Cyber risk appetite
- The team at CxB

- Jul 23
The concept of cyber risk appetite is an interesting one for boards. I've heard some say they have 'zero' appetite for cyber risk. If that was true, they'd be closing down digital operations and reverting to paper!

For boards, it's more helpful to think about risk appetite as 'what you're prepared to sacrifice in exchange for cyber security'.
Low appetite means you'll be pulling the plug on services at the merest hint of an attack, even if it turns out to be a false positive. Prioritising security over user experience. Saying no to partners without accreditations.
These decisions are short-term expensive for commercial businesses, especially in low margin sectors. So most don't operate in that way. Their cyber risk appetite is high, not by choice but by default. That's an uncomfortable place to be for boards, and perhaps explains why we hear platitudes about 'zero risk'.
What those board members are actually saying is "I really, really don't want my organisation to be attacked." Good. So what are you prepared to sacrifice?
(Inspired by great discussion last week at a lunchtime gathering of public sector NEDs, ably convened by Odgers and the fabulous David Jones.)

