Whether your company is large or small, its officers and directors must understand its cyber risks. In a Harvard Business Review article, Daniel Dobrygowski and Derek Valada discuss the need for informed decision-making about this risk.
Executives and board members need ways to evaluate cyber risk even when they cannot follow the technical details. They need holistic assessments that weigh those technical details alongside company governance and culture and the financial impact of a cyber event. They should use these assessments to set the company's tolerance for cyber risk, define the outcomes they want, and build a culture of cyber security and resilience.
A third-party cyber risk assessment shows how well a company is prepared to defend against and recover from cyber attacks. A purely technical assessment may be enough for a Chief Information Security Officer, but top management and directors need a risk-oriented view that considers the financial and business impact of cyber security, or insecurity, on their company. Officers and directors need both an inside and an outside perspective on how cyber risk fits into the company's overall risks and opportunities.
As with any potential loss, directors and officers must define their company's risk appetite. That definition should take into account customer expectations, the approaches of peer companies, and the demands of shareholders and regulators. Each industry has its own needs and challenges.
Establishing a culture of cyber security and resilience is critical. Technology changes constantly, but the culture should remain stable. Good management sets clear goals and holds the organization to them.