April 9, 2019
On a global basis, directors and the companies that they oversee are facing disruptions caused by geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change, among other forces. The pace of change just keeps speeding up.
It is important to note that while disruptive risks are one of the main concerns for directors, their confidence in corporate risk management is low. As risks continue to evolve, the way corporate directors and their organizations handle them must evolve as well. This disconnect between evolving risks and static oversight practices may explain their low confidence in overseeing these changing risks.
In BitSight’s newest Cyber Risk Monitor report, respected risk expert and NACD member James Lam details five recommendations for directors to manage disruptive risk within their organization. Within this list, he offers that corporate directors should “ensure board-level risk metrics and reports are effective.”
As stated in the report, one unique aspect of disruptive risks is that they are usually very subjective and, as a result, are susceptible to cognitive biases. It’s critical that organizations have objective, independent data that allows them to both report on and understand the state of the company’s cybersecurity. In addition to traditional security assessment practices (such as penetration tests and questionnaires), security ratings can offer an objective, quantifiable measurement of an organization’s security posture that the board can understand in the context of industry, region, or competitive peer group.
When we look at disruptive risk—particularly cyber risks or incidents—it’s no secret that organizations are being held to significantly higher standards of cybersecurity outcomes than ever before. Regulatory bodies, boards, and executive teams are all driving for better oversight and accountability regarding data breaches and cybersecurity. Companies and their leadership are seeking to avoid the backlash from customers, business partners, and regulators that inevitably follows a breach, since a breach is taken as evidence of a failure to meet industry-wide standards of care for cybersecurity.
Security and risk leaders are challenged with trying to understand what constitutes a reasonable, industry-wide standard of care when it comes to cybersecurity performance. What was good enough yesterday may not be today, and will almost certainly not be good enough next year. Moreover, traditional approaches to cybersecurity performance metrics are limited in scope, capture only a point in time, and are subjective rather than comparative.
As a result, security and risk leaders are forced to make important decisions about their cybersecurity programs based on an incomplete set of data. This lack of visibility and context often results in ineffective spending and misallocation of resources, two areas where accurate insight is critically needed to adequately protect any organization.
Using security ratings to manage security performance helps security and risk leaders, and the directors who oversee their decisions, take a risk-based, outcome-driven approach to managing the performance of their organization’s cybersecurity program. Security ratings enable broad measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk. Using the Security Rating as this baseline metric of cybersecurity program performance, security and risk leaders finally have an objective, independent, and broadly adopted key performance indicator to continuously and efficiently assess security posture, set program goals, track progress, and report meaningful information to executives and ultimately to you—the board.
Looking to learn more? Download BitSight’s latest Cyber Risk Monitor Report, prepared exclusively for directors of companies.