
Cybersecurity and risk need to play a prominent role within organisations in India

With cybersecurity being at the nexus of technology and business, security leaders have visibility into an organisation’s systems

DQINDIA Online

While some might say that a pandemic was an event bound to happen, based on industry reports that had long flagged the risk, many organisations and governments globally were forced into a crash course in crisis management. The way organisations plan for and manage risk is among the many profound changes taking place in the cybersecurity landscape in 2020. Some people may argue that a health crisis falls squarely within the realm of business continuity or crisis management. However, Covid-19 has completely flipped the way organisations think about risk. A study conducted by Forrester Consulting on behalf of Tenable found that Covid-19-related scams were the number one source of business-impacting cyberattacks as of mid-April 2020. The spike in cyberattacks that followed the swift shift to remote work has blurred the once well-defined line between technical risk and general risk management. This change is now compelling leaders in both disciplines to lock arms and align more closely in guiding enterprise risk management strategies.


Cybersecurity can play a bigger role in risk management

The increasing frequency, sophistication and creativity of cyberattacks put security leaders in a unique position to play a bigger role in overall risk management and the related disciplines of business continuity, disaster recovery and crisis management. With cybersecurity sitting at the nexus of technology and business, security leaders have visibility into the systems, data and processes an organisation needs in order to deliver on its business continuity and disaster recovery plans. Conversely, understanding the critical processes and assets from a broad enterprise risk perspective will only serve to strengthen an organisation's cybersecurity posture.

Cybersecurity leaders, however, cannot perform Enterprise Risk Management (ERM) alone. Developing a comprehensive enterprise risk management plan requires buy-in from corporate executives and the board, and it demands cross-functional collaboration.


These six steps will help with initial risk identification and assessment:

  1. Develop and distribute a risk survey to key stakeholders. These are typically fielded to senior-level managers and should include representatives from all major departments in the organisation. Having representatives from finance, legal, human resources, information technology, information security, sales, operations, marketing and R&D provides a 360-degree view of the types of risk each department faces. To compile an inventory of enterprise risk, organise the responses into risk categories. This is also an opportunity to identify business priorities, which helps with planning and security prioritisation.
  2. Conduct research and analysis to compare the organisation's enterprise risks with industry risk surveys. Identify variances or challenges unique to your organisation. Reports from the World Economic Forum are a good place to start.
  3. Work with internal leaders to agree on a risk assessment and risk governance methodology. This should define the risk rating criteria, at minimum probability and impact. It can also be the foundation of the risk target operating model that guides internal risk processes.
  4. Identify key leaders within the organisation and allocate time to get their feedback on risks and prioritisation, as well as on risk probability and impact. Consider creating an Executive Steering Committee that meets quarterly and a Security & Risk subcommittee that meets monthly. Collaboration is essential for success, and this structure creates an ongoing internal framework for strong risk preparedness and response.
  5. Present the risk assessment results to executives to finalise the top risks and assign risk owners. The foundation of the security programme is to align with and protect the business, so security and risk managers must be business-aligned. Assigning executive risk owners also provides clarity and top-down responsibility for critical risk priorities.
  6. Work with the executive risk owners to identify mitigation activities for the top 10 risks. Too many known risks go unresolved, and it is often these known vulnerabilities that cause harm to the business. Identifying key assets and vulnerabilities is critical, but there must also be a remediation plan, with a named owner and a timeline, to ensure each risk is properly controlled rather than merely recorded.

Understanding risk based on this type of holistic business-focused calculus not only serves as a guiding principle for cybersecurity strategies, but it also becomes essential as organisations build out their business continuity, disaster recovery and crisis management playbooks.

Oversight of cybersecurity may be led by the CISO, but it should be a cornerstone of overall risk management. This requires a governance structure that serves as the support mechanism to steer the risk programme and to make critical decisions collaboratively. Cross-functional support greatly helps in justifying policy changes and budget, and it drives the company-wide risk culture required to be successful. Without a solid internal collaborative structure, organisations will struggle to build any lasting success. Smart risk management policy and internal coordination are the foundation for preparing for unexpected risks.

By Adam Palmer, Chief Cybersecurity Strategist, Tenable
