By Nandkumar Saravade, Founding CEO, ReBIT

“Without data, you’re just another person with an opinion.” ― W. Edwards Deming

It would be a truism to say that cyber risk is now a primary topic for any boardroom discussion. With the business impact of frequent cyber events like ransomware disruptions, and regulatory push, most boards have passed the awareness stage and are deeply involved in resilience and maturity enhancement. The other day, I was addressing a large group of board members in an online session, and was surprised by the nuances which came through the questions from the audience. One such query was: how can internal audit help the board in providing a better assurance on cyber risk?

As we know, the three lines of defence model has been the key framework for enterprise risk management. Used to establish clear lines of responsibility and accountability, the first line of defence consists of operational management and employees who directly manage risks in their daily activities. The second line involves risk management and compliance functions that provide oversight, guidance, and support to the first line. The third line encompasses internal audit, which independently assesses the effectiveness of risk management and control processes.

This model promotes a systematic approach to risk management, ensuring that risks are identified, assessed, controlled, and monitored in a coordinated manner across the organization’s different levels and functions. Internal audit directly reports to the Audit Committee of the board, and, thus, is expected to exercise independence in its outlook and functioning.

With this backdrop, it becomes essential to have a unified cyber risk measurement and management framework which not only helps the CISO and management do the job, but also lets internal audit and the board assure themselves that it is indeed being done well, and visibly so.

How the FAIR™ Methodology Equips Your Board to Understand Cyber Risk

Coming back to the question posed to me by a board member, the FAIR™ (Factor Analysis of Information Risk) model, which provides a structured approach to assessing cybersecurity risks in a way that enables better decision-making, can be used by internal audit for the following specific aspects.

  1. Risk Assessment: Internal audit can validate at the design stage that identifying assets, threats, vulnerabilities, and potential impacts is done comprehensively.
  2. Quantitative Analysis: Internal audit can apply the approach to test scenarios of the potential losses associated with different cybersecurity incidents. This gives a more accurate view of risk exposure and identifies the high-impact events, so that mitigation effort can be prioritised accordingly.
  3. Business Impact Analysis: The FAIR model can help internal audit conduct a business impact analysis of cyber incidents. This involves estimating the financial impact of disruptions to business operations, enabling the organization to better prepare for and respond to cyber events.
  4. Evaluating Control Effectiveness: Internal audit can use the FAIR model to assess the effectiveness of existing cybersecurity controls. By quantifying the reduction in risk that controls provide, internal audit can determine whether the controls are providing the expected level of protection.
  5. Communication with Management and Board: The FAIR model provides a structured and quantitative way to communicate cybersecurity risks to management, the Audit Committee and the board. Internal audit can present audit findings in a clear and meaningful manner, including longitudinal trends and maturity improvements, after establishing a baseline for risk quantification.
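To make items 2 and 4 concrete, here is a small Monte Carlo simulation in the FAIR style: threat event frequency and vulnerability are combined into a loss event frequency, each loss event draws a loss magnitude, and the annual totals yield an annualised loss expectancy (ALE) and tail percentiles. Running the same scenario with and without a control shows how the reduction in ALE can be set against the control's running cost. This is an added example written for this page, not code from the author, ReBIT or the FAIR Institute; the scenario name, the (min, most likely, max) estimates, the control cost and the use of a triangular distribution in place of the PERT distribution that FAIR tooling usually uses are all assumptions made here for illustration.

```python
"""Added example: a minimal FAIR-style Monte Carlo simulation of annualised
loss exposure.  Illustrative code written for this page, not a FAIR Institute
or ReBIT artefact.  Every scenario parameter below is an assumption."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A FAIR loss scenario expressed as (min, most likely, max) estimates."""
    name: str
    tef: tuple    # Threat Event Frequency: threat events per year
    vuln: tuple   # Vulnerability: P(a threat event becomes a loss event)
    loss: tuple   # Loss Magnitude per loss event, in currency units


def _draw(rng, estimate):
    # A triangular distribution stands in for the PERT distribution FAIR
    # tooling usually uses; both are parameterised by (min, most likely, max).
    lo, ml, hi = estimate
    return rng.triangular(lo, hi, ml)


def _poisson(rng, lam):
    # Knuth's method: number of loss events in one simulated year, given the
    # Loss Event Frequency lam (events per year).
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values, p):
    """Nearest-rank percentile of an ascending list (p in [0, 1])."""
    idx = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[idx]


def simulate(scenario, years=10_000, seed=7):
    """Simulate `years` independent years; return ALE and tail statistics.

    Seeded so that a baseline established today can be re-run identically
    when internal audit compares later periods against it."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        # FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = _draw(rng, scenario.tef) * _draw(rng, scenario.vuln)
        events = _poisson(rng, lef)
        annual_losses.append(sum(_draw(rng, scenario.loss) for _ in range(events)))
    annual_losses.sort()
    return {
        "ale": sum(annual_losses) / years,   # annualised loss expectancy
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / years,
    }


def control_value(before, after, annual_control_cost):
    """Risk reduction a control buys, net of what it costs to run each year."""
    reduction = before["ale"] - after["ale"]
    return {"ale_reduction": reduction, "net_benefit": reduction - annual_control_cost}


# Constructed, illustrative scenario: ransomware delivered via phishing, before
# and after a control (phishing-resistant MFA) assumed to cut Vulnerability by
# roughly two thirds.  The figures are made up for this example.
RANSOMWARE = Scenario("Ransomware via phishing",
                      tef=(2, 5, 10), vuln=(0.05, 0.15, 0.30),
                      loss=(100_000, 750_000, 5_000_000))
RANSOMWARE_WITH_MFA = Scenario("Ransomware via phishing, with MFA",
                               tef=(2, 5, 10), vuln=(0.01, 0.05, 0.12),
                               loss=(100_000, 750_000, 5_000_000))

if __name__ == "__main__":
    before, after = simulate(RANSOMWARE), simulate(RANSOMWARE_WITH_MFA)
    for label, r in (("before", before), ("after", after)):
        print(f"{label:6} ALE={r['ale']:,.0f}  p50={r['p50']:,.0f}  "
              f"p90={r['p90']:,.0f}  P(any loss)={r['p_any_loss']:.2f}")
    print(control_value(before, after, annual_control_cost=150_000))
```

The output a board member would want is the last line: the ALE reduction the control delivers against its annual cost, rather than a colour on a heat map. Two practitioner caveats apply. First, the result is only as good as the three-point estimates, so each one should be traceable to a data source (incident history, threat intelligence, claims data) that internal audit can inspect. Second, the fixed seed makes a baseline reproducible for trend reporting, but any change to an estimate must be recorded alongside the re-run, or the trend measures changes in assumptions rather than changes in risk.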

It goes without saying that implementing the FAIR model requires expertise in risk analysis and cybersecurity, as well as granular data sources. Internal audit teams will need training or collaboration with professionals experienced in using the FAIR framework effectively. Standardising and automating the activity can yield significant benefits.

While internal audit is an important element in the assurance framework, the board also needs to ensure that the data-driven approach to cyber risk quantification is encoded in the organisation's policies. The latest version of the Directors’ Handbook on Cyber Risk Oversight from the National Association of Corporate Directors (NACD) captures this in its Principle 5: Cybersecurity Measurement and Reporting. NACD found that cyber risk is still measured with “imprecise scorecards such as ‘heat maps,’ where cyber risk is measured in colors or in high-medium-low terms; security ‘maturity ratings’; and highly technical data that are out of step with the metric-based reporting that is common for other enterprise risks.”

The Handbook goes on to recommend that directors should demand more robust reporting on metrics such as:

  • Value of enterprise digital assets, especially the company’s crown jewels
  • Probability of cyber event occurrence and potential loss magnitude
  • Potential reputational damage and impact on shareholder value
  • Costs of developing and maintaining the cybersecurity program
  • Costs of compliance with regulatory requirements

The Time is Now For Cyber Risk Quantification and Management

The management teams need to tap into specific and granular data feeds for the dynamic parameters – especially loss magnitude – which go into meeting the above expectations, along with varying probabilities of event occurrence. There are too many moving parts to do it the ‘old way.’

As disruptive technologies like Generative AI, Embedded Finance, Digital Twins and the Internet of Things transform business strategies and operations, the board’s ability to understand their full implications, and the risks that come with them, becomes a critical success factor. Methodologies like FAIR, together with automated toolkits, can go a long way in providing tailwinds for a successful launch and for sustaining the effort.