Cyber crime is a global issue of massive proportions. According to RiskIQ* research, it costs organizations ‘$2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches’. Cisco** data estimates that DDoS (distributed denial of services) attacks ‘will grow to 15.4 million by 2023, more than double the 7.9 million in 2018.’
Last year Sword GRC invited risk management and cyber-security risk expert, Jane Teh from training and consultancy specialists, Reds11, to present a webinar exploring how a well approached and comprehensive cyber risk posture can bring value to organizations.
The full webinar, ‘Effective cyber risk posture: the value proposition of cyber security’ is available to view free of charge and this blog post features highlights from Jane’s presentation.
PLUGGING THE ‘SECURITY HOLE’ AND REDUCING THE LEVEL OF RISK
Jane defines cyber security posture as the “strength of a company’s cyber security policies and controls and how effectively they mitigate risk,” asking risk professionals to consider how strong defenses are against vulnerabilities or threats and whether critical and often sensitive data is as safe as it needs to be.
“Cyber security posture looks at the operational and governance controls surrounding the protection of assets… Before doing cyber security postures, I would recommend that you should always consult with your internal cyber security or IT security team or any outsourced consultant to understand the vulnerabilities leveraged by hackers; how they can exploit these based on your asset classifications.”
Cyber risk assessment, according to Jane, refers to the measures an organization takes to fortify security posture. A cyber security risk management framework can strengthen the security of your IT infrastructure and enable your C-suite to make more informed risk management decisions.
“With cyber risk assessment we consider what the risks are and what measures are put in place to protect the organization. For example, adopting cyber insurance policies that cover risk areas to reduce impact or improve counter attack capabilities.”
Her belief is that understanding cyber security posture and cyber risk assessment will help in the allocation of resources and justification of expenditures.
THE IT DEPARTMENT ALONE CANNOT TACKLE CYBER SECURITY
“Many top executives treat cyber risk as an IT issue and delegate it to the IT department. This is a natural reaction, given that cybersecurity is a technical issue at its core. But defending a business is different from protecting servers. Defending a business requires an understanding of the value of risk, based on an understanding of business priorities, the business model and value chain, the corporate risk culture, roles, responsibilities and governance.”
CYBER RISK IS NOT A ‘COMPLIANCE’ ISSUE
Jane explains that frequently introducing new cybersecurity procedures and checklists often brings about undue focus on formal compliance rather than building resilience. “Even when all boxes on the Chief Security Officer’s checklist are ticked, the company may be no less vulnerable to cyberattacks than before. In short, traditional responses are inadequate. To counter the growing threat, to accommodate the growing complexity of corporate networks and to keep up with the quickening pace of change, a new posture is called for.”
HOW TO BRIDGE BUSINESS AND TECHNOLOGICAL LANGUAGE BARRIERS
“If the essence of the message is not understood, then no action will be taken by any party. If the threat is imminent, poor communication will leave assets fully exposed.” Jane suggests five ways to help bridge the communication gap:
- Establish a universal security business vocabulary — share a glossary sheet with shareholders
- Build stronger vendors and a more resilient security ecosystem
- Don’t report meaningless numbers — provide the ‘business story’ and illustrate how problems are being solved
- Translate technology for business — align easy-to-understand metrics to key business functions and objectives
- Have open, cross-board expectations of reporting, layout, metrics and detail levels
HOW TO DEVELOP AN EFFECTIVE RISK POSTURE
Jane suggests that organizations with effective cyber resilience and robust cybersecurity measures are safer and more valuable. To develop an effective risk posture, she recommends a four-step repeatable process:
- Discover — draw up an assets inventory (for the organization and subsidiaries)
- Assess — once all assets have been classified, consider the types of and likelihood of attack vectors
- Analyze — look at other vulnerabilities and controls for highly exposed assets based on business criticality
- Implement — assign owners, set goals, test and review outcomes
“Do not forget to update asset inventories as assets are added or removed and be sure to keep pace with the changing attack landscape that may be targeting your industry or any other that may affect yours.”
ROI — THE VALUE OF SECURITY EXPENSE
When considering how much should be spent on security and what is the return investment, Jane believes that security is itself a cost saving exercise. “ROI used in measuring cyber security is inaccurate… It is an expense that pays for itself in cost savings. Security is about loss prevention rather than profitability, in the same way that we take out medical insurance so that should we one day need medical attention, we needn’t fear that we do not have the funds required.” While security cannot produce ROI, “loss prevention certainly affects a company’s bottom line.
“The main concerns of the C-suite are, ‘What asset is being exposed? How likely is it to happen? What will be the impact on the bottom-line?” Jane points out.
Value added metrics (VAM) and key risk indicators (KRIs) can be used to calculate Annual Loss Expectancy (ALE). Jane advises that accurate, high-quality data is key in assessing the cost of damages. If it is available to you, tap into actuarial expertise and data of similar threat occurrence. Organizations are moving now towards using outcome-based data which will be most useful in future planning and investment.
It is the combination of these three (VAM, KRIs and ALE) measurements that she believes “should present a board-visible loss prevention, with solid cost savings on the bottom line.”
Watch Sword GRC’s webinar: ‘Effective cyber risk posture: the value proposition of cyber security’
BEST-IN-CLASS RISK MANAGEMENT SOFTWARE
Discover Sword GRC’s Active Risk Manager, the leading risk management software solution for project to enterprise risk.
* The Evil Internet Minute 2019 | RiskIQ
** Cisco Annual Internet Report — Cisco Annual Internet Report (2018–2023) White Paper — Cisco
