Cyber Risk is a Top Business Risk
Summary:
In 2023, cybersecurity again ranks among the top business risks, as it has consistently for many years.
This theme holds across all of the industry verticals and geographies we serve. It holds true regardless of company size.
There are a few variations which, when understood, actually contribute even more to the business case for strong cyber posture. We connect those dots to show how the theme is congruent.
This subject is role-specific cybersecurity education for senior decision-makers. We explore the data sources and perspectives that have gotten traction with many of the top leaders with whom we’ve had these discussions.
Connecting the dots in this way points to a clear conclusion: it doesn’t matter if cybersecurity ranks #1. That’s not the point. In multiple studies which survey long lists of enormous risks facing our world and your business, cyber ranks in the single digits and often the top 3-5.
Take a look at the risks it’s stacked up against. Which of those are actionable for you and for your company?
This is only one of multiple factors in the business case for cybersecurity. Might cyber deserve a higher spot among the competing priorities on your agenda?
Choosing Reputable, Applicable Sources
We’re careful to scrutinize our sources.
The Allianz Risk Barometer [1] for 2023 covers 20 major risk categories and samples over 2,700 stakeholders globally. Importantly, it provides detail for those willing to look under the hood, which has given many insights that allow our clients to better connect the dots to their specific situation. Unless otherwise cited, the information in this post comes from that source.
Other reports agree cybersecurity is a top risk but often use a much smaller sample size, survey a population with more representation from academia or government which is less focused on business risk, report only based on input from their internal experts, or don’t share underlying detail to allow review of the basis of their conclusions.
Some additional reports we consider include:
World Economic Forum Global Risks Report [2]
Business stakeholders rank “widespread cybercrime and cyber insecurity” in 4th place in the 2023 report, in comparison to government stakeholders who rank it 9th. The combined result among all stakeholders puts cybersecurity at 8 in the top 10 for both the short term 2-year and long term 10-year scenarios studied by the WEF.
In addition, “cyberattacks on critical infrastructure” ranked 5th of the top “Currently manifesting risks”.
Dun & Bradstreet Quarterly Global Business Report [3]
Ranked “cyber vulnerabilities” in the top 4 for likelihood, and in the “top ten risk themes”.
The Global Perspective
Our clients are mostly US-based companies with significant global reach so both domestic and international perspectives factor in their priorities.
“Cyber Incidents” is the #1 risk globally.
It’s a clear message, yet the easy answer is not always the best one. Averages taken over too large a group blur details which may be more compelling.
The U.S. Perspective and the Connection to Business Interruption
In the U.S., cyber incidents are #2 behind business interruption at #1.
Things get more interesting, however, when we look closer at the most feared causes of “Business Interruption”. Here we find the #1 factor is “Cyber Incidents” by a wide margin.
As a practical matter then, whether cyber is #1 globally or #2 in the US, when the influence of business interruption is included, the importance of cyber risk only increases.
Industry Vertical Perspective
Manufacturing data has the same top two risks as U.S. business in general, so the discussion of business interruption applies here as well.
What’s different is that the other risks in the top 5 or 10 often make more sense to our clients in that industry. This reality check is important when we ask senior leaders to consider whether report data might inform their own decisions.
The Allianz report offers perspective on a number of other verticals. Industries for which cyber incidents are either #1 or #2 behind business interruption include:
- Financial Services (n=865)
- Professional Services, including legal (n=78)
- Food and Beverage – manufacturing and supply (n=27)
- Technology (n=60)
Of the segments in the Allianz report which don’t appear on the above list, we’d like to comment on Aviation/Aerospace/Defense because it is significant to our client base. Cyber incidents rank as #3 for this vertical, confirming our overall thesis that cybersecurity “makes the short list”. That said, all the other risks reported are so different from the manufacturing profile and from the U.S. business profile that we had to look at why that might be. We note the sample size for this vertical is 67, about half the sample size for manufacturing (n=127); that could throw off the result. We leave it to decision makers in this space to decide which data best represents their landscape.
Small and Medium Businesses
Small and medium businesses (SMB) are in the crosshairs of cyberattacks, especially because they are often the less-defended opening for criminals to access a larger prize in the supply chain.
Does business size change the trend? The short answer is no. There is no SMB difference.
What’s actionable?
- Connecting the dots points to a clear theme. It doesn’t matter if cybersecurity ranks #1. That’s not the point. In multiple studies which survey 20+ enormous risks facing our world and your business, cyber ranks in the single digits and often the top 3-5.
- We learned long ago to pick our fights. We guide our clients in picking theirs. This is only one of multiple factors in the business case for cybersecurity. Might cyber deserve a higher spot among the competing priorities on your agenda?
How can SecuriThink help?
- We provide role-specific support to our clients to help sort out competing priorities and develop your strategic roadmap; we don’t want to build a ten-dollar fence around a five-dollar horse. C-suite executives, asset owners, and Fortune 500 Board of Directors engage readily with our business case for cybersecurity, of which this post is a small sample.
- Step Zero™ is a unique cybersecurity tool for business decision makers; it shifts the cyber readiness cost estimate left, making a data-driven Go/No-Go investment decision possible in days rather than weeks or months. Given that cybersecurity is one of the top risks in many businesses, getting a cost estimate with a verified level of accuracy before there are significant sunk costs for a gap analysis is becoming critical, especially for business decisions related to regulation or contractual compliance as well as in Mergers and Acquisitions (M&A) deals.
- The single biggest point of failure is execution. SecuriThink practitioners know what done looks like. Let us make getting there easier for you.
About the authors
Mike Warner was for 12 years the Chief Information Security Officer (CISO) at Oshkosh Corporation, a Fortune 500 critical infrastructure enterprise with $8 Billion in revenue, and 15,000 team members at 150 global locations. Having started from greenfield, the security program matured under Mike’s leadership into a program that won multiple awards from the U.S. Department of Defense and was ranked in the top 10% worldwide.
Linda Rust met Mike in year 2 of the journey described above and spent the next 10 years as an external advisor to him, guiding effective execution, facilitating the strategic roadmap, and providing support for the Board of Directors and C-suite asset owners.
Sources:
- Allianz Risk Barometer 2023 (n=2,700 Allianz customer businesses, brokers, industry trade organizations, risk consultants, underwriters, senior managers, claims experts, and risk management professionals) https://www.allianz.com/en/press/news/studies/230117_Allianz-Risk-Barometer-2023.html
- World Economic Forum Global Risks Report 2023 in partnership with Marsh McLennan and Zurich Insurance Group (n=1,200 experts across academia, business, government, the international community, and civil society) https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf
- Dun & Bradstreet Quarterly Global Business Risk Report https://www.dnb.com/perspectives/finance-credit-risk/quarterly-global-business-risk-report.html
- Photography credit: Pixabay user Angles04 https://pixabay.com/photos/panorama-alps-europe-mountains-3725657/