Establishing an Organisational Cyber Risk Management Strategy

16 May 2017

Cyber attacks are headline news again, and boards and executives have to think critically about the significant cyber issues facing their organisations. The impact on brand, consumer confidence, service continuity and, for quoted companies, share price can be devastating. Cyber security responsibilities rightly start at the top, and every employee is a part of the mechanism that protects the organisation. In assuring continuity, however, boards, executives and corporate leadership have unique roles and responsibilities when it comes to how cyber risk influences the broader enterprise risk.

Cyber risk programs need to be designed with an understanding of the dynamic cyber risk landscape. A cyber risk strategy is analogous to the brakes on a car. Having a well-articulated and well-practised cyber risk strategy allows you to accelerate and take calculated risks, while also understanding business limitations and knowing how to brake when necessary. An ineffectual program can result in the vehicle coming to a screeching halt.

Every organisation has unique risks and will develop differentiated risk mitigation strategies; cyber risk, when well understood, is an integral part of an organisation's broader enterprise risk management programme.

Effective information risk management must be grounded in a strategic framework of formal documented governance processes. These ensure consistency and traceability of the activities that implement the operational risk management function by providing continuous oversight of their performance and conformity with defined standards. This strategic framework is what makes the difference between a coherent information risk management system and an unmanaged set of procedures.

5 Questions CEOs Should Ask About Cyber Risks

1. What is the current level and business impact of cyber risks to our organisation? What is our plan to address identified risks?

2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?

3. How does our cyber security program apply industry standards and best practices?

4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

5. How comprehensive is our cyber incident response plan? How often is the plan tested?

This brief article does not allow us to go into detail regarding the governance of risk management, managing communication channels, authorities and accountabilities, regulatory compliance, risk intelligence, risk identification, risk assessment, risk treatment or policy management. Each of these does, in turn, need to be governed, and it is the Risk Management Governance Framework that brings all of the pieces together to form a cohesive strategy.

Risk Management Governance Framework

At the strategic level, the governance function informs and is guided by the office responsible for regulatory compliance and guides or informs the setting of accountabilities and authorities for information risk management functions at the tactical and operational levels. It also directly drives standards, criteria and process definitions to all risk management functions at the tactical and operational levels.

The combined strategic functions (embodied as the information risk management committee) communicate bi-directionally with the tactical risk management functions, which in turn communicate bi-directionally with the operational risk management functions. The operational level risk management functions are the only ones that directly interface with non-risk management operational business functions.

A management framework of this kind results in distributed responsibility and workload, maximum benefit from diverse areas of expertise, traceable action and decision-making, and efficiency. However, it relies entirely on the maintenance of the necessary channels of communication between the strategic, tactical and operational levels.

