An IT security mind-set prevails, artificially narrowing the view of an organization’s cyber risk. For example, the European Union’s (EU) 2018 General Data Protection Regulation requires organizations to holistically address the processing of data pertaining to citizens of the EU. Many organizations viewed this as an IT problem when, in fact, it posed much broader challenges in terms of sales, marketing, and business processes relating to how data is acquired, stored, processed, shared, and destroyed. So, making a decision about a sales or marketing initiative without considering cyber risk explicitly could land organizations in trouble down the road.

Q. What impact does the Internet of Things (IoT) have on cyber risk?

IoT is a fast-growing domain across all industry sectors. It’s seeing the most rapid adoption in consumer products, industrial controls and processes, and medical devices. IoT offers automation and data, which businesses are using to drive action, conduct deeper data analysis, drive predictive maintenance, and pursue other efforts to improve overall efficiency, output, and profit margins.

IoT also broadens the attack surface of enterprises. At a time when many organizations aren’t effectively addressing existing cyber risks, adding this new dimension for organizations to manage can be very challenging. Solutions are available to help clients adopt IoT in their business environments and proactively monitor those environments to react to potential threats in the IoT environment.

Q. What’s the best strategy for addressing cyber and other strategic risks?

First, it’s important for an organization to have a C-level executive responsible for enterprise-wide risks of various kinds, which gives risk the same priority as finance and operations risks.

Second, it’s essential to create a culture of risk management in which everyone is responsible for risk, including cyber risk, within their job functions.

Third, instead of simply buying more technology, senior leaders need to examine organizational design, process design, human interfaces, and ways of leveraging the right technologies to make experiences simple and seamless.

Fourth, leaders need to engage with new technology proactively rather than leave any one department or function to address adoption in a silo. I like cars, so here’s the analogy I use: The fastest cars have the best brakes. Sophisticated risk management enables organizational performance in similar ways. Move faster, with greater agility and confidence, knowing that the foundation for applicable controls, governance, and management is in place to help handle the speed, the curves, the bumps, and the unexpected.

The view from the C-suite

Chuck Saia, CEO at Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, provides his perspective on the importance of executive engagement in cyber risk.

Cyber risk is a high-priority concern for senior leaders because it goes beyond the IT department. A cyber incident can result in the loss of intellectual property, compromised processes or systems, or appropriation of customers’ data. But it can also impact stakeholders in ways that pose threats to the organization’s reputation, brand, and bottom line, particularly when the incident draws media coverage or goes viral on social media.

Given the significant threat that cyber risk poses for an entire organization, it’s important for senior leaders to be fully engaged on the topic to act quickly and confidently in managing this threat. But that doesn’t appear to be happening.

In “Illuminating a path forward on strategic risk”—Deloitte’s survey of 400 CEOs and board members in organizations of more than $1 billion—only 38 percent of CEOs and 23 percent of board members said they are highly engaged in cyber risk.[1] One reason for this might be that cyber risk reports often focus on technical details and technological risks. CEOs and board members could benefit from—and be more engaged by—cyber risk reporting and assurance that focus more on business risks and impacts.

The survey also found that only 25 percent of organizations plan to invest in cyber war-gaming or scenario planning, even though it’s a leading practice to assess vulnerabilities and response processes. Typically viewed as a cyber risk management exercise, these simulations should extend to address all potential threats on reputation, brand, and value. As a leading practice, war-games should be conducted at least twice a year—not as check-the-box exercises but as strategic opportunities to improve the organization’s overall reputation and resiliency.

In my conversations with members of the C-suite and board, I’ve found that talking about cyber posture, rather than cybersecurity, elevates the entire conversation around cyber risk. Cyber posture focuses on the key attributes of your cyber program and compares them with those of leading companies, both within your industry and in other sectors.

Although cyber postures vary substantially, within any industry and across industries, there are specific attributes found in the programs of leading organizations. By measuring your organization’s attributes against those, you can develop a picture of your current and desired cyber posture.

The concept of cyber posture recognizes that absolute cyber assurance is unattainable and that cyber readiness is an ongoing journey. It also recognizes that cyber events pose threats to reputation, brand value, and top- and bottom-line performance. For those reasons, it focuses on the strategic impacts of cyber events and on management’s steps to address those impacts.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this publication contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” and “Deloitte Risk and Financial Advisory” mean Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2018 Deloitte Development LLC. All rights reserved.

[1] “CEO and board risk management survey: Illuminating a path forward on strategic risk,” Deloitte Touche Tohmatsu Limited, 2018, https://www2.deloitte.com/us/en/pages/risk/articles/ceo-board-of-directors-risk-management-survey.html