Back to the Future: A 2023 Report on Effective Cyber Risk Management

I talk to a lot of companies about cyber risk management vs. cyber security. I seem to get one of two possible responses – the first being a blank stare, the second being whole-hearted agreement but with the caveat that they are just starting on their journey to true cyber risk management.

So even though there are islands of progress in cyber risk management, I think we are on the path to a cyber crisis similar to the financial crisis of 2008. I decided to check if the main lessons learned about risk management after the 2008 financial crisis are applicable to cyber risk as well. That led me to a 2010 OECD report on corporate governance and risk management titled “Corporate Governance and the Financial Crisis: Conclusions and emerging good practices to enhance implementation of the Principles”. Turns out that financial risk management in 2010 was in about in the same state as cyber risk management in 2021.

So here is my imaginary summary of a future 2023 OECD report on cyber risk management. It is after future cyber attacks cause widespread panic – maybe something like a successful version of last week’s attack which targeted the water supply in Oldsmar Florida. In that attack an unknown adversary hacked into the plant remotely and attempted to elevate levels of lye by a factor of more than 100, an act which can cause physical harm to the public. Luckily it was discovered by staff at the plant — they noticed the mouse moving on the screen — and they took action before damage was caused.

In the wake of my imaginary future attack the OECD will report their key findings on effective cyber risk management. In true back to the future fashion I borrowed these from the 2010 OECD report:

1. Effective cyber risk management is not about eliminating risk. It should ensure that risks are understood, managed and, when appropriate, communicated.

2. Effective cyber risk management requires an enterprise-wide approach rather than treating each business unit individually.

3. Effective cyber risk management requires business review and guidance to maintain explicit alignment of corporate strategy with cyber policies (risk-appetite and tolerance).

4. Continuous cyber policy assessment should be the basis for cyber risk operations and metrics.

5. Cyber risk operations must be adequately and explicitly covered by policies that provide a direct line of sight from risk appetite to controls and metrics.

These are all sensible approaches that can be adopted today. Why do we need to wait for a crisis?