
Defining cyber-risk appetite as a security leader


Cyber-risk is a well-known reality in organizations that cannot be entirely eliminated; how much of it a company accepts depends on its risk appetite, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Establishing this cyber-risk appetite and communicating it throughout the organization is a critical challenge for Chief Information Security Officers (CISOs).

In Chapter 6 of “The CISO Evolution: Business Knowledge for Cybersecurity Executives” by Matthew K. Sharp and Kyriakos “Rock” Lambros, Lambros delves into the essential aspects of defining an organization’s cyber-risk appetite, distinguishing it from risk tolerance, and effectively communicating these points to the business. He provides a detailed example of a cyber-risk appetite statement to illustrate his insights.

COSO defines risk appetite as the types and amount of risk an organization at the board level is willing to accept in pursuit of value. However, many organizations struggle to codify their risk appetite, which is fundamental to effective risk management. While risk appetite refers to the amount of risk an organization is willing to accept, risk tolerance sets the boundaries for acceptable variation in performance relative to business objectives.

Key risk indicators (KRIs) play a crucial role in measuring the risk associated with specific activities within an organization. Unlike key performance indicators (KPIs), these indicators provide insight into the level of risk exposure an organization faces. Establishing a cyber-risk appetite statement involves aligning cybersecurity risk management with enterprise risk management to support business goals while complying with applicable laws and regulations.

Cyber-risk tolerance, by contrast, focuses on the acceptable variation in performance related to achieving specific business objectives. Risk tolerance ensures that an organization operates within its defined risk appetite and helps management determine whether a given risk is acceptable or unacceptable. Aligning risk tolerance with business objectives is essential, with different levels of tolerance for critical versus less critical objectives.

Risk capacity, risk profile, and risk tolerance collectively inform an organization’s risk appetite determination. By understanding and effectively communicating these concepts, organizations can better manage their cyber-risk exposure and align cybersecurity strategies with overall business objectives.

In conclusion, navigating the complexities of cyber-risk appetite and tolerance is crucial for organizations to effectively manage and mitigate their exposure to cyber threats. By defining and communicating these aspects across all levels of the organization, CISOs and cybersecurity professionals can enhance their strategic role in supporting business objectives and protecting critical assets.
