Part 2 - Looking at Non-Traditional Cyber Risks
Things to Put into Your Risk Registry: Part 2, Looking at Non-Traditional Cyber Risks
Welcome back to the second part of our journey into the world of cyber risk management and building an effective cyber risk registry. In our previous post, we delved into the fundamental concepts of creating a risk registry, emphasizing the importance of capturing data for analytics, process automation, and seamless integration. We also discussed the pivotal shift from spreadsheet-based methods to the versatility of a relational database.
Today, we're delving even deeper. In this blog, our focus shifts to exploring the specific risk entries that are often overlooked but wield a substantial impact on your organization. These are the underappreciated risks that can quietly shape the course of your risk management strategies.
The key to unlocking the full potential of your risk registry lies in meticulous documentation and assessment. No risk is too insignificant to document; even those deemed low-risk and low-impact can hold hidden complexities that deserve attention. Additionally, non-traditional risks, the ones that defy conventional categorization, should not be overlooked. What's more, it's essential to ensure that various categories of cybersecurity risks are diligently aligned with your enterprise objectives. This alignment ensures that your risk management strategies are not isolated but rather interconnected with your organization's overarching goals.
As we explore these often-missed yet crucial components to enrich your risk registry, consider how you can adapt these insights into your own risk management journey. You can use the write-ups in this blog as descriptions within your risk registry or rephrase them to align with the specific tone and objectives of your registry. We aim to empower you with the knowledge and tools to fortify your risk management practices and enhance your organization's overall resilience.
So, without further ado, let's embark on this exploration of vital risk entries that can redefine the way you approach risk management. Your journey to a more robust risk registry continues here in Part 2.
1.) Budget Cuts
When budget cuts loom, it's tempting to take an equal percentage off all departments. However, this seemingly fair approach can leave your organization exposed to risks. Instead, budget cuts should be based on risk assessments tied to each department's critical functions and overall mission.
This might sound like a daunting task, but can we really afford to ignore it? Executive decisions, especially around budget, must be risk-informed. Otherwise, an across-the-board cut that seems "fair" could severely impact the organization's critical functions and missions.
To make sound risk-based decisions, consider linking every line item in the budget with associated risks. This way, you'll understand the impact of cuts across the board.
Summary
When budget cuts are made without considering the associated risks, it can leave the organization vulnerable.
Instead of implementing across-the-board cuts, budget cuts should be based on risk assessments tied to critical functions and missions of each department.
Linking every line item in the budget with associated risks can provide a comprehensive understanding of the impact of the cuts.
Mitigation Strategies:
Incorporate enterprise risk management into the budget cycle.
Follow the COSO framework for effective risk management.
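As an added illustration of the line-item-to-risk linkage suggested above (example code written for this post, not part of the original), the Python script below builds a small SQLite risk registry in which each budget line item is tied to the risks its funded control mitigates, then scores a proposed cut by the risk exposure it leaves unmitigated. Every department, amount, risk score and the "minimum viable funding" threshold is a constructed sample value.

```python
import sqlite3

# Schema (constructed): a line item funds a control; min_viable is the funding
# level below which that control is assumed to stop working.
SCHEMA = """
CREATE TABLE department (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE line_item (id INTEGER PRIMARY KEY, dept_id INTEGER, name TEXT,
                        amount REAL, min_viable REAL);
CREATE TABLE risk (id INTEGER PRIMARY KEY, dept_id INTEGER, title TEXT,
                   likelihood INTEGER, impact INTEGER);
CREATE TABLE risk_line_item (risk_id INTEGER, line_item_id INTEGER);
"""

def build_registry():
    """In-memory registry populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?,?)",
                     [(1, "IT Security"), (2, "Facilities")])
    conn.executemany("INSERT INTO line_item VALUES (?,?,?,?,?)", [
        (1, 1, "Endpoint protection licences", 100_000, 95_000),
        (2, 1, "Security awareness training", 20_000, 10_000),
        (3, 2, "Lobby refurbishment", 80_000, 0),
        (4, 2, "Badge access system", 30_000, 28_000)])
    conn.executemany("INSERT INTO risk VALUES (?,?,?,?,?)", [
        (1, 1, "Ransomware on endpoints", 4, 5),
        (2, 1, "Credential phishing", 4, 3),
        (3, 2, "Unauthorised building access", 2, 4)])
    conn.executemany("INSERT INTO risk_line_item VALUES (?,?)",  # which lines' controls mitigate which risks
                     [(1, 1), (2, 1), (2, 2), (3, 4)])
    return conn

def cut_impact(conn, cuts):
    """cuts: {line_item_id: fraction removed}. Returns (savings, {department:
    sum(likelihood*impact) of risks whose linked control is defunded})."""
    conn.execute("DROP TABLE IF EXISTS proposed_cut")
    conn.execute("CREATE TEMP TABLE proposed_cut (line_item_id INTEGER, pct REAL)")
    conn.executemany("INSERT INTO proposed_cut VALUES (?,?)", list(cuts.items()))
    savings = conn.execute("""SELECT COALESCE(SUM(li.amount * pc.pct), 0)
        FROM line_item li JOIN proposed_cut pc ON pc.line_item_id = li.id"""
        ).fetchone()[0]
    rows = conn.execute("""SELECT d.name, SUM(r.likelihood * r.impact)
        FROM risk r JOIN department d ON d.id = r.dept_id
        WHERE r.id IN (SELECT rl.risk_id FROM risk_line_item rl
                       JOIN line_item li ON li.id = rl.line_item_id
                       JOIN proposed_cut pc ON pc.line_item_id = li.id
                       WHERE li.amount * (1 - pc.pct) < li.min_viable)
        GROUP BY d.name""").fetchall()
    return round(savings, 2), dict(rows)
```

With this sample data, a 10% cut on every line (`cut_impact(reg, {1: .1, 2: .1, 3: .1, 4: .1})`) saves 23,000 but defunds the endpoint and badge controls, leaving exposure of 32 in IT Security and 8 in Facilities, while taking the same 23,000 from the lobby refurbishment alone (`cut_impact(reg, {3: .2875})`) leaves no risk unmitigated.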
2.) Uninformed Executive Decisions
It's a common challenge in the world of risk management – most executives, whether in local government or other sectors, often lack specialized training in cybersecurity risk or enterprise risk. These areas are frequently perceived as matters of compliance, rather than integral business decision tools or processes.
The dilemma is clear: how can executives make informed decisions without a comprehensive understanding of the risks and their potential impact on the organization? Every decision, whether it pertains to finances, operations, or strategic planning, carries implications for risk. Some effects may be negligible, while others could prove substantial.
To address this issue, organizations must consider two critical mitigations:
Cultural Risk Awareness: Cultivating a culture of risk awareness throughout the organization, ensuring that executives and the C-suite are well-informed about the various risks that may affect their decisions.
Risk Response Training: Providing training and guidance to the C-suite on how to seamlessly integrate risk considerations into their decision-making processes, enabling them to make more informed and risk-informed choices.
By implementing these mitigations, organizations can bridge the knowledge gap among executives and enhance their capacity to make decisions that consider and mitigate potential risks effectively.
Summary
Executives often lack training on cyber risk or enterprise risk management.
To make informed decisions, executives need to understand the risks and potential impacts on critical functions, missions, stakeholders, customers, shareholders, etc.
Cultural risk awareness and risk response training can help executives integrate risk into their decision-making processes.
Mitigation Strategies:
Increase cultural risk awareness among executives.
Provide risk response training to the C-suite.
3.) Federal Shutdown
The mere prospect of a federal government shutdown is a clarion call to bad actors in the cybersecurity realm. They're well aware that such an event can unveil new vulnerabilities, making it imperative for the government to have a robust damage control plan in place.
The repercussions of a federal government shutdown are far-reaching, extending across all sectors. It's a domino effect that disrupts the intricate web of government services, impacting not only the 2.2 million federal employees who may go without pay but also sending shockwaves through the broader economy.
Yet, it doesn't end there. Vital services provided by agencies like the Cybersecurity and Infrastructure Security Agency (CISA) are also in the line of fire. These services play a pivotal role in the cybersecurity industry, supporting local governments and critical infrastructure stakeholders in fortifying their cyber defenses.
To counteract these risks, it's imperative to have a well-defined plan for mitigating the vulnerabilities that may arise during a federal shutdown. Equally important is taking proactive steps, such as communicating with congressional representatives and state senators, advocating for measures that hold decision-makers accountable for timely budget passage. A law to this effect would serve as a crucial safeguard, protecting the nation's cybersecurity interests even in times of political turbulence.
Summary
A federal government shutdown can lead to increased vulnerabilities and exploitation by bad actors.
The impact of a shutdown extends beyond the government sector, affecting various industries and the economy as a whole.
Vital services provided by agencies like CISA may be disrupted, impacting the cybersecurity industry and critical infrastructure stakeholders.
Mitigation Strategies:
Develop a plan to mitigate the increased risks during a government shutdown.
Advocate for laws that hold congressional representatives and state senators accountable for timely budget passage.
4.) Loss of Talent Due to Bad Bosses
In a job market where cybersecurity skills are already in short supply, the departure of talent can significantly impact both long-term retention and short-term performance. Such an exodus exposes organizations to heightened cybersecurity risk.
It's often said that people don't leave jobs; they leave their bosses. While this statement might not be entirely accurate, it certainly carries a grain of truth, making it a notion to treat with utmost seriousness.
Bad bosses can manifest in various forms. Some may press employees to compromise their ethical and legal standards, while others display reprehensible behavior toward their subordinates. Bias, whether rooted in race, gender, sexual orientation, religion, or age, is another detrimental trait that can emerge. A lack of interest in an employee's career can also speak volumes about a boss's leadership style. When bosses genuinely care about their employees, it fosters loyalty to both the boss and the organization, reducing the likelihood of staff departures.
In the context of cybersecurity, this issue becomes a critical factor affecting the retention of cyber talent. The presence of a bad boss significantly raises the odds of employees seeking opportunities elsewhere. This departure not only impacts an organization's ability to recruit top talent but also poses challenges in retaining the talent it already possesses.
In response to this challenge, several mitigations can be considered:
360-Degree Reviews: Implementing a 360-degree review process can lead to improved performance assessments, particularly for those in managerial positions.
Workplace Culture: Prioritize the cultivation of an open and inclusive workplace culture, where every individual feels valued and knows they are making a difference.
Whistleblower Provisions: Establish mechanisms to address issues related to bad bosses, including provisions for whistleblowers to report misconduct without fear of retaliation. Holding managers and supervisors accountable for their actions is essential.
To better understand the phenomenon of employees leaving managers, not companies, and to explore potential solutions, the article "Why People Leave Managers Not Companies (And 5 Things You Can Do About It)" offers valuable insights.
Summary
Losing cyber talent due to bad bosses can negatively impact an organization's long-term retention and performance.
Bad bosses can exhibit unethical behavior, bias, lack of interest in employees' careers, or create a hostile work environment.
Addressing bad bosses is crucial for reducing the likelihood of talented staff leaving and impacting recruitment and retention efforts.
Mitigation Strategies:
Implement 360-degree reviews to provide feedback and improve performance management.
Foster a workplace culture that promotes inclusivity and values employees' contributions.
Establish whistleblower provisions to protect employees from retaliation and hold managers accountable.
Wrapping Up
Exploring non-traditional cyber risks should inspire a more comprehensive perspective on cyber risk. It's about transcending the usual technical risks and embracing cyber risk as an integral part of enterprise risk management.
We've delved into a world of non-traditional cyber risks that often fly under the radar, but the journey is far from over. Our exploration has only scratched the surface, and there are countless more uncharted territories to discover. We believe that collectively, we can shed light on additional cyber risks that warrant attention and contemplation.
Your perspective matters, and we invite you to share your thoughts and insights on cyber risks that we may not have covered in this post. Have you encountered unique or unexpected cyber risks in your own experiences? Do you see new angles and dimensions to existing risks? We want to hear from you!
Together, we can expand our understanding of cyber risk and contribute to a more comprehensive, proactive approach to risk management. By sharing your ideas, you'll not only enrich the discourse but also help others in their quest to view risk in novel ways and, ultimately, reduce risks.
Please take a moment to drop your thoughts in the comments or reach out directly. We're excited to collaborate and look forward to including your valuable insights in future posts.
Resources
COSO framework. https://www.coso.org/
What happens to furloughed employees during a government shutdown? https://federalnewsnetwork.com/government-shutdown/2023/09/what-happens-to-furloughed-employees-during-a-government-shutdown/
Cybersecurity must be a priority in the event of a government shutdown. https://www.nextgov.com/ideas/2023/11/cybersecurity-must-be-priority-event-government-shutdown/391749/
People Don't Quit Jobs - They Quit Bosses. https://www.thestreet.com/lifestyle/people-do-not-quit-jobs-they-quit-bosses-14602840
Why People Leave Managers Not Companies (And 5 Things You Can Do About It). https://getlighthouse.com/blog/people-leave-managers-not-companies/