Culture changes to achieve digital risk insights

Establishing organizational resilience to the changing cyber risk landscape

February 18, 2025

Key takeaways

Evolving cyber risks and reliance on digital systems require companies to become more resilient.

Effective resilience requires boards and management to develop an understanding of systemic risk.

An enterprise culture sustains risk mitigation efforts and protects against digital risks.


The frequency and persistence of cybersecurity incidents are creating a growing recognition of their inevitability and potential damage for every sector of the economy. Furthermore, the growing reliance on digital systems and AI is vastly expanding digital opportunities and risks. A trending response calls for enterprises to become more resilient, which entails developing the capability to minimize damage and rapidly recover from cybersecurity incidents. The concept is simple, but its implementation is not. Achieving true resilience requires understanding the evolution of cybersecurity, where it stands today and how it needs to change.

Cybersecurity started with defensive measures that react to cyber incidents and, despite today’s pervasive threats, remains largely siloed as a misunderstood technical IT function within many enterprises. Relatively little attention is devoted to designing and building strong operating systems and business processes and reevaluating them as digital systems change. Adding cybersecurity to weak systems is like putting fingers in a poorly constructed dyke. At some point, we run out of fingers. Protecting weak systems is unsustainable. Defensive cybersecurity measures are important but insufficient to achieve robust cybersecurity and meaningful resiliency.

The bottom line is that resilience is not a capability which can be bolted onto existing legacy systems. Resilience requires a paradigm shift in the culture of how digital risks and opportunities are understood and dealt with and how systems are designed and operated. Context and the relative importance of business processes and assets are crucial to enterprise protection, which begins with the board of directors.

Boards need to commit to developing a shared, contextual and holistic understanding with the management team of the systems that make up every enterprise. At RSM, we refer to this as the “enterprise-as-a-system (EAS),” a web of IT elements (applications, servers, databases, hosted solutions) and physical elements which comprise and enable your organization, including the people that operate them. The EAS is a business-level understanding of how systems and business processes are designed to operate and interact—not a technical one.

EAS is a table-stakes strategy for creating enterprise-wide resilience to survive and compete in the increasingly complex digital world. The EAS governance approach comprises three elements: education, organization and culture. Two previous articles, summarized below, dealt with education and organization. This article addresses culture.

1) Educate the board, management and employees on developing a shared understanding of the EAS and its related digital risks.

  • Define, analyze and improve the EAS, starting with a high-level business process map describing the relative importance of system elements and how they interact.
  • Identify, prioritize and address risks to the EAS within the context of a risk appetite statement.
  • Assess and modify risk detection and protection capabilities.
  • Prepare for EAS incidents by predicting digital risk outcomes. Modify procedures accordingly.
  • Practice incident response, disclosure and recovery (RDR) procedures.
  • Require board reporting within the context of the EAS and the company’s cybersecurity framework.
  • Establish continuous communications between the board and management.
  • Reanalyze the EAS periodically and when major events and changes to digital systems occur.

2) Organize the board and management team for optimal governance and management.

  • Add cybersecurity expertise to the board.
  • Develop a cybersecurity and AI framework integrated with enterprise risk management.
  • Create and review the adequacy of policies and procedures developed within the frameworks.
  • Create a risk appetite statement.
  • Make cybersecurity spending decisions using capital rationing.
  • Evaluate the efficacy of the management team and outside advisors.

Establishing an enterprise culture that sustains risk mitigation efforts and protects against evolving digital risks

The “educate” and “organize” elements of the EAS set the stage for creating a “culture” of digital risk in which all stakeholders bear responsibility for digital tools and protecting the enterprise against cyberattacks and incidents.

Understanding the potential consequences of digital risk is key to developing a culture which embodies resiliency. Typical cybersecurity reporting to the board and C-suite deals with compliance, penetration testing, heat maps, dashboards, etc. Although important, this is a defensive approach and does not address the relative importance of potential outcomes and consequences. Adding a consequential perspective provides a vital holistic view of the potential damage to the enterprise. Without context, defensive information by itself is akin to expecting the board to look at the instruments in the cockpit of a jumbo jet and asking them to take off and fly.

Effective and timely resilience requires boards and management teams to meet in the middle and develop a shared understanding of the systemic risk that digital systems pose to the enterprise.

Key board actions to create a resilient digital risk culture include:

Bringing it together

Resiliency for rapid response and recovery from digital incidents begins with a better understanding of the systems and processes the boards and management teams are tasked with governing and managing. Achieving this goal requires a commitment to educational, organizational and cultural changes to deal with the complex tools needed to compete in today’s digital world.

There are no shortcuts for resiliency or check-the-box solutions for digital risk.

RSM contributors

  • Rod Hackman
    Advisor, Board Excellence
  • Robert Snodgrass
    Principal, Risk Consulting
