Sizing Up Your Cyberrisks

From the November-December 2019 issue of Harvard Business Review

by Thomas J. Parenty and Jack J. Domet

Over the past decade the costs and consequences of cyberbreaches have grown alarmingly. The total financial and economic losses from the 2017 WannaCry attack, for instance, were estimated to reach $8 billion. In 2018 Marriott discovered that a breach of its Starwood subsidiary’s reservation system had potentially exposed the personal and credit-card information of 500 million guests. Hackers seem to keep getting more effective. But in our experience as consultants to clients across the globe, we’ve found another reason that companies are so susceptible to threats from hacking: They don’t know or understand their critical cyberrisks, because they’re too focused on their technological vulnerabilities.

When cybersecurity efforts address only technology, the result is company leaders who are poorly informed and organizations that are poorly protected. Discussions of cyberthreats end up being filled with specialized tech jargon, and senior executives can’t participate meaningfully in them. The responsibility for addressing risks then gets relegated entirely to cybersecurity and IT staff, whose attention falls mainly on corporate computer systems. The outcome tends to be a long, ill-prioritized list of mitigation tasks. Since no company has the resources to fix every cybersecurity problem, important threats can go unaddressed.

A more fruitful approach is to adopt the view that cybersecurity should focus more on threats’ potential impact on a business’s activities. Say you’re an executive at a chemical company. Instead of asking what cyberattacks might be possible on your computer systems, ask, How could a cyberattack disrupt your supply chain? Or expose your trade secrets? Or make you fail to meet your contractual obligations? Or cause a threat to humanity? That adjustment might seem minor, but when leaders start with crucial activities, they can better prioritize the development of cyberdefenses.

A CEO we worked with, Richard Lancaster of CLP, Asia’s third-largest electricity provider, described the shift in mindset this way: “Initially, we viewed cyberrisks primarily as an IT issue. Over time we realized that what was really vulnerable was our electric grid and generating plants. Now we recognize that cyberrisk is really business risk—and my job as CEO is to manage business risk.” With this perspective, responsibility shifts from IT to senior executives and boards, who must take an active role and ensure that cybersecurity teams focus on the right threats.

Attacks aren’t always sophisticated or technically complex.

To help companies organize and share the relevant information with a wide audience, we’ve developed a tool we call a cyberthreat narrative. It addresses the four parts of the story of a potential cyberattack: a key business activity and the risks to it; the systems that support that activity; the potential types of attacks and possible consequences; and the adversaries most likely to carry attacks out. Outlining details about all four will help companies recognize and prioritize their risks and prepare remedial actions.