A fundamental shift is occurring in the management of cyber risk. The idea that cyberattacks are increasingly likely—and perhaps inevitable—is beginning to take hold among executives and boards. Business leaders are realizing that we have interconnected our world mostly using technologies designed for sharing information, not protecting it. They recognize that they have to trust people—their own employees and the third parties they do business with—to handle sensitive information and operate critical infrastructure. More and more they see that the intimate connection between their strategic agenda and the creation of cyber risk makes it infeasible for them to lock everything down and always put security first.
As a result, many organizations are beginning to adopt what Deloitte calls a Secure.Vigilant.Resilient.™ approach to cyber risk, which appropriately balances investments in cybersecurity with efforts to develop better threat visibility, and the ability to respond more rapidly and more effectively in the event of a cyber-incident. In order to prioritize properly, organizations should understand the types of cyber risk they face and be able to gauge their relative likelihood. And just as important, they need to understand the business impacts those risks are likely to involve.