Business leaders are investing in digital transformation to increase competitiveness, drive operational efficiencies, and grow market share. It has never been a better time to capitalize on the advantages of digitalization but with increased reward, comes increased risk.
As we embark on a new year and new decade, it is important that we reflect on the lessons of 2019 to drive our future strategies. Acuity has put together some trends and tips for managing cyber risks to help you prepare for the coming year.
Trend 1: Increased Board interest in cyber security risk
Boards are paying more attention to cybersecurity with more CISOs joining management conversations and cybersecurity spend rising year on year. While this reflects increasing awareness of cyber security risks, there are still continuing challenges in translating technical matters into Board-level discussions.
A PWC survey of 3000 respondents (The journey to Digital Trust, 2018) found that 80% of companies have provided the board with strategies for cybersecurity, however only 27% of them feel comfortable that the board is receiving adequate reporting on metrics for cyber and privacy risk. Evidently, there is still a lack of understanding around how to measure cyber risk and determine the best course of action.
By putting financial measurements on risk, an objective calculation can be used to provide reporting that is widely understood and comparable with management’s tolerance for risk. These insights will be used to shape strategies by enabling security and risk professionals to speak the language of business leaders, aid decision-making and optimize security investments. Cost/benefit analysis will help organizations determine how to gain the best ROI.
Tip: Consider quantitative risk assessment methods
Last year, we highlighted how the introduction of quantitative methods for cyber security assessments can allow organizations to understand their financial exposure from cyber risks.
In most cases, loss scenarios can be estimated in financial terms – even publicly funded or ‘not for profit’ organizations compete for funds and incur financial costs. Reputational and strategic impacts have a way of materializing later as financial costs from customer churn, difficulty in winning new business and so on.
It is a common misconception that quantitative risk assessment is complex and requires lots of historical data on previous incidents. In fact, practical and statistically-sound financial assessment of operational risks, which reflects the ‘real-world’ uncertainty in risk and allows aggregation is easy
with the right tools.
STREAM supports quantitative risk assessments, the data from which can then be used to perform risk-based prioritization of security improvement and model the ROI from potential security investments. Boards understand numbers, and quantitative risk assessment methods can provide risk teams with the ability to speak the same language as the Board.
Trend 2: Increased demand for Vendor Risk Management
While managing internal risks is highly important, it is imperative not to forget that risks can also be inherited from vendors and the wider the supply chain. This is a rising challenge as organizations increasingly share sensitive and business-critical information with the wider ecosystem.
Due to the dynamic nature of risk, it is important to understand suppliers’ risk profiles and security capabilities before entering a relationship and for the duration of the relationship. With some firms having thousands of suppliers this can be a daunting challenge.
Tip: Increase consistency
The most common approach to vendor risk management has involved asking vendors to complete and return questionnaires with supporting evidence. Apart from the shear volume of administration effort involved, these approaches suffer from some serious problems:
- Vendors can be less than honest in their questionnaire responses
- Assessments are ‘point in time’ and can be out of date shortly after completion
- Questions tend to focus on controls and compliance rather than primary indicators of risk, such as threats, vulnerabilities and incidents.
Organizations should take a risk-based approach to Vendor Risk Management at two levels:
- Prioritizing vendors based on level of dependency, e.g. because they handle highly sensitive data or provide time-critical services
- Understanding actual risks posed by vendors and across the supply chain by reducing check-box compliance activity and monitoring (for high dependency vendors) security ratings / threat intelligence services, security performance metrics and incident history.
By monitoring what happens in practice, organizations can gain greater insights into vendor risk and use these to manage business exposure down to acceptable levels. All of this requires a platform which is capable of efficiently handling the information capture, analytics and reporting in close to real time.
Trend 3: Ever-increasing data protection and privacy regulations
As we enter 2020, data protection and personal privacy rights continue to grow in importance. In 2019, the General Data Protection Regulation (GDPR) was joined by similar laws in regions such as Australia, Brazil and Canada. It is undeniable that data breaches will continue to be one of the biggest concerns for businesses worldwide; in fact, a 2019 survey by KPMG found that 91% of technology leaders believe that data privacy and trust will be as important as their product/service offering in customer attraction. With this in mind, it is not surprising that businesses of all sizes are devoting more time and effort into data privacy and cyber security.
Tip: Growing effort to demonstrate a risk-based approach to privacy management
Not only will regulators be demanding security and privacy assurance but also customers and investors. It will be more important than ever for firms to get their arms around security efforts and demonstrate transparency in order to win business.
New privacy regulations are risk-based and it will be essential for organizations to record, assess, manage and review both privacy and security risks to the processing of personal data. As part of this, accountability must be established and evidence of activities and decisions must be chronologically logged. This will give confidence on a day-to-day basis but also, be used as mitigating evidence in the event of a data breach.
Trend 4: Increasing adoption of flexible integrated risk management platforms
Cyber, privacy and vendor risks have all escalated in recent years with potential to cause material damage to organizations, alongside more traditional enterprise risks. As mentioned above, these new risks require some quite specific attention with specialist tools but the Board wants an overall consolidated view of risk status across all material enterprise risks so that it can prioritize and allocate resources accordingly.
Spreadsheets or parochial enterprise risk management tools that simply imitate spreadsheet functionality do not have the capability to address these new risks to business for the 2020s so we will see the increasing adoption of flexible integrated risk management platforms that can adapt to the changing risk environment.
Tip: Consolidate multiple risk management systems into a fully integrated system
Organizations should aim to bring these traditional and new risk management disciplines together as value can be derived by centralizing these activities onto one, platform. Breaking silos and connecting the dots will enhance:
- Efficiency: sharing data across teams, minimizing duplication of effort
- Accuracy: reducing guess work and errors
- Consistency: forcing the adoption of a common language to avoid misalignment
- Reliability: scheduling, reminders and workflow for critical tasks and processes
- Visibility: holistic risk view, with consolidated, close to real-time and on-demand reporting.
Consolidation of risk management has been one of Acuity’s core beliefs and a key value proposition of STREAM. This fundamental approach is still crucial to gain a true insight into an organization’s risk status. Ultimately this will also enable better decision-making for prioritization, investment and resource allocation.
There are undeniable benefits to risk management but huge challenges that need to be overcome.
As we embrace digitalization, the most serious risks to business are changing to include cyber security, privacy, vendors and the wider supply chain.
To survive this dynamic environment, organizations must modernize their approaches and equip themselves with the suitable tools to stay competitive. By moving away from siloed activities to having multiple risk functions under one umbrella, organizations can get a better grasp on their risk, compliance and security. Luckily there are sophisticated tools available which make it possible to make risk manageable.
Acuity has an award-winning platform and extensive knowledge to fast-track your journey to quantifiable, automated, integrated risk management. With over 15 years of experience, Acuity has been helping organizations around the world across various industries. Let our innovation guide you to stay ahead of the game in 2020. For more information or to arrange an introductory call, please contact us.