The Board of Directors and the Volcano Dilemma: Due Care in the Face of Enterprise Cyberrisk

Author: Jeimy J. Cano M., Ph.D, Ed.D., CFE, CICA
Date Published: 9 April 2025
Read Time: 12 minutes

Recent research states that "[a]ny attempt to ‘predict’ the future is futile, which usually results in executives simply not bothering to determine how various political, regulatory changes or the manifestation of cyber risk (emphasis added) may affect their operations." There are three fundamental flaws in this argument.1

First, while it may not be possible to anticipate the rock-in-a-pond effect, dropping a rock in one area may have a more visible impact on the pond than dropping the rock elsewhere. Likewise, in the face of increasing geopolitical tensions in developed countries, an increase in cyberoperations is foreseeable, and its impact on organizations can be seen in the dynamics of their international business. The emergence of cyberrisk has a ripple effect as large as a rock in a pond, and forgoing any effort to understand its future challenges and impacts is a mistake.2

Second, analyzing and articulating the potential impacts of cyberrisk on specific aspects of the enterprise is necessary because it is the only way of influencing business decision-making. Cyberrisk is generally confined to technology issues, which may not have the attention of the board of directors (BOD), the executive committee, or the strategy team. If one only summarizes the impacts of cyberrisk a posteriori, one will not achieve an a priori strategic or budgetary approach.3

Lastly, organizations address the ever-evolving cyberrisk using either quantitative or qualitative data. A quantitative approach interprets data that can be measured in numbers to shed light on an enterprise's specific threats and challenges, while a qualitative approach uses experience and expert judgment to map the impact of such risk on various elements of an enterprise's operations. Either way, focusing on cyberrisk involves understanding how the organization operates at different levels and how the surrounding cybercontext is evolving.4

The challenge is for enterprise executives to understand how cyberrisk converges with the enterprise’s business, that is, to recognize the dynamics of this risk in the functional development of the organization in areas such as sales and revenue, growth and investment, operations and supply chain, data and intellectual property, human capital, finance and tax, reputation and compliance.5 This translates into maintaining an updated cyberrisk panorama, analyzed against the enterprise's strategic challenges and business functions, in order to raise awareness of the consequences of its emergence and to uphold the cyberrisk tolerance defined by the BOD and assured by the executive committee.

Cyberrisk behaves similarly to the volcano dilemma:6 it is not a matter of whether an organization will suffer a successful cyberattack, but when and how. Like a volcano, cyberthreats may seem inactive and then suddenly erupt without warning. This makes it necessary to maintain an active monitoring system, a disaster prevention system (with exercises and simulations), and the technical and professional assistance of local and international support entities according to the level and magnitude of the event that may surface.

Accordingly, BODs must maintain a vigilant attitude that translates into a framework of due care in governance and cyberrisk management. This will allow them not only to maintain an active vigilance with internal and external sensors properly calibrated to forecast future adverse cyber events, but also to have the preparation and maturity to face successful cyberattacks. In other words, management practices and indicators must have an understanding of the business-level impacts and actions needed to address the consequences of cyberattacks on different stakeholders.

Board Awareness and Cyberrisk

Cyberrisk has been gaining prominence globally, and BODs, in their risk surveillance and monitoring exercises, have kept it in focus in an attempt to mitigate potential risk. With that in mind, the question is: How much do BODs know about this risk? One possible answer can be revealed by the type of board in the organization: direct oversight, long-term value creator, or visionary or transformational.7

Traditional boards based on direct supervision are structured and oriented toward accountability, which implies delegating the task of recognition and ascertaining cyberrisk (as operational risk) to management, based on a vision of reporting and validation of controls to comply with regulators’ requirements and deliver the necessary reports that show their commitment to the standards of their sector.

Boards that seek to create long-term value are guided by the enterprise’s strategy and challenge existing positions. These boards understand cyberrisk as a strategic risk, that is, as a risk that significantly affects value for its stakeholders and affects their long-term viability. In this regard, the BOD demands the formulation and monitoring of a corporate cybersecurity program maturity model that responds to stakeholder demands and encourages collaboration and cooperation among the various players within the corporate strategy.

Visionary or transformational boards take risk and co-create the future. They are sensitive to changes in the environment and seek to anticipate geopolitical trends that allow them to build a privileged position now and in the future. Board members seek to balance efficiency with the demand for resilience to ensure the survival of the organization despite environmental uncertainties, instabilities, and incidents that may occur. These boards understand cyberrisk as a business risk and, therefore, assume the commitment to declare and approve their risk appetite and thus ensure the necessary cyber capabilities to complement said statement.

