Identifying your cyber risk is a key part of an organisation’s security strategy. Dan Norman, Senior Solutions Analyst, looks at what needs to be considered when evaluating the risks involved.
Organisations and governments around the world must make informed, and often difficult, decisions about how much time, resource and money to spend protecting their business strategies. For hundreds of years organisations have gathered relevant information and applied methodologies to support effective risk management, typically in traditional risk domains such as finance, operations and reputation.
However, one comparatively new risk domain has received far more attention recently: cyber. Digital transformation, technology adoption and the expansion of internet-dependent services have significantly increased the focus on effective cyber risk management. It is now widely acknowledged that cyber threats can significantly disrupt operations and cause financial damage. As organisations develop more technology-dependent strategies, effective cyber risk management will become a key component of how they operate.
Supporting decision making
Cyber brings together several risk disciplines: information risk management, information technology risk management and operational technology risk management. Essentially, the goal of cyber risk management should be to support decision-making by senior managers by providing key information about the cyber-related risks to the organisation’s digital and physical footprint. For example, any digital asset containing, or dependent on, data may now be in scope, such as business applications, corporate devices, and even operational technologies like robotics systems or manufacturing lines.
Moreover, although cyber security is typically associated with technology, one should not forget the risks arising from people or the environment, such as human error or extreme weather events that might disrupt systems. A clearly articulated and frequently updated asset register is crucial to assessing risk across an enterprise: a risk cannot be assessed against an asset nobody knows exists.
Richer, more comprehensive cyber risk management approaches should provide informed and timely information about different threat sources and the likelihood that they might compromise the business. For example, nation states, hacktivists, disgruntled employees and competitors are threat actors, while fires, floods and hurricanes are non-adversarial threat sources; all of them might be relevant to an organisation.
However, context is key: the ‘likelihood of initiation of a threat’ is what determines the relevance of a threat in the context of your business. For example, a small charity is unlikely to be targeted by a nation state actor, but a large multinational weapons manufacturer might well be. Organisations with a rich set of threat intelligence and an up-to-date threat catalogue can make their assessments more robust.
The next step in an effective risk management journey is to profile the controls currently in place and to weigh the strength of each relevant threat against them. For example, a relevant risk to the business might be ‘financial loss resulting from phishing attacks’: employees may be frequently targeted by phishing emails and accidentally share financial details or even send money to attackers posing as real clients. For an organisation with few safeguards this constitutes an impactful cyber risk and warrants attention. A more mature organisation with email filtering, firewalls, strong awareness training and anti-malware software faces the same threat, but its protective, detective and responsive controls reduce the likelihood and impact of a successful attack, so the residual risk is lower and may warrant less attention. The threat does not change; what changes is how much of the inherent risk the controls leave behind.
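The two ideas in the preceding paragraphs, likelihood of initiation set by the organisation’s context and residual risk set by the controls in place, can be made concrete with a small scoring model. The following is an added example, not code from the article or from any published methodology: the 1 to 5 scales, the control effectiveness figures and the two constructed organisations (a charity and a defence contractor) are all illustrative assumptions chosen to reproduce the article’s scenarios. It scores every asset/threat pair, applies each covering control multiplicatively, and returns a register ranked by residual risk.

```python
"""Added example: rank cyber risk scenarios by residual risk.

All scales, weights and sample organisations below are constructed
assumptions for illustration, not a published risk methodology.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # likelihood of initiation in THIS organisation's context, 1-5


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int          # business impact if compromised, 1-5
    threats: tuple       # names of threats relevant to this asset


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # "protective", "detective" or "responsive"
    effectiveness: float # fraction of the risk the control removes, 0.0-1.0
    covers: tuple        # threat names the control applies to


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk before any controls: impact x likelihood of initiation."""
    return asset.impact * threat.likelihood


def residual_risk(asset: Asset, threat: Threat, controls: tuple) -> float:
    """Risk left after every control covering this threat has been applied.

    Controls combine multiplicatively: two 50% controls leave 25%, not 0%.
    A control that does not cover the threat has no effect on it.
    """
    remaining = 1.0
    for control in controls:
        if threat.name in control.covers:
            remaining *= 1.0 - control.effectiveness
    return inherent_risk(asset, threat) * remaining


def risk_register(assets: tuple, threats: tuple, controls: tuple) -> list:
    """Score every relevant asset/threat pair and sort highest residual first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for asset in assets:
        for threat_name in asset.threats:
            threat = by_name[threat_name]  # KeyError = threat missing from catalogue
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "inherent": inherent_risk(asset, threat),
                "residual": round(residual_risk(asset, threat, controls), 2),
            })
    rows.sort(key=lambda r: (-r["residual"], r["asset"], r["threat"]))
    return rows


def example_registers() -> dict:
    """Constructed sample: same asset register, different context and controls."""
    # The threat catalogue is shared; only the likelihood of initiation differs.
    charity_threats = (Threat("phishing", 4), Threat("nation state", 1), Threat("flood", 3))
    contractor_threats = (Threat("phishing", 4), Threat("nation state", 5), Threat("flood", 3))

    assets = (
        Asset("finance mailbox", 4, ("phishing", "nation state")),
        Asset("manufacturing line", 5, ("nation state", "flood")),
    )

    # Immature organisation: a single protective control against phishing.
    immature = (Control("anti-malware", "protective", 0.2, ("phishing",)),)
    # Mature organisation: layered protective and responsive controls.
    mature = immature + (
        Control("awareness training", "protective", 0.4, ("phishing",)),
        Control("payment dual-authorisation", "responsive", 0.5, ("phishing",)),
        Control("off-site failover", "responsive", 0.5, ("flood",)),
    )

    return {
        "charity": risk_register(assets, charity_threats, immature),
        "contractor": risk_register(assets, contractor_threats, mature),
    }


if __name__ == "__main__":
    for org, rows in example_registers().items():
        print(org)
        for row in rows:
            print(f"  {row['asset']:18} {row['threat']:12} "
                  f"inherent={row['inherent']:>3} residual={row['residual']:>6}")
```

Running the sample shows the article’s point: the same phishing scenario against the same mailbox is the charity’s second-highest residual risk (12.8) but the contractor’s lowest (3.84), because three layered controls leave only 24% of the inherent risk, while the nation state scenarios that barely register for the charity dominate the contractor’s register once likelihood of initiation reflects its context.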
There are thousands of possible cyber risk scenarios; the key for organisations is to identify and focus on the most relevant and impactful ones. Senior management typically make decisions about business strategy, but it is the responsibility of the cyber risk management team to provide the right level of detail about the cyber threats that could derail that strategy. It is then senior management’s responsibility to decide whether, and how, to act on that information.