Business risk and cybersecurity risk. For too long, many executives viewed the two as separate pieces of the operational resilience puzzle. In fact, most overlooked the possibility they could snap together at all, quite simply because those risks come in different shapes, sizes, and complexities.
Traditionally, boards of directors and executives focus on business risk where they often leave the more complicated stuff — that hardware, software, and jargon only “those tech people” understand — to the IT and security teams, basically knocking the cybersecurity piece right off the table and potentially exposing the business to existential risk.
As an MSSP, you have a unique opportunity to help your clients realize a more complete picture of the risk landscape and help them understand that cybersecurity risk is business risk.
Real World, Real Fallout
When C-suites and boards overlook cyber risk, they’re basically playing chicken with their business based on the bet that their defenses might be good enough to stop a breach. Or, they take an out-of-sight, out-of-mind approach: since they’ve not yet had a cyber event, they probably never will.
Those overlooked risks have proven detrimental for many organizations, but maybe nowhere more public and more impactful than with the 2008 financial crisis that still has lingering effects today. While the financial fallout had many causes, as it happened in real-time, it quickly became a game of finger-pointing about what happened and who was responsible.
If one thing became crystal clear, it’s that many at the governance level had their heads in the sand about what was looming, or, at least claimed they lacked insight into what was ahead. And while this incident centered around the financial services industry, that core issue — that boards and C-suites often don’t understand their full risk profile — is relevant across all industries.
The Impact and The Lessons
The New York Department of Financial Services (DFS) and the Securities Exchange Commission (SEC) are among agencies hoping to draw on lessons-learned from the financial crisis to minimize the possibility of another similar event. Part of that includes ensuring boards and executives have more accountability for cybersecurity oversight.
To make that a standard across the industry, DFS is considering proposed changes to its existing Part 500 Cybersecurity Requirements for Financial Services Companies, which establishes a minimum set of standards to reduce cyber risks for the financial services industry.
Among the changes would be enhanced governance requirements that increase board and executive accountability for cybersecurity. For example, the changes would require covered entities to publicly disclose and identify committees and directors in charge of these responsibilities.
But, it’s more than just slapping a name on a dotted line. The standards would also mandate the disclosures include information about their cybersecurity expertise levels.
The standards would also shine a brighter light on organizational cybersecurity posture with additional requirements for disclosure about risk management posture, as well as prompt and public disclosure of events that materially impact that posture.
It’s Just Good Practice
But I’m an MSSP. What does this have to do with me?
Well, first, if any of your clients are in the financial services industry and operate under any of these regulations, now is the time to think about what these proposed changes could mean for the cybersecurity and compliance programs you’re managing. It may also include many of your clients outside financial services but that offer third-party services to DFS-covered entities.
As we have seen with other regulations, such as the many state-specific privacy laws that have arisen in the wake of the California Consumer Privacy Act (CCPA), once a good idea — that works — takes hold, it often spreads like wildfire.
This is one area where you don’t want your clients to realize they’re missing an important risk piece and end up getting burned.
But, more than that, in terms of governance, the DFS standards for boards and executives is best practice. It’s something that can benefit all of your clients, regardless of industry.
Getting By with the Buy
So, what can you do as an MSSP to help your clients gain executive support for their security and compliance programs and increase governance maturity? Here are four ideas:
- Make it an inside job. It’s like Drake says, “Started from the bottom, now we’re here.” If you want to get that cybersecurity and compliance puzzle piece off the floor and back onto the table, you’re going to have to get to the top. How do you do that? Help your clients find an executive sponsor. The executive sponsor should be someone in the C-suite who has a good understanding of the existing cybersecurity and compliance programs, risks, and how they may directly affect business goals and objectives. An executive sponsor can ensure these issues are routinely included as part of discussions about the big picture — business risk. They’ll also play a vital role in ensuring your clients have the tools and resources needed to address those risks.
- Speak their speak. The traditional gap between business risk and cyber risk at the executive level hasn’t been born of apathy. It’s often the result of the two principles speaking completely different languages. When security and compliance speak in terms of vulnerabilities, controls, and frameworks, it may sound like a foreign language to their stakeholders. As an MSSP, you can work with your clients to interpret cyber and compliance risk in a language executives understand. Often, this is quantifying the potential financial impact of what will happen when a cyber event happens (not if). This can help your key stakeholders better align program needs with business goals.
- Close the gap. Among the biggest challenges organizations face today is finding, recruiting and maintaining qualified cybersecurity and compliance professionals. With millions of unfilled roles around the globe, many of your clients, especially small- and mid-sized businesses (SMBs) aren’t going to be able to attract the talent they need. And if they do, it’s likely to come at a cost that some just can’t manage. That’s on top of other related costs racked up for tools and technologies. As an MSSP, you can close that skills and resource gap by doing cyber and compliance program management for your clients. Explain to your clients that partnering with your MSSP can save them time and money, and, maybe more importantly, enhance their programs with qualified professionals they’d likely not be able to recruit on their own. Show them how you have all the people, tools, and technologies they need so they can focus on that bigger governance picture.
- Kiss it. It’s like that old adage, “keep it simple, stupid” (KISS). While there are no stupid questions here, the reality is as an MSSP you have a unique opportunity to help your clients simplify governance, especially if you’re using a SaaS-based GRC tool. By bringing the right GRC platform to the table, you can demonstrate how easy it is to stay up-to-date on the latest cyber and compliance regulatory and framework pieces and even get real-time insight into how well each program meets those requirements. No more walking into meetings with binders and spreadsheets of CVE’s, frameworks, controls, and sub-controls. With the right GRC solution, you can help your clients easily demonstrate to the board what their programs do well, where they have risk, and what could happen if those risks aren’t managed — all in a way that makes sense to everyone involved, regardless of position or hierarchy.
To learn more about how you can empower your clients to meet their cybersecurity obligations in an affordable way, while also growing your business, check out Apptega, the only GRC automation platform purpose-built for MSSPs.