A CEO’s mission is increasingly dependent on technology. If you’re a C-level executive, you know that any disruption to your information systems can interrupt your operations, lower your supply chain, affect your reputation and compromise customer data and intellectual property. According to the 2017 Cost of Data Breach Study by the Ponemon Institute, the global average cost of a data breach is $3.62 million.
Important Cyber Risk Management Concepts
Involve Cyber Risks in Current Risk Management and Governance Processes
Cybersecurity is more than enforcing a checklist of requirements – cybersecurity is about being aware of and understanding current threats.
Start Cyber Risk Management Discussions With Your Team
Interact regularly with those who are responsible for managing cyber risks within your organization. By increasing your awareness of the potential threats to your business, you will better understand the impact a cyber incident could have upon it.
Enforce Industry Standards and Best Practices – Do Not Depend Upon Compliance
A robust cybersecurity program takes into account industry standards and best practices to safeguard systems and tracks potential problems; it also notes new threats and allows on-time response and recovery.
Analyze and Control Particular Cyber Risks
Determining critical assets and related impacts from cyber threats is important to understanding an organization’s exposure to risk – whether competitive, reputational, financial or regulatory. Risk assessment results can help executives to identify and prioritize particular protective measures, assign resources, notify long-term investments and implement policies and strategies.
Provide Oversight and Review
Executives have responsibility for managing and ensuring enterprise risk management. Managing cyber activities involves the continuous evaluation of cybersecurity budgets, IT outsourcing, cloud services, incident reports, IT acquisition plans, risk assessment results and top-level policies.
Develop and Track Incident Response Plans
Even a secure organization will need to be prepared to address and control cyber threats and/or deal with cyber incidents at some point in time. Network security should be an equal priority to other risks, such as those involving finances and reputation.
“What is plan B?” incident response plans should be practiced every day.
Coordinate Cyber Incident Response Planning Throughout the Organization
Responding quickly to cyber incidents can prevent or limit possible damage and requires coordination with your business leaders and stakeholders – this includes the chief information officer, the chief security officer, operators, the general counsel, the chief information security officer, public affairs and human resources. Make sure you integrate cyber incident response policies and procedures with current disaster recovery and business continuity plans.
Keep Up Awareness of Cyber Threats
Evaluating, managing and improving the cyber risk management processes, embedding risk data from different sources, active participation in threat information and sharing with partners helps organizations find and respond to incidents speedily and ensure that companies are prepared to mitigate threats.
Risk Management Process
You should begin with a cybersecurity framework structured around each area of the business to ensure an ideal risk posture.
Guidance Software advises utilizing new technologies that can identify and map data throughout the enterprise. As soon as data is mapped, enterprises make actionable decisions on how to govern it and minimize their risk footprints. For instance, even with cybersecurity training and a stable security culture, confidential information can leave an enterprise simply by accident (e.g., data stored in secret rows in spreadsheets or incorporated in notes within employee presentations or lengthy email threads). Scanning the business for essential data at rest and then eliminating any data stored where it does not belong helps to minimize random data loss.
Deloitte advises that the risk management process takes into account the five-level Capability Maturity Model approach:
- Initial (ad hoc, chaotic and individual heroics): the beginning point for the use of an undocumented repeat process
- Repeatable: the process is documented perfectly, and repeating the same steps may occur
- Defined: the process is explained and affirmed as a standard business process
- Controlled: the process is quantitatively managed as per agreed-upon metrics
- Optimizing: the process management involves deliberate process optimization/improvement
When the risk posture is concluded, scrutinize the enterprise’s technology infrastructure to understand a baseline for the current risk posture and what the enterprise needs to shift from the current to the required state of risk exposure.
If these proactive steps are taken, there will be less risk exposure and less potential to fall victim to a cyberattack.
Deloitte also advises performing a risk/reward calculation, then standardizing those network security enhancements to achieve the greatest improvements at minimal cost. There should be incremental steps and goals, like five percent improvement within five months, that can be calculated to measure whether the enterprise is moving toward its desired cybersecurity risk posture.
Cybersecurity risk management is a continuous process; the National Institute of Standards and Technology (NIST) Framework is a helpful “living document” that is continually revised and updated as per requirements. Once an enterprise performs its original risk assessment and progresses from the existing to the desired risk posture, periodic or regular assessments should be performed to look for new vulnerabilities that will need to be addressed and managed.