WORLD | Oct 4, 2022

Fundamental concepts to manage cyber risk

Renee Tarun, deputy CISO and vice president for information security at Fortinet.

Risk management can’t be a one-and-done activity.

Many organisations make this mistake.

They do a risk assessment and then they say, “All right, we’ve checked that box on our compliance checklist.”

And then they don’t think about it again and get back to day-to-day operations—but all day-to-day operations involve risk. Everything relies on ensuring the business can operate safely and effectively. Therefore, cyber risk management must be a continuous process.

It comes down to this: there is always risk because the threat landscape is evolving regularly and rapidly. Operating environments and network landscapes are also changing frequently as organisations move to cloud, multi-device and hybrid environments, and risk exposure grows with each of these changes. For example, every time a new server or new device is added to the network, a new potential risk is also added. With threat exposure being so dynamic, organisations should always be measuring their risk.

The Cyber Risk Assessment Process

This is how NIST (National Institute of Standards and Technology) recommends cyber risk assessments should be conducted within the risk management process: 1) evaluate the cyber risk, 2) evaluate the response to it, and 3) monitor it. Rinse and repeat. I think this is a good guiding light to keep in mind. Below are some additional tips to add context for managing cyber risk.

What Is Cyber Risk?

Cyber risk is defined as the “risk of financial loss, disruption, or damage to the reputation of an organisation from some sort of failure of its information technology systems”.

To quantify risk, tech professionals use a simple equation: Threat x Vulnerability x Consequence = Cyber Risk.

This is a standard formula for determining risk, though some experts replace “consequence” with the word “impact”.

Perhaps, the best word to use instead of “consequence” or “impact” in this equation is “damage”.

So, when figuring out cyber risk, the team always needs to ask: “If the system/data is breached or becomes unavailable, how much damage will there be to our reputation or operations?”

Conducting Cyber Risk Assessments Is Key

Cyber risk assessments “are used to identify, estimate, and prioritise risk” to any organisation’s operations, assets and individuals. The rationale for doing cyber risk assessments is that they can help organisations:

  • Avoid breaches and security incidents
  • Reduce long-term costs
  • Prepare for future investments
  • Improve cross-organisational collaboration
  • Meet compliance requirements

There are eight questions that, once they are answered, will provide organisations with the guidance needed to successfully complete a thorough cyber risk assessment:

  1. What are our organisation’s most important IT assets?
  2. What data if compromised would have a major impact on our business whether from malware, cyberattack, or human error?
  3. What are the relevant threats and the threat sources to our organisation?
  4. What are the internal and external vulnerabilities?
  5. What is the potential damage if those vulnerabilities are exploited?
  6. What is the likelihood of exploitation?
  7. What cyberattacks, cyber threats, or security incidents could affect the ability of the business to function?
  8. What is the level of risk the organisation is comfortable taking?
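As an added illustration (not part of the article), the following Python script applies the article's Threat x Vulnerability x Consequence formula to a small, constructed risk register, ranks the assets (questions 1 to 7) and flags anything above the organisation's stated risk appetite (question 8). The 1-to-5 rating scale, the register entries and the appetite threshold are all assumptions made for the example.

```python
from dataclasses import dataclass

# Rating scale assumed for this example: each factor is scored 1 (low) to 5 (high).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # Q1/Q2: the IT asset or data set being assessed
    threat: int         # Q3/Q6: relevant threats and likelihood of exploitation
    vulnerability: int  # Q4: how exposed the asset is, internally and externally
    damage: int         # Q5: damage to reputation or operations if breached

    def __post_init__(self):
        # Reject ratings outside the assumed scale so a typo cannot hide a risk.
        for name in ("threat", "vulnerability", "damage"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}")

    def cyber_risk(self) -> int:
        # The article's formula: Threat x Vulnerability x Consequence (here "damage").
        return self.threat * self.vulnerability * self.damage


def assess(register, risk_appetite):
    """Rank entries by risk, highest first, and flag those above the appetite (Q8)."""
    ranked = sorted(register, key=lambda e: e.cyber_risk(), reverse=True)
    return [(e.asset, e.cyber_risk(), e.cyber_risk() > risk_appetite) for e in ranked]


# Constructed register for a fictional organisation; the values are illustrative only.
REGISTER = [
    RiskEntry("customer database", threat=4, vulnerability=2, damage=5),
    RiskEntry("public website", threat=5, vulnerability=3, damage=2),
    RiskEntry("HR file share", threat=2, vulnerability=4, damage=3),
]
RISK_APPETITE = 30  # constructed threshold: the highest product leadership will tolerate

if __name__ == "__main__":
    for asset, score, over in assess(REGISTER, RISK_APPETITE):
        print(f"{asset:20s} risk={score:3d}  {'EXCEEDS appetite' if over else 'within appetite'}")
    # Risk management is continuous: adding one device changes the ranking immediately.
    updated = REGISTER + [RiskEntry("new jump server", threat=3, vulnerability=5, damage=4)]
    print("after adding a device, top risk:", assess(updated, RISK_APPETITE)[0])
```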

There are several common pitfalls that could hinder or undermine an organisation’s efforts to conduct an accurate cyber risk assessment. They include forgetting to address third-party risk and having tunnel vision regarding scope—focusing on one area versus looking at the bigger picture. Other possible errors are: assessing without having context, failing to assess regularly, not incorporating cyber risk into the organisation’s overall risk, and relying solely on assessment tools—sometimes you need to go and actually talk to the humans.

Not Just One Team’s Responsibility

In many organisations, it’s assumed that responsibility for managing cyber risk belongs only to the IT and security teams, but this is incorrect. Cyber risk must be every employee’s responsibility. Risk should be managed – doing risk assessments and meeting compliance requirements – as part of the organisation’s overall risk, including physical risk and operational risk. Cyber risk management is a team sport.

It’s critical to determine who conducts a cyber risk assessment. Many organisations leverage their internal IT staff, as the assessment requires people with a deep understanding of how the digital and network infrastructures work. Some enterprises, along with SMBs, may want to hire third-party risk assessment specialists to assist them. However, it’s also important to involve high-level executives and business owners who understand the various information flows involved; visibility across the organisation is critical for a thorough cyber risk assessment.

Contributed by Renee Tarun, deputy CISO and vice president, information security at Fortinet
