It’s the Season of Lists - Time for a Meaningful Risk List

I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event.

We are now at the forefront of a world of digital transformation. Beyond being a buzz word digital is part and parcel of our daily lives today.  According to the World Economic Forum report earlier this year, cyber-attacks and date theft/fraud bubbled up to number two and three of the top five threats in terms of likelihood of occurrence and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you’re either an organization that has been breached or you’re going to be, there is a lot of chatter about investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge and measurement of risk is key.

Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below.

• What are your top 5 cyber risks based on priority?

• Can you describe the actual loss impact in business terms for each of your top 5 risks?

• How are these cyber risk impacts aligned to your risk appetite?

•Are you truly reporting on cyber risks or is it compliance driven with reporting on control effectiveness? 

• Have you considered how you plan to deal with the current risks, emerging risks and treat these risks on an ongoing basis?

A common business edict is: “If we can measure it, we can manage it.”  In the security space, the term GRC (Governance, Risk and Compliance) is common, but typically most organizations have been driven by the compliance focus. Spending has been primarily compliance driven, and along the way, too many risk assessments have been conducted with a checklist approach. As you plan for the 2019 cybersecurity budget, here are four handy tips to consider that can help cut to the core of cyber risk management.

1. Risk counts, but don’t just be counting

Counting all the risks – as an end – is just a part of thorough risk identification. The question is not, in any case, how many risks you can think up, but what is relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives.

2. Ongoing debate of Qualitative versus Quantitative

The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind you must back the risk with data to differentiate the levels of risk.  After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step will be to understand what Risk Mitigation strategies are required, with what priority, invoking what resources.

3. Continuous Cyber Risk Monitoring

Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place.

4. Know your Risk Appetite

Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing; and getting close to secure is elusive. The current level of controls for security and privacy that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize. It is a truism that different types of risk require different types of defensive strategies. A more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring.  The key is to balance risk versus reward.

Conclusion

Risk management is at a fascinating point in its evolution. It is now recognized to be not only fundamental to an organizations financial stability and regulatory compliance, but also an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and tolerance for risk.  All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap that will help them reduce their risk as their business expands. How are you able to identify and address new risks quickly while you deliver new technologies? Would love to hear successful techniques and insights on your partnership with finance, operations, and the businesses as we move to the risk function of the future?