Contextualizing Cyber Risk: Mapping Business as a System

By Ken Stasiak


Cyber Risk Metrics Online Article

What would happen if one of your critical lines of business suffered a cyberattack? Would business come to a screeching halt? Board members need to know how their organization plans to manage security risks, but in a 2022 Harvard Business Review survey, only 68 percent of directors said their board “regularly or constantly discussed cybersecurity.”

To close this gap, boards need a better understanding of how business could be impacted by cyberthreats. Articulating business as a system offers the necessary perspective and addresses three of the obstacles that boards face when considering risk: the current cybersecurity landscape, information filtering, and lack of context.

The Current Cybersecurity Landscape

According to the newly released 2022 RSM US Middle Market Business Index Cybersecurity Special Report, of the 402 senior executives polled, 22 percent of middle market executives said their companies experienced a data breach in the past year, down from 28 percent in last year’s survey. Both larger and smaller market organizations also reported a decrease in attacks.

But a reduction in breaches doesn’t mean there is room for complacency. Attacks will continue and smart leaders are preparing to meet those threats. In fact, 72 percent of executives anticipate that unauthorized users will attempt to access data or systems in 2022 and 62 percent believe they are at risk for a ransomware attack in the next 12 months.

The Reality of Information Filtering

Board members depend on information produced and presented by the organization’s leadership team, which may be filtered through several layers of gatekeepers on its way to the quarterly meeting.

While not intentionally incomplete, these snapshots of the business may leave knowledge gaps that impact decision-making. Even well-meaning leaders may not have an accurate read on the organization’s risk profile if information from the information technology teams on the front lines is not clearly communicated. Executives may not know if all purchased solutions have been implemented, whether they are performing as intended, and which challenges remain. This information gap can leave organizations unaware of their actual risk profile. So, while 96 percent of leaders report they are confident in their organization’s efforts to safeguard data, the reality often falls short of expectations.

Lack of Context

Though cybersecurity professionals stay up-to-date on threats, vulnerabilities, and solutions, they usually lack a clear picture of the overall business, its processes, and financial complexities. Questions such as, “If we develop a cybersecurity framework and find gaps in the overall security program, how does that affect the organization overall?” and “Which lines of business are critical to the company’s profitability?” can only be answered if their cyber knowledge is rooted in the context of the overall business.

Evaluating the impact of specific security risks on various lines of business and understanding the implications of a breach across the enterprise require context. The best way to get those insights is by mapping out the business as a system.

Business as a System

At its highest level, mapping business as a system means considering how the organization makes money, identifying the key supporting business processes, and putting into context how cyber risk may affect these critical business process. It is helpful to visualize the flow of the business, and then identify the relevant and contextualized security scope areas that hinder strategy and increase business risk.

Executives need to share a variety of perspectives to chart the business as a system, and the results will offer business-contextualized insights for the board and other decision-makers. Building a map of an organization is a four-phase process:           

  • Phase one: Develop a high-level business process map;

  • Phase two: Complete focused business process decomposition or reengineering;

  • Phase three: Conduct a control framework analysis (following the National Institute of Standards and Technology’s Cybersecurity Framework); and

  • Phase four: Evaluate the enterprise as a system.

Once created, the map illustrates the way processes and risks are interrelated. If a process is responsible for significant revenue, addressing risks to that line of business takes on greater urgency. And as a picture of the enterprise emerges, it is easier to identify the places where processes converge and cybersecurity is of greatest concern.

Connecting the Dots

Even as cyberattacks evolve, the map of the business will guide strategic growth and risk management efforts. With the framework of business as a system, leaders can map a course forward. Board members can ask better questions to the cybersecurity professionals—now that they understand the context—and then connect the dots between vulnerabilities and impact to the bottom line.

Ken Stasiak
Ken Stasiak is principal and cyber testing and response team lead at RSM.