Cyber risk
This blog post was written by Mark Wearden, an experienced NED, a nationally recognised authority on corporate governance, a prolific author, and an outstanding trainer and mentor.
What do we mean by ‘cyber’?
The word ‘cyber’ refers to anything related to computers, computer networks, robotics or the increasingly important topic of virtual reality. The origin of the word is in the word ‘cybernetics’ which describes the academic discipline of studying the way in which electronic machines and human brains work, and the development of machines that attempt to behave and think like the human brain.
Just stop for a moment and think about what this really means, from a sceptical perspective. We are discussing one or more human beings attempting or managing to recreate, through electronic circuitry, the way in which they believe a particular problem should be resolved, or task undertaken.
Is this the right way? Who knows, that is a matter of personal judgment. However, once a simple circuit is formed and a cyber task is programmed this can and usually will be carried out in an uncompromised and unyielding manner, with no human deviance or irrationality, and no room for learning.
Once we evolve from this preconceived and absolute programming method, which captures the intention of the programmer(s) we enter the world of Artificial Intelligence (AI) where we are then subjected to not just the absolutism of the programmer(s) but also their interpretation of how to predict options and decision-making, but again still based around their biases.
A 2018 book “Prediction Machines”[1] suggested that the complexity and hype surrounding AI needs revisiting (perhaps sceptically) from the viewpoint of simple (cheap) prediction. The authors suggest that the ‘intelligence’ of AI is no more than prediction which is using the speed and power of advanced data processing to exponentially increase the range of data from which a prediction is made.
They comment that a computer that can recognise a picture of a cat, as a cat, does not mean that the computer can recognise a cat, but that the detail and volume of cat images that it has retained (against the title ‘cat’) lead it to predict that the image it is reviewing is most likely to be that of a cat.
Take that logic into the medical use of computers, or at a less life threatening level the use of computers in financial modelling, accountancy and audit. Human irrationality and scepticism have not yet been replaced by cybernetics, so there is an implicit need for the humans using the cybernetics to add that sceptical dimension.
Cyber risk
The risks that we therefore face from the cyber world are wide and varied. Financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems; this might include:
- Deliberate and unauthorised breaches of security
- Unintentional or accidental breaches of security
- Poor systems integrity or related factors
In many respects cyber risk is no different to, and should be treated no differently to, other organisational risks.
- The concept of ‘risk’ refers to a range of understandable and quantifiable outcomes.
- This is often confused with the concept of ‘uncertainty’ which suggests that although we can perceive a variety of outcomes, they are not quantifiable.
This might suggest that much of cyber risk is exactly that – uncertainty – although we should have some cognisance of the range of potential outcomes from a pre-programmed set of cyber instructions.
When we begin to explore and challenge our understanding and awareness of cyber risk, we will find that we are surrounded by the unknown unknowns, our lack of real understanding means that we are in reality dealing with uncertainty. We therefore need to expand and challenge a breadth of risk and uncertainty considerations which are caused by a number of diverse drivers. I am suggesting below a range of non-explicit, non-exclusive questions which might be asked in this regard:
Lack of appropriate structure
- Does our IT structure reflect the size and complexity of our organisation?
Lack of data and information clarity
- Do we have enough data, information and clarity to enable us to understand the risk?
Lack of consistent, timely data and information
- How and when do we receive our data and information, is it in time for us to challenge and consider before having to make a decision?
The data itself
- What are the controls around the collection, storage and use of data?
Activities which surround the data
- Who has access to the data and who do we trust?
The systems infrastructure
- How robust is our IT infrastructure, what can cause it to fail, how reliant are we upon it?
The applications themselves
- Who has written the software applications, do we trust them, absolutely?
Accountabilities
- Who is accountable for the regular monitoring and oversight of our cyber environment?
Supply-chain impact
- When did we last consider the IT environments of our supply-chain, our suppliers, our customers, our other stakeholders? How can and do they impact upon our cyber risk, and how can and do we impact upon their cyber risk?
The extent of the problem
- Have we ever seriously reviewed the length, breadth and depth of the potential cyber risks that we face?
A breadth of reputational damage
- Do we ever consider our reputational damage and that of others as a result of cyber risk?
We need to determine our own role within this environment. We cannot ignore the need for our involvement. The nature of being a business owner/director/manager/professional/etc requires us to be concerned with, and challenge, risk. We must have a key role to play in the sceptical challenge of the ever-increasing risks from today’s technological world.
To take a structured approach to help challenge and inform your view of cyber risk, and that of your organisation, I suggest using the six question words to provide a breadth and depth of thinking.
[1] Agrawal A., Gans J., Goldfarb A., (2018) Prediction Machines, Harvard Business press
Each of us, and each business organisation, have to take responsibility for ensuring that we develop an appropriate, challenging and sceptical approach to the cyber risks that surround us.
Cyber-ignorance is no defence, and cyber-denial is not an option in 2023.
The Boardroom Effectiveness Company offers a wide range of training, coaching and consultancy services aimed at helping boards be more effective. Take a look at our full range of services or give us a call on 01582 463465 – we’re always happy to help.