In this regard, it is important to recognize the level of knowledge of the management team in order to establish the framework required to identify the enterprise’s current challenges in a digital business ecosystem, where uncertainty and instability are the norm, and thereby consolidate a competitive advantage in the medium and long term. Figure 1 is a basic classification of cyberrisk awareness levels for boards of directors.

Figure 1

From IT Risk to Threats in the Digital Ecosystem

Organizations no longer operate independently within the business dynamics of their own countries. Now they are in digital business ecosystems, where different participants allow them to leverage their value bets, not only from proprietary ideas that they develop, but together with the capabilities of their strategic allies to generate new experiences for their customers. In this regard, IT (and its known risk) becomes the basis of the organization’s operations, while digital density, represented in the connections generated around physical objects and the data flowing between the different participants, becomes the essence of the organization’s value promise, which is now situated in the digital ecosystem to which the organization belongs.

The inherent risk of IT is defined in the standards and best practices known to date, which include not only assurance and management strategies, but also extensive and detailed audit guidelines. These guidelines ensure that said risk is kept within the limits established by the business dynamics and the operations of the infrastructure and information systems that support the business processes. When an incident occurs due to a failure or adverse event that affects the availability of services, business continuity mechanisms and plans are activated to secure the situation. In other words, the operation is stopped and the procedure with the planned activities is activated to restore it.

In a digital ecosystem where infrastructure (data storage), applications (data processing), services (data usage), and customers (data generation) interact—including the enterprise and trusted third parties that develop key capabilities to implement digital initiatives—it is necessary to understand the threat dynamics as well as new adversaries who wish to interfere in this ecosystem. The adversaries not only have a predetermined agenda to carry out their destabilization plans and take advantage of this new environment, but also a parallel support ecosystem to achieve their actions, some of which are state-sponsored, while others are supported privately or by their own initiatives.8 This new reality reveals the dynamics of cyberrisk as an emerging, disruptive, and systemic risk, which directly impacts the systems or initiatives, and may cause unanticipated consequences for its participants.

BODs must now position business dynamics in an enterprise’s digital ecosystem that links internal enterprise processes with key capabilities contributed by strategic ecosystem allies to produce new opportunities and challenges that make a difference in achieving their key objectives.9 This implies defining the risk appetite the organization is willing to assume in order to fulfill its value promise and create the expected digital trust for its customers, giving the organization a strategic position within the digital business ecosystem.

Boards of Directors, Due Care Framework, and Cyberrisk

Although organizations and their boards must define and approve an enterprise risk appetite statement, their executive team must also ensure compliance with this statement. To that end, the board must maintain a three-part scheme of considerations that will allow it to have an active and gauged volcanological observatory to address the natural reality of cyberrisk in the enterprise from the volcano dilemma perspective.

This observatory should be configured with three basic elements: cyberrisk governance, an assessment of the impacts of a cyberrisk emergence, and actions to assist the different stakeholders after a successful cyberattack. These three components must work in harmony to generate the necessary dynamics within the BOD in a way that highlights the board's commitment to cyberrisk and ensures its fiduciary duty to shareholders.

The first element of the observatory is governance. This involves having a framework of best practices and managerial and executive-level responsibilities for cyberrisk.10 It entails establishing a responsible, accountable, consulted, and informed (RACI) matrix at the managerial and executive levels that links all stakeholders and those affected by cyberrisk at the enterprise level. In practical terms, it comprises a person in charge who performs the task or activity, an accountable party who approves the activity and ensures that it is carried out, a consulted person who is associated with the stakeholders involved with the activity who can provide input and feedback, and an informed party such as stakeholders who need to be notified of the progress of the activity.

Figure 2 shows an example of this RACI.

Figure 2

The second element is assessing the impacts of the emergence of a cyberrisk. This involves establishing the connections between this risk and the organizational functions in order to situate and contextualize the consequences of a cyberevent that can be detrimental to how the organization operates to achieve its results.11 In this scenario, cyberrisk is translated into an organizational risk that reveals the possible cascading effects that may occur when an adverse situation emerges in the dynamics of the processes. This understanding of cyberrisk not only appropriately defines an executive view of enterprise risk appetite, but also implies the vigilant and resilient posture that the organization defines and secures to become more resistant to adversaries and their asymmetries.

An example to advance the analysis of impacts can be seen in figure 3.

Figure 3

The third element is the set of actions taken toward the different stakeholders after a successful cyberattack. These actions must recognize the impacts and the different stakeholders affected to ensure adequate attention to the damages and impacts that may have been generated by the cyberevent. The challenge is to complement the board's due care and due diligence with a proactive and articulate posture in the face of the cyberincident that has occurred, in such a way that the fundamentals of corporate governance and the enterprise’s reputation are taken care of during the tensions that arise around a specific cyberattack.

