Three Ways to Attain Value from Cyber Risk Management in 2019


Cyber-attacks were the top risk for doing business in 2018 in North America, Europe, East Asia and the Pacific (World Economic Forum). This is forcing business leaders to improve their cyber security and risk management processes.

Ultimately, risk management is about making the right decisions to achieve the desired outcomes. We do that by identifying the urgent actions and priorities required to bring risks down below the risk tolerance level. That can be very difficult, because many factors need to be considered (some known, some unknown).

Below are three ways to attain the most value from your cyber risk management processes over the next year.
 

1. Demand for improved risk visibility

Organizations of all sizes and industries face the daily threat of cyber-attacks, but the types of risk vary from industry to industry and even from business to business. A staggering 70% of organizations believe that their security risk increased significantly in 2017 (Ponemon Institute's 2017 Cost of Data Breach Study), so what can be done?

In order to have effective risk management processes, organizations require clear visibility into the risks they face and the various related factors which could affect their risk status (as illustrated below). This will allow decisions to be made around which risks to accept and where to set the risk tolerance thresholds. 

Integrated Risk Management
Since these elements are interrelated, recording this information in a single data source (such as a flexible GRC solution) allows for a more complete visualization of the risks you face and understanding of the knock-on effects. 
 
Once this is understood, the next challenge is presenting the relevant information to senior management in a manner that informs decision-making. For example, knowing the top ten risks to the organization (or to a key business unit) shows which areas to prioritize and therefore where to invest time and resources.
Over the next twelve months, we envision that senior management will demand better reporting and insights, so up-to-date information will need to be available on demand. Without real-time visibility, making the right decisions quickly will become increasingly difficult.
 
 

2. The shift towards quantitative risk assessment

Sixty-four percent of organizations have formally evaluated the effectiveness of their spending on cyber security (Ipsos MORI Social Research Institute, 2017), but a study by EY estimated that 87% of organizations still believe that they don’t have sufficient budget to implement the appropriate cybersecurity measures they need (EY Global Information Security Survey 2017-18). So why is that?

Typically, qualitative risk assessments have been used for cyber risk management because historical data is scarce, but a qualitative rating does not express the financial impact of a cyber risk. In 2018 we saw real progress in quantitative risk assessment, and with the right tools it is now possible to apply the statistical techniques used in financial risk management to cyber security. This has been a hot topic in recent months because quantitative techniques produce more accurate and informative results than the traditional approach.
 
In 2019, we predict that organizations will take a greater interest in understanding the financial impact of cyber risks, particularly given the penalties that regulators such as the Financial Conduct Authority (FCA) and similar bodies around the world can impose. Last year the FCA fined Tesco Bank £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.

By knowing which risks could have the most severe financial implications (for example loss of personal data), businesses can identify their most critical risk areas and decide which weakly implemented controls to strengthen first. To do this, a quantitative approach is needed (alongside or instead of qualitative methods) to estimate the expected loss. The value here comes from being able to maximize the ROI of cyber security spending and set appropriate budgets.
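As an added worked example (not code from the article or from any vendor tool), here is a Monte Carlo estimate of annual expected loss for a single risk scenario, in Python. The model is an assumption: events arrive as a Poisson process with an assumed rate, each event's loss is lognormal around an assumed median, and the risk tolerance is a cap on the 95th percentile of annual loss. Every number (EVENTS_PER_YEAR, MEDIAN_LOSS_GBP, LOSS_SIGMA, RISK_TOLERANCE_GBP, the control cost) is a constructed placeholder, not a figure from the page. It goes one step beyond the paragraph by comparing expected loss with and without a control, which is the ROI question the text raises.

```python
import math
import random

# Constructed inputs for one scenario ("loss of personal data" from one system).
# These are illustrative placeholders, not figures from the article or any incident.
EVENTS_PER_YEAR = 0.5            # assumed event frequency (Poisson rate, lambda)
MEDIAN_LOSS_GBP = 200_000.0      # assumed median loss per event (lognormal, mu = ln(median))
LOSS_SIGMA = 1.0                 # assumed spread of per-event loss (lognormal sigma)
RISK_TOLERANCE_GBP = 500_000.0   # assumed appetite: 95th-percentile annual loss must not exceed this
CONTROL_COST_GBP = 50_000.0      # assumed annual cost of a control that halves event frequency


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's method (adequate for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(n_years, events_per_year, median_loss, sigma, seed=1):
    """Simulate n_years of annual loss: a Poisson number of events per year,
    each with an independent lognormal loss, summed within the year."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu = math.log(median_loss)
    annual = []
    for _ in range(n_years):
        events = poisson(rng, events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def analytic_expected_loss(events_per_year, median_loss, sigma):
    """Closed form for the same model: E[annual loss] = lambda * E[X],
    with E[X] = exp(mu + sigma^2 / 2) for a lognormal loss. Used to sanity-check the simulation."""
    return events_per_year * math.exp(math.log(median_loss) + sigma ** 2 / 2)


def percentile(values, q):
    """Simple empirical percentile (q in [0, 1]) of a list of samples."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(annual_losses, tolerance):
    """Expected annual loss, the 95th-percentile annual loss, and whether the tail is within tolerance."""
    ale = sum(annual_losses) / len(annual_losses)
    p95 = percentile(annual_losses, 0.95)
    return {"expected_annual_loss": ale, "p95_annual_loss": p95, "within_tolerance": p95 <= tolerance}


def control_roi(baseline, with_control, annual_control_cost):
    """Annual loss avoided by the control minus its cost; positive means the control pays for itself."""
    avoided = baseline["expected_annual_loss"] - with_control["expected_annual_loss"]
    return avoided - annual_control_cost


if __name__ == "__main__":
    years = 20_000
    base = summarize(simulate_annual_losses(years, EVENTS_PER_YEAR, MEDIAN_LOSS_GBP, LOSS_SIGMA, seed=1),
                     RISK_TOLERANCE_GBP)
    ctrl = summarize(simulate_annual_losses(years, EVENTS_PER_YEAR / 2, MEDIAN_LOSS_GBP, LOSS_SIGMA, seed=2),
                     RISK_TOLERANCE_GBP)
    print("analytic expected loss:", round(analytic_expected_loss(EVENTS_PER_YEAR, MEDIAN_LOSS_GBP, LOSS_SIGMA)))
    print("baseline:", base)
    print("with control:", ctrl)
    print("net annual value of control:", round(control_roi(base, ctrl, CONTROL_COST_GBP)))
```

The closed-form value checks the simulation; the percentile, not the mean, is what gets compared with the tolerance, because for rare, high-impact events most years see no loss at all and the average alone understates the tail the budget has to cover.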

 
Cyber Risk Management Process

3. Integrated Control Frameworks for cyber security risk management

The principal objective of cybersecurity standards is to improve the security posture of a business to reduce the risks of a cyber-attack. They are usually developed over long periods of time by experts in the field who put forward best-practice approaches.

Many organizations have multiple relevant control standards that they measure and report against (e.g. ISO 27001, Cyber Essentials, PCI DSS, NIST), and in many cases these overlap. As more standards are published, the recommended approaches are likely to converge even further.
By mapping the requirements of each standard onto a common set of controls, businesses can avoid assessing the same control twice under different standards, which rationalizes the whole system.

Various solutions in the market allow organizations to comply with a particular regulation or standard, but an underlying platform that manages multiple control sets in a single database has far greater benefits. This level of automation cannot be achieved with spreadsheets.
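As an added illustration (not code from the article or from any GRC product), the following Python sketch shows what a control mapping does for assessment workload: each framework's requirements point at a shared set of unified controls, each control is assessed once, and the status of every requirement in every framework is derived from those results. The framework names are the ones the article lists; the requirement labels (ISO27001/R1 and so on) and unified control IDs (UC-01 ...) are constructed placeholders, not the actual clause numbers of any standard, and the mapping itself is invented for the example.

```python
from collections import defaultdict

# Constructed mapping: framework -> requirement -> unified controls it relies on.
# Requirement labels and UC-* identifiers are placeholders invented for this example,
# NOT the real clause numbers of ISO 27001, PCI DSS or Cyber Essentials.
FRAMEWORK_MAPPINGS = {
    "ISO 27001": {
        "ISO27001/R1": ["UC-01"],            # access control policy
        "ISO27001/R2": ["UC-02", "UC-03"],   # privileged access management + MFA
        "ISO27001/R3": ["UC-04"],            # security event logging
    },
    "PCI DSS": {
        "PCIDSS/R1": ["UC-02"],
        "PCIDSS/R2": ["UC-03"],
        "PCIDSS/R3": ["UC-04", "UC-05"],     # logging + daily log review
    },
    "Cyber Essentials": {
        "CE/R1": ["UC-01", "UC-02"],
        "CE/R2": ["UC-03"],
    },
}


def unified_controls(mappings):
    """Inverted index: unified control -> set of (framework, requirement) that depend on it."""
    index = defaultdict(set)
    for framework, requirements in mappings.items():
        for requirement, controls in requirements.items():
            for control in controls:
                index[control].add((framework, requirement))
    return dict(index)


def assessment_workload(mappings):
    """(assessments needed with the mapping, assessments needed without it).
    Without a mapping every requirement is tested on its own, so the count is the
    total number of requirements; with it, each unified control is tested once."""
    with_mapping = len(unified_controls(mappings))
    without_mapping = sum(len(reqs) for reqs in mappings.values())
    return with_mapping, without_mapping


def framework_status(mappings, assessed):
    """Derive every framework's requirement status from one set of control results
    (True = effective, False = ineffective). A requirement passes only when all of
    its mapped controls are effective; a control with no result leaves it 'unknown'."""
    report = {}
    for framework, requirements in mappings.items():
        statuses = {}
        for requirement, controls in requirements.items():
            results = [assessed.get(control) for control in controls]
            if any(result is None for result in results):
                statuses[requirement] = "unknown"
            elif all(results):
                statuses[requirement] = "pass"
            else:
                statuses[requirement] = "fail"
        report[framework] = statuses
    return report


def failing_controls_by_impact(mappings, assessed):
    """Rank ineffective controls by the number of requirements (across all frameworks)
    they break, so remediation is prioritized by how much it unblocks at once."""
    index = unified_controls(mappings)
    failing = [(control, len(index[control])) for control, ok in assessed.items() if ok is False]
    return sorted(failing, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed assessment results: UC-05 has not been assessed yet.
    results = {"UC-01": True, "UC-02": True, "UC-03": False, "UC-04": True}
    print("assessments (mapped vs unmapped):", assessment_workload(FRAMEWORK_MAPPINGS))
    for framework, statuses in framework_status(FRAMEWORK_MAPPINGS, results).items():
        print(framework, statuses)
    print("fix first:", failing_controls_by_impact(FRAMEWORK_MAPPINGS, results))
```

In this constructed mapping five control assessments cover eight requirements across three frameworks, and a single ineffective control (UC-03) shows up as a failure in all three, which is exactly the knock-on view a spreadsheet per standard hides.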
 

Conclusion
Attaining value from risk management can be achieved in various ways, including:
  • Improving visibility to identify the areas which need to be tackled
  • Understanding the financial impacts of the risks to make appropriate prioritization decisions
  • Addressing various requirements (such as regulatory and audit pressures) efficiently to reduce costs and workload.
All of these require a strong GRC platform to manage, link and present the information in a way that allows businesses to make the appropriate cyber security decisions to reduce risk.
