Defining your cyber security risk appetite
What is cyber risk appetite?
Broadly speaking, risk appetite is the level of risk that an organisation is prepared to take on in order to achieve its objectives. Therefore, cyber risk appetite is much the same, but specific to cyber-related hazards – for example, maintaining the confidentiality of customer data.
A cyber security risk appetite statement is a series of phrases, paragraphs or pages (depending on the business) that outline your organisation’s attitude to this type of risk, including:
- How this information relates to your organisation’s missions and values.
- Why this information is important.
- How people should act in order to protect this information. We will cover cyber security risk statement examples later in this article.
Understand your risks
In order to write your cyber security risk statement, you must first understand four key points:
- What risks is your organisation exposed to?
- What are your security priorities?
- What risks must your company be immune to?
- What risks are acceptable?
Every organisation is exposed to different risks. Take time to identify your market areas, compliance regulatory environments, collected customer data, security access levels and so on, to determine in which areas your organisation may be at risk.
Next, you must understand, in the event of a breach, what losses would be unacceptable? What can your organisation live with? Could a breach cause harm? Could information be misused? If so, can your organisation shoulder those consequences or would they be catastrophic? Answering all of these questions will help you sort risk into different categories based on security priorities and predicted damage. From here, you can figure out which areas are most and least important to feature in your risk statement.
Who should have a seat at this table?
Writing a cyber security risk appetite statement should involve every department to some degree.
Why? Because everyone in your organisation can impact cyber security. This is not solely an IT problem. While you may request that your CISO champion this initiative, every single person in a company can impact its security – whether intentionally or unintentionally – through their work habits, knowledge of risk, security training (or lack thereof) and so on.
Individuals that could head your risk statement initiative:
- CISO
- CIO
- CTO
- Chief Risk Officer
- Any other relevant IT or cyber security leader
Other individuals that you should consult during the creation of the cyber risk statement:
- The board
- Executive leaders and senior managers
- Major shareholders or investors
- Partners and suppliers
- Legal and financial advisors
- Users of any relevant system or data (i.e. potentially all employees)
Writing your cyber risk statement
Now that you understand the purpose of a cyber security risk statement, and broadly what risks your organisation may face, we can begin to collect them into our statement.
Clearly define the risks that your organisation cares about
First we must bring together the information brainstormed in the previous section of this article. When we talked about understanding risk, we asked a lot of questions about acceptable and unacceptable damage. You must ask these questions to each relevant stakeholder – this can help you build a singular risk management bible that reflects the requirements of each affected department.
When you have created this list, portion it off into different priorities and sections based on your attitude to risks in those areas. You may also wish to consider classifying risk into different business areas to better prioritize key systems, such as:
- Mission-critical internal business systems.
- Systems which could affect health and well-being.
- Databases of sensitive information.
- Mission-critical external business systems.
- Core infrastructure and partner portals.
Determine what can be done to mitigate risks
With this list of priorities, now you can brainstorm what is required to meet your risk appetite. Your statement does not have to list out specific security protocols, but should make clear statements on what your organisation expects from stakeholders with regards to securing the business.
This may require a degree of cultural transformation, and indeed a great many cyber security initiatives require significant top-to-bottom change in order to achieve success.
You see, daily life at your organisation must have security at its heart – and these levels of security are defined by your risk statement. Management and governance processes must integrate cyber resilience so that all processes, systems and tools reflect your appetite for risk. Then, education and training can fill the gaps by mitigating the chance that stakeholders will contribute to a breach of security through their daily habits.
Prepare to revisit this statement again
Lastly, you must be prepared to revisit this risk appetite statement again and again. Much like how technology always evolves, so too must your policy towards cyber security. Consider it an ongoing process, and build in re-evaluation from the start; set a timeline or triggering event that determines when your cyber champion and relevant stakeholders will discuss again your organisation’s cyber risk appetite, to see what has evolved and what may require updating.
Examples of cyber security risk appetite statements
Below we have two examples of risk statements regarding cyber security. When constructing your own, we advise that you do not copy these closely, as we have invented them for the purposes of example only. Your risk appetite statement should be original, crafted specifically for your organisation in consultation with key stakeholders, and signed off by the board (and any other regulatory authority that provides oversight over your operations).
Example 1: A broad organisation-wide statement that covers a variety of risk areas:
“Our organisation faces a broad range of risks reflecting its responsibilities as a major trusted retail organisation across Germany. We take our important position seriously with regards to the safety of our customers and staff regarding their personal and financial information, as well as our intellectual property, and the safe and ongoing operation of our systems. Our organisation considers all risks regarding customer safety and satisfaction to be unacceptable. We make resources available to control operational risks, and foster a culture of education, sharing and honesty to build a culture of risk awareness. We recognise that it is not possible to eliminate some of the risks inherent in our sector, however we do not accept that we can do nothing about these. We use risk to foster innovation and efficiencies within our business.”
Example 2: A more specific example of a risk statement for a company protecting customer data:
“We promote a culture of diligence and high ethical standards with regards to the collection of our clients’ personal information. We aim for a high level of safety through education, training, and the open sharing of skills, experiences and information. We encourage a culture of risk awareness and the constructive challenging of decisions, and follow sound data protection principles. We comply with internal and government policies, regulations and procedures, and respect their spirit. All individuals, including our partners and suppliers, are expected to contribute to and promote this culture of safety and awareness.”
About dig8ital
At dig8ital, we understand what it takes to help organisations secure their properties against cyber threats. We work with executives, senior leaders and their teams to transform companies using a variety of key guiding principles – including prioritising critical assets and risks, mitigating cyber risk, improving processes, developing strong cyber risk cultures, and embracing modern solutions such as AI and automation. The road to better cyber security culture starts with a first step. Contact us today for a a free consultation to find out how we can help you.