Cybersecurity is not the only Technology Risk
Cybersecurity is not the only technology risk. In fact, when you total up actual losses, it is likely not even the biggest risk, although I think it is the risk which is increasing the most and has the highest potential existential impact.
Ignoring wider business risks (process, financial, strategic, legal/regulatory) - just focusing on technology risks:
Failed projects. Actual and opportunity costs of large-scale failed projects and the organizational consequences of failed transformation.
Software errors. Not just security vulnerabilities but regular bugs/errors/design flaws that cause outages, processing errors and financial loss.
Hardware and telecommunications issues. Failures associated with outages of systems and networks.
Accumulation of end-of-life systems with consequent lack of preventative maintenance.
Capacity. Failures under load causing losses due to outages or incomplete transactions.
The list could go on.
There are four main points here:
To focus exclusively & exhaustively on cyber at the expense of the other risks (falling victim to the wrong side of the Risk = Hazard + Outrage formula) will result in bad outcomes.
More importantly, the best mitigations for cybersecurity risk are also great mitigations for all the other risks - solid IT project management aligned to business objectives delivered incrementally, improved software development and testing, resiliency engineering, incident learning/continuous improvement, engineering for scale and capacity testing, predictable configurations, system isolation, and so on. The best organizations at cyber are also obsessed with the other risks and treat this as a whole portfolio of risks.
Managing these as a portfolio of risks enables a better selection of control practices. For example, in some cases security decisions can increase brittleness and reduce resilience; managing risks together reduces the instances of these negative combinations. Controls in each risk category can enhance or degrade the controls in other risk categories. Managing them as a portfolio increases the likelihood of positive selection and also increases efficiency by finding controls that mitigate multiple risks.
Management oversight. Board or other risk metrics can be expressed over a set of risks, an important by-product of which is the shared accountability of all the leaders across that range of risks, from CIO/CTO and CISO to COO and CFO. For example, if the Board holds management accountable for appropriate investment in reliability and elimination of end-of-life systems, as opposed to just holding the CISO accountable for patch levels that can’t be achieved on end-of-life systems, then the right outcome is more likely.
As an aside, I remember July 8, 2015 well. The New York Stock Exchange had an outage for most of the day. United Airlines were grounded, globally, for most of the day. The Wall Street Journal web site was down. The news media were hypothesizing a wide-scale cyber-attack. But this was, respectively, a software error, a network outage and a web site capacity issue. There were plenty of other issues that day that didn’t get coverage - all related to software/hardware issues, and I’m sure plenty of failing IT projects were unfolding as well. However, this was also about the time of the OPM breach - so there were some cybersecurity issues going on - although when you look at the OPM breach and plenty of others there are many non-cyber root causes to go around as well.
Bottom line: cybersecurity risk is but one (albeit extremely important) risk in a portfolio of other risks. Portfolios of risk need to be managed taking into account the dependencies (positive and negative) between the mitigations.