An example of the actions to be performed can be seen in figure 4.

Figure 4

In summary, it is possible to visualize the framework of due care of the BOD in the face of a cyberrisk as illustrated in figure 5, where the various overlaps between governance, impacts, and actions make it possible to ensure issues such as the reputation of the enterprise, the materiality of the event, and compliance, not only with the requirements of regulators, but also with corporate commitments with its different stakeholders.

Figure 5

Conclusion

Cyberrisk is a business risk and a strategic risk for organizations in the 21st century, that is, a risk that directly affects the value proposition for its different stakeholders and the company's long-term viability.12 In this regard, organizations must maintain a vigilant posture of risk that behaves similarly to the dilemma of a volcano, which is not a matter of "if," but "when and how," for which it must maintain a permanent and calculated observatory that allows it to identify and react to the volcano’s conditions in real time.

Board members should quickly learn to understand the internal and external dynamics affecting this volcano, which will seemingly be dormant, but will give permanent signs of its activity amidst the dynamics of business processes and the tensions and trends of the company in the digital business ecosystem where it operates. Whenever there are earthquakes (persistent attacks in one’s business sector), fumaroles (successful attacks in one’s business sector and other industries), and ash fallout (identification of suspicious events in infrastructure and processes), the unified command post should be convened to monitor the status of the volcano and strategically assess the alerts that are raised with local contacts and strategic partners.13

Likewise, when reviewing some indicators of the internal dynamics of this geological phenomenon, such as the presence of gases (an increase in known vulnerabilities), a temperature increase (an increase in known unresolved vulnerabilities), and the presence of magma (disclosure of uncertain events in the infrastructure and processes), the monitoring and control committee must be activated so that specialists can interpret these records and ensure the necessary actions to prepare the organization for possible eruptions (adverse cyberevents) that may occur unexpectedly or with uncertain timing.14

By doing so, the board will not only have a proactive and situated position on the company's cyberrisk, but a formal due care framework that handles reputation, compliance, and materiality in the face of possible adverse cyberevents that end up surfacing in the midst of the challenges and dynamics of the organization in its own interactions within its digital business ecosystem and its emerging threats. Thus, the BOD is not only diligent towards the regulators, but also towards the shareholders, ensuring its fiduciary and regulatory duty as part of a specialized collegiate body that guides and defines the enterprise's destinies and challenges in the medium and long term.

REFERENCES

1 McCaffrey, C. R.; Henisz, W.; et al.; Geostrategy by Design: How to Manage Geopolitical Risk in the New Era of Globalization, Disruption Books, USA, 2024
2 McCaffrey; Geostrategy by Design
3 McCaffrey; Geostrategy by Design
4 McCaffrey; Geostrategy by Design
5 McCaffrey; Geostrategy by Design
6 McCaffrey; Geostrategy by Design
7 Bishop, K.; Camm, G.; Board Talk: 18 Crucial Conversations That Count Inside and Outside the Boardroom, Practical Inspiration Publishing, United Kingdom, 2023
8 Cano, J.; “The Virtuous Circle of the Adversary: Challenges and Threats for Modern Organizations,” ISACA® Journal, vol. 3, 2024
9 Valdez-de-Leon, O.; “How to Develop a Digital Ecosystem: A Practical Framework,” Technology Innovation Management Review, vol. 9, iss. 8, p. 43-54, August 2019
10 Allen, B.; Bapst, B.; et al.; Building a Cyber Risk Management Program: Evolving Security for the Digital Age, O’Reilly, USA, 2024
11 Howard, R.; Cybersecurity First Principles: A Reboot of Strategy & Tactics, John Wiley & Sons, Hoboken, New Jersey, USA, 2023
12 McCaffrey; Geostrategy by Design
13 Cano, J.; “Ciberdefensa Basada en Datos. Un Modelo Conceptual Para su Desarrollo e Implementación,” [Data-Based Cyberdefense: A Conceptual Model for Its Development and Implementation] SISTEMAS, vol. 170, 2024, p. 49-60
14 Howard; Cybersecurity First Principles

JEIMY J. CANO M. | PH.D, ED.D, CFE, CICA

Has more than 28 years of experience as an executive, academic, and professional in information security, cybersecurity, forensic computing, digital crime, and IT auditing. He received the ISACA® Educational Excellence Award in 2023 and in 2016 was named Cybersecurity Educator of the Year for Latin America by the Cybersecurity Excellence Awards. He has published more than 250 articles in a range of journals and has given talks at industry events worldwide.