The Bedel Security Blog

Comparing your Cyber Risk Appetite to Motorcycle Racing - WHAT!?!

Written by Chris Bedel | Oct 3, 2017

How do you communicate cyber risk to management and the board at your organization? Has it been effective? Is everyone on the same page from a risk appetite perspective to the point that there is an agreement in both the current state of risk and what is an acceptable level?

If you’re like most banks and credit unions, you may have just chuckled to yourself a little bit. 

It’s an ongoing discussion, and there are countless articles on how best to communicate cyber risk to the board. This was a question that a bank CRO and I were working on a while back when we came to an analogy that seemed to resonate with the management team there.

SIDE NOTE: Ask anyone I’ve worked with, I’m a huge analogy guy. I think it’s a great way to translate technical concepts in a very inclusive way (see CISO Intangibles: Communication Vlog). And because analogies can include fun examples and less intimidating topics, I’ve often found that they make everyone a bit more relaxed and open to a conversation.

In this case, we used a driving analogy to talk about cyber risk appetite. By driving, I mean operating a motorized vehicle like a car or motorcycle. The example is pretty simple and everyone understands it enough to join the discussion. It even aligns with the FFIEC CAT, so that’s a bonus.

Inherent Risk Profile = Speed

So what’s the inherent risk profile of your bank? Or maybe the better question is how fast are you currently driving? 

For our analogy, you can think of the inherent risk profile from the CAT as the speed of your vehicle. It makes sense, right? The faster you drive your car, the more risk you take. You may not have an accident, but if you do, it will be much more damaging to both people and property. It also means that the faster you go, the more protective measures you need to employ (more on that in a bit).

So you can look at the CAT this way: with every emerging payments solution you offer, you are driving faster. With every increase in network complexity comes increased velocity. And if your organization is in constant M&A mode, you are going faster still.

Your communication to the board is this: are you doing 50 mph on a highway in a sedan, or racing at over 200 mph on the streets on a motorbike?

You could also inject your own observations of the CAT rating here. What I mean by that is that the CAT is a great starting point, but it may not entirely capture the risk of your organization. 

We have some clients that rate fairly low when answering the questions on the Inherent Risk Profile, but they know that other circumstances put them in a higher risk category. So you could say something like: “the CAT says we’re at a pretty safe speed, but we think there are some factors that have us moving much faster…”   

Safety Features = Controls

Think about your drive today. What safety features did you use on your way to work? Your car probably has a seat belt, airbags, anti-lock brakes, and possibly more. There are even sensors on the car to tell you if there’s a malfunction that could affect the safety of the vehicle.

Now think about NASCAR: because the speeds (risks) are much higher, there are additional safety features that we don’t use in our day-to-day driving. The drivers there have helmets, fire suits, 5-point harnesses, roll cages, and improved braking and suspension to handle the speed.

On the other end of the spectrum, what safety features are on a go-kart? It has brakes, and you might wear a helmet.

The point is this: just as the safety features should increase with speed in the automotive world, the same should be happening in your cyber environment. We equip cars with preventative measures to help avoid an accident, detective measures to tell us when something is wrong, and corrective measures that reduce damage when an accident actually occurs.

You need to explain to the board that similar preventative, detective, and corrective measures need to be in place for your cybersecurity program.

Risk Appetite

The real decisions start happening at the risk appetite level, which is basically the intersection of speed and safety.

You have a low risk appetite when you choose to drive a Volvo and never exceed the speed limit, combining both safety and conservative speeds. On the other hand, if you're like the guys in the image above, you're racing at over 200 mph with very little protection. Motorcycle racing requires a very high risk appetite.

And while we could argue about where your bank's risk appetite should be, the most important thing is that your board of directors understands it, sets strategy for it, and provides oversight of it.

To do so, your board should be able to answer the following questions:

  • Do we know what speed we are going now?
  • What speed are we comfortable with?
  • Do our safety features align with the speed?
  • Do we understand that even with all the safety features there is still risk in driving at any speed?
  • Are there any safety features that inhibit us from going as fast as we really want or need to?
    • An example of this would be a speed limiter that is in place on some semi-trucks, or restrictor plates on racecars. Does that meet the business objectives? Or can we look at other controls?

Conclusion

We all know we need to report to the board on cybersecurity. But we need to be working toward a place of discussion and dialogue rather than just a one-sided information dump. Doing so is critical because your board has the responsibility to know if they are driving 30 mph in a quiet suburb, or if they are running in the Isle of Man TT with only a helmet and race suit protecting them. (Watch this video to see what I mean.)

How you do that is up to you, but this analogy might be a good place to start.