Senior leaders with the ultimate accountability for cybersecurity inherently leverage some form of risk management, ranging from cost-influenced denial (“this won’t impact us” mindset) to a robust risk management framework that informs intelligent decisions. Although you will hear very few leaders denying the impact of cybersecurity risks, senior leaders and organizations differ in how they approach protecting their cyber domain.
A gap that I’ve observed is a technology-focused approach that doesn’t enable cyber leaders to get in tune with the business in which they operate. Mature cyber programs enable smart decisions and tradeoffs, which allow focus where it matters most to their business.
I’ve found a risk-based approach delivers clarity in terms of how the cyber program will help protect the business and actual, quantifiable results. This approach highlights vulnerabilities and builds a framework specific to your company’s greatest assets and, therefore, most significant risks. These assets can be data, critical business systems and/or business processes. In all scenarios, the risk-based approach supports strong alignment for leadership outside of IT because of the shared understanding of business risk.
Over my 15+ years in IT, I’ve seen undeniable value in a business risk-based approach to cybersecurity. New or budding security programs, mergers, acquisitions, and leadership turnover are scenarios in which a business risk-based approach is efficient. These are often situations where leadership alignment struggles as executives try to understand where to start, how much to spend and where to focus that spending to get the best return on investment. Companies with the greatest success in implementing a business risk-based management security often pursue the following trajectory:
- Formalize your cyber program.
- Define values and risks.
- Assess vulnerabilities.
- Understand the threat.
- Build a risk-based model
Formalize your cyber program.
A business risk-based cyber security program should be organized from conception and include leadership outside of IT. Leadership alignment and employee awareness are the legs that your security program will stand on. Cyber risk can feel overwhelming; a healthy program should establish goals, expectations, and a common language. Organizational-wide buy-in is critical from beginning to end. Cybersecurity is not just the role of IT but that of every employee.
All employees are responsible for their actions and how said actions protect their organization.
Define values and risks.
Your company’s most significant value often belies your company’s greatest risk.
To successfully pinpoint significant risks, take a step back, consider what you’re providing, and examine the confidential and sensitive elements across all business areas and processes. Scrutinize all systems and third parties that are critical for the operation and where data or a process, if maliciously altered or manipulated, could impact the quality and trust of the business. For example, a financial institution provides loans as part of its value-creating workflow.
Loans are at significant risk for the leaking of data and potential fraud. If loans are fraudulently processed, the financial impact is felt, and operations are strained. Business quality and trust are impacted if confidential or sensitive data is leaked. By highlighting the value of your institution, you can align your focus on what matters most. You gain valuable insight on where to start. Additionally, defining a company’s value and subsequential risks encourages buy-in from business leaders outside of IT.
Assess vulnerabilities.
Every enterprise must take stock of its infrastructure for potential vulnerabilities. Vulnerabilities can range from high-risk departments such as HR or accounting, third-party vendors or suppliers, and software configurations, right down to Bob on the factory floor. Often internal team members are the greatest threat to a company’s security. And the employees that matter most are those connected to a source of your company’s value. Too often, I see companies undervalue the people and process aspects of cyber risk mitigation. Each employee can impact operations—some more easily or significantly than others depending on role and access. You cannot effectively assess vulnerabilities without focused attention on people and processes.
Understand the threat.
You’ve established your company’s framework and common language. You’ve highlighted its most significant values and understood its greatest risk. You’ve identified the IT assets, third parties, and critical business processes. You are ready to check your work. Threat actors can assess your weak points; They can employ specific techniques, tactics, and procedures they would use to establish harm. Threat actors can create risk events, and cyber risk managers can collect valuable data points on specific weaknesses within the company—whether it be controls, people, or processes. For example, many companies with high spending on security software tools experience wire fraud and/or breaches simply because an employee unknowingly gave out credentials that allowed bad actors to circumvent the gates. When you understand the threat and the probability of occurrence, your ability to effectively mitigate risk increases significantly without always costing more money.
Build a risk-based model.
With an established framework, points of value and risk, established vulnerabilities, and additional information from threat actors, your company is ready to build your risk-based model. The model is cost-effective, spending the money where it matters most. The model has leadership buy-in because it uses everyday language and esteems team member training. The risk-based approach model can boast uniquely quantifiable results because it matches controls with agreed-upon vulnerabilities. In short, the risk-based management model offers a clear reduction in risk for a broad range of budgets. Furthermore, it can grow and flux as your company and cyber threats continue to evolve.
Establishing a risk-based model for cybersecurity can seem daunting, but rest assured, success is within reach when you take it one byte at a time.
