For a long time, cybersecurity was the domain of specialised technology teams within organisations, which kept IT operations and risk siloed away from the wider business. Cybersecurity is now a topic gaining attention around Exec and Board tables in today’s digital world. Terms like cyber activism, ransomware, and cyber terrorism haven’t been around all that long but are set to become permanent fixtures when discussing risk at a strategic level.
Taking a step back from the ‘nitty gritty’ of specific technology risks, a good starting point can often be understanding the organisation’s overall cyber risk posture – because let’s be honest, Exec teams are much more at home discussing risk management, as opposed to jumping straight into why you need $1m worth of network upgrades to address a newly discovered cyber threat!
But understanding the true extent of this cyber risk also means measuring its potential impact on your organisation. This is something we’ve seen an increasing number of partners and customers explore, and we’ve noted a few of the learnings we’ve picked up along the way, which we summarise as:
- Industry standards are important
- Know all your exposure points – and minimise them
- Report through to decision makers “in their language”
Keep reading to find out more about each of these.
1. Industry Standards are Important
Industry standards can be an excellent way to accurately and consistently identify cyber risk. A good example of this would be the Factor Analysis of Information Risk (FAIR) model developed by the FAIR Institute. This international standard starts by looking at the Loss Event Frequency (LEF) alongside the Loss Magnitude (LM), before drilling down into an individual threat’s primary and secondary loss potential.
Other well-known standards include ISO 27005 and NIST SP 800-30, both of which are mentioned in Requirement 12.2 of the PCI standard itself, again stressing the importance of having a consistent approach to Risk Management. Unsurprisingly for an organisation steeped in the world of PCI Compliance, we see real value in these types of models, which add consistency, rigour and credibility to each risk that is analysed, reported and presented.
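To make the LEF and LM factors concrete, here is an added Python sketch (not code from the article or from the FAIR Institute) that combines them into an annualised loss figure, both as a single most-likely estimate and as a Monte Carlo range. It assumes the FAIR decomposition LEF = threat event frequency × vulnerability and LM = primary loss + secondary loss event frequency × secondary loss magnitude; the scenario ranges are constructed sample values, not figures from the article.

```python
# FAIR-style quantification: annual loss = LEF x LM. Added illustration; ranges are constructed.
import random
from dataclasses import dataclass

@dataclass
class Range:           # three-point estimate: minimum, most likely, maximum
    low: float
    likely: float
    high: float

def pert_sample(r: Range, rng: random.Random, lam: float = 4.0) -> float:
    """Draw from a PERT (scaled beta) distribution over [low, high]."""
    if r.high == r.low:
        return r.low
    span = r.high - r.low
    alpha = 1 + lam * (r.likely - r.low) / span
    beta = 1 + lam * (r.high - r.likely) / span
    return r.low + rng.betavariate(alpha, beta) * span

@dataclass
class Scenario:
    name: str
    tef: Range            # threat event frequency (events per year)
    vulnerability: Range  # probability a threat event becomes a loss event
    primary_loss: Range   # direct cost per loss event
    slef: Range           # secondary loss event frequency (probability)
    secondary_loss: Range # cost of secondary effects (fines, churn) per event

def annual_loss(tef, vuln, primary, slef, secondary) -> float:
    """LEF x LM, where LEF = TEF x vulnerability and LM = primary + SLEF x secondary."""
    return (tef * vuln) * (primary + slef * secondary)

def point_estimate(s: Scenario) -> float:
    """Single most-likely annualised loss figure for the scenario."""
    return annual_loss(s.tef.likely, s.vulnerability.likely, s.primary_loss.likely,
                       s.slef.likely, s.secondary_loss.likely)

def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the ranges; returns mean and percentiles of annual loss."""
    rng = random.Random(seed)
    fields = (s.tef, s.vulnerability, s.primary_loss, s.slef, s.secondary_loss)
    losses = sorted(annual_loss(*(pert_sample(f, rng) for f in fields))
                    for _ in range(trials))
    return {"mean": sum(losses) / trials, "p50": losses[trials // 2],
            "p90": losses[int(trials * 0.9)]}

# Constructed scenario: ransomware on a card-processing host (illustrative values only).
RANSOMWARE = Scenario("ransomware on card-processing host",
                      tef=Range(0.5, 2, 6), vulnerability=Range(0.05, 0.2, 0.5),
                      primary_loss=Range(50_000, 200_000, 800_000),
                      slef=Range(0.1, 0.4, 0.9), secondary_loss=Range(20_000, 150_000, 1_000_000))
```

The point estimate for the constructed scenario comes out at 104,000 per year, while the simulation's p90 shows how much wider the exposure is once the upper ends of the ranges are taken into account.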
2. Know Your Exposure Points – and Minimise Them!
For those starting out on their cyber journey, one activity that really helps is an initial ‘stock take’ of current cyber threats and overall risk position. A security audit or gap analysis can readily identify key areas of risk (where loss frequency and magnitude are both considerable), as well as highlight those ‘quick wins’ that don’t require substantial investment but greatly reduce vulnerability to any sort of data compromise.
The key thing here is to ensure that you review your entire organisation, from systems and processes through to policies, training and culture. We’ve developed a helpful guide to conducting an initial Risk Assessment in one of our previous articles. The essentials are to define your process, understand the actual cost of a risk being exploited and keep evolving your mitigation plan over time – and remember, simply saying your mitigation is “PCI Compliance” is not enough; always ask ‘why?’ and ‘how?’ a specific control leads to risk reduction.
3. Report to Decision Makers “In Their Language”
So now that you’ve done the analysis work and identified/measured each cyber risk, what next? Generally, it’s time to deliver this information to interested parties that are in a position to approve remediation action – particularly when investment is required.
As touched on at the start of this article, these forums are not generally an audience attuned to the ‘ins and outs’ of new technology threats, which are often heavily steeped in jargon. This makes it even more important to report this information to decision makers in a way that is both consumable and action orientated. Focus on concepts like:
- Quantified risk,
- Business impact,
- ROI for security investments, and
- Recommended next steps and timelines.
A great additional resource to support your work pulling this together is the Institute of Directors’ recent cyber risk “Practice Guide”, which groups cyber risk management into five core principles.
So as we get started with 2022, let’s continue to flip the Cyber conversation from one of detailed technical controls to one of managing & measuring cyber risk. We’ve worked with organisations at every stage of this journey, and if it sounds like something for you – get in touch today!