It’s Official: Cyber Risk is business risk, and needs to be managed as such
This is an exciting week for Team8 as VisibleRisk, a joint venture between ourselves and Moody’s Corporation, has announced a $25 million Series A investment. Combining Moody’s domain knowledge of business risk with Team8’s cybersecurity expertise, VisibleRisk aims to create a global standard for cyber risk measurement and benchmarking.
More specifically, VisibleRisk aims to quantify cyber risk in financial terms so that business leaders can manage cyber risk as clearly as they manage any other business risk in their organization.
As a venture group with deep roots in cybersecurity, we’ve long advocated for the elevation of cyber risk from a pure IT and security concern, to a critical business risk that (like any other operational risk) can be detrimental to a business. Cyber risk needs to be managed like any other business risk — not from a position of fear or uncertainty, but with knowledge and confidence to proactively govern this risk in alignment with business goals.
VisibleRisk is an important step in that direction. The VisibleRisk Platform is the first solution to make this possible, quantifying cyber risk as you would business risk, and empowering executives to make informed risk-based decisions.
Cyber risk is business risk
Dependence on digital everything is a fact of life. So, when you’re at the helm of an organization, confidence in your digital infrastructure is a paramount business necessity. This became clear during the pandemic when, nearly overnight, 70% of people started working from home.
But the more digital everything becomes, the easier it is for cyber criminals to attack an organization. Intrusion activity has increased fourfold in the last two years, disrupting operations and causing financial and reputational damage. Key executives have also lost their jobs, and Gartner recently predicted that by 2024, 75% of CEOs will be personally liable for cyber-physical security incidents.
Without a doubt, cybersecurity is now considered a critical risk factor, with 70% of board directors viewing cybersecurity as a strategic enterprise risk. Instead of building higher walls or trying to hire your way out of cyber risk in an attempt to eliminate it, which isn’t possible, you need to change your perspective.
Every aspect of your digital infrastructure needs to be viewed through the lens of cyber risk and analyzed with respect to cybersecurity issues, so you can make the right risk mitigation decisions for the business.
Moreover, it’s not just about protecting your organization but being able to capture new opportunities. Initiatives that drive revenue and growth — new products, business models, markets, partnerships, and M&A activity — can also introduce cyber risk. You need to move forward with your eyes wide open so you can manage the tradeoffs between value creation and exposure to cyber risk. Which means being able to see, understand, and manage cyber risk as clearly as any other business risk.
Changing how organizations approach cyber risk
Most business risks — financial, geo-political, compliance, economic, reputational, competitive, operational — are discussed, analyzed, and managed within a comprehensive framework. You need the same approach for cyber so you can trust that you can reliably operate, in alignment with your enterprise risk strategy, and that you’re spending appropriately for your organization.
To date, business leaders that try to understand and manage risk, have been hampered by inadequate solutions. Current cyber risk assessments were never designed for use in the boardroom. Not only are they written for security experts and more technical stakeholders, but they tend to be disconnected from the company’s specific business objectives and corporate strategy.
According to the World Economic Forum, “An evolved cyber risk assessment enables organizations to align its cyber strategy to its business objectives.” Business leaders receive the financial details they need to understand the business impact a specific type of cyber event poses to their operations. These include costs associated with the disruption, recovery, legal fees, and any regulatory fines. Organizations can determine their unique risk appetite for losses resulting from cyber events and prioritize controls and investments designed to reduce the likelihood and overall economic impact of cyber risk. This process, known as cyber risk quantification (CRQ), empowers executives to have informed discussions with security leaders and the board about enterprise risk. Working together, they can proactively balance risk with reward based on their organization’s risk profile as they move the business forward.
That’s where the VisibleRisk Platform comes in. VisibleRisk addresses this market need by providing a holistic view of cyber risk based on industry, company size, geography and a myriad of other internal and external data points. It then puts this risk into business context so that you can make informed risk-based decisions.
With a first of its kind standard for rating and discussing cyber risk across companies and sectors, you can continuously measure and benchmark your organization’s exposure to cyber risk against your peers. The approach is fully transparent, so you understand the rating methodology and factors that determine your cyber rating.
But that’s just the beginning. Because businesses and threat actors don’t stand still, the VisibleRisk Platform also enables executives to track their performance over time in order to improve cyber risk management and governance. This provides a complete picture of the evolving business impact of your cyber risk in financial terms, and ensures your cyber strategy is always aligned with your business objectives.
Ongoing guidance and human expert analysis helps you make informed risk-based decisions by defining your risk appetite and determining a risk-based strategy for your business — will you choose to accept, transfer, or mitigate? Leaders can then standardize boardroom conversations around cyber risk to remain focused on business impact and outcomes.
Visualize cyber risk for better business decisions
Cyber risk is one of the top risks facing businesses today. However, only 17% of organizations say they are realizing the benefits from better quantification of cyber risk.
It’s time that every senior executive understands and manages cyber risk as clearly as any business risk.
Sure, I’m biased, but I can’t think of a better combination than Team8 and Moody’s — through our VisibleRisk joint venture led by Derek Vadala (CEO and former Moody’s CISO and former head of Cyber Risk for Moody’s Rating Agency) and Yigael Berger (GM of Israel and serial entrepreneur) — to equip you with the solution. We’re excited to make the VisibleRisk Platform available to you today.
Originally appeared on Medium