Boards

Sizing Up Your Cyberrisks

Focus first on the threats to your key activities—not on the technology itself.

by

Thomas J. Parenty

and

Jack J. Domet

by

Thomas J. Parenty

and

Jack J. Domet

From the Magazine (November–December 2019) · Long read

Kotryna Zukauskaite

Summary.

Every year the damage done by cyberbreaches seems to grow bigger. It looks as if hackers just keep getting more effective. But cybersecurity experts Parenty and Domet think there’s another reason companies aren’t successful at thwarting cyberattacks: They don’t truly understand their cyberrisks, because they focus only on their technological vulnerabilities and relegate responsibility for managing threats entirely to security and IT staff. And because of that, they don’t muster the right defenses.

A better approach involves getting input from a broad range of employees and, especially, board members and company leaders. It starts with identifying the company’s critical business activities and the risks to them. Instead of asking how your computer systems could be attacked, for instance, ask how an attack could disrupt your supply chain, expose your trade secrets, or make you fail to meet your key obligations. Next, inventory the systems supporting those activities, examine their vulnerabilities, and identify potential attackers.

This information, which should be gathered into a cyberthreat narrative for each activity, will allow you to plan, prioritize, and make more-targeted cybersecurity investments.

Idea in Brief

The Challenge

Despite the billions spent on cybersecurity, the damage done by breaches keeps growing—to a large extent because companies don’t recognize or understand their critical cyberrisks.

The Old Approach

Too many firms focus only on technological vulnerabilities. Responsibility for cybersecurity then defaults to IT specialists, yielding an ill-prioritized list of possible attacks. Tech jargon dominates discussions of risk, and senior leaders and boards can’t participate meaningfully in them.

A Better Way

A more fruitful approach is to identify your critical business activities, the risks to them, the systems supporting them, those systems’ vulnerabilities, and potential attackers. Leaders and staff throughout the firm can participate in this process, and overall responsibility for cybersecurity shifts to senior executives and boards.

Over the past decade the costs and consequences of cyberbreaches have grown alarmingly. The total financial and economic losses from the 2017 WannaCry attack, for instance, were estimated to reach $8 billion. In 2018 Marriott discovered that a breach of its Starwood subsidiary’s reservation system had potentially exposed the personal and credit-card information of 500 million guests. Hackers seem to keep getting more effective. But in our experience as consultants to clients across the globe, we’ve found another reason that companies are so susceptible to threats from hacking: They don’t know or understand their critical cyberrisks, because they’re too focused on their technological vulnerabilities.

A version of this article appeared in the November–December 2019 issue of Harvard Business Review.

TP

Thomas J. Parenty is an international cybersecurity expert who has worked at the National Security Agency and advised other organizations across the globe. He is a cofounder of the cybersecurity firm Archefact Group and a coauthor of A Leader’s Guide to Cybersecurity (Harvard Business Review Press, 2019).
JD

Jack J. Domet is a management expert who focuses on helping multinational corporations adapt to shifts in technology, globalization, and consumerism. He is a cofounder of the cybersecurity firm Archefact Group and a coauthor of A Leader’s Guide to Cybersecurity (Harvard Business Review Press, 2019).

Sizing Up Your Cyberrisks

Idea in Brief

The Challenge

The Old Approach

A Better Way

Partner Center

Explore HBR

HBR Store

About HBR

Manage My Account

Follow HBR