RSA has announced a new framework designed for companies to inventory and prioritize cyber risks.
As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber-risks. Since organizations can't turn the clock back on globalization, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their risk management approaches. The framework, issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, gives organizations a new way not only to factor cyber-risk into their overall risk appetite but to define the level of cyber-risk they are willing to accept in the context of their overall business strategy.
"The very fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber-risk,” said Emily Mossburg, partner, Deloitte & Touche LLP and Deloitte Advisory Cyber Risk Services Resilient Practice Leader. “Cyber-risk is an issue that exists at the intersection of business risk, regulation, and technology. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions."
First, organizations need to redefine the term "cyber-risk." The term extends beyond hacks, or planned attacks on information systems. While these kinds of compromises are an important part of the equation, cyber-risk encompasses a wider range of events that lead to potential of loss or harm related to technical infrastructure of the use of technology within an organization. These events could be the result of deliberately malicious attacks, such as a hacker carrying out an attack with the aim of compromising sensitive information. They could also be unintentional, such as user error that makes a system temporarily unavailable. Risk events may come from sources outside the organization, such as cybercriminals or supply chain partners, or sources inside the organization such as employees or contractors.
To effectively assess their cyber-risk appetite, the report recommends that organizations take a comprehensive inventory of these issues, quantify their potential impact and prioritize them. Organizations need to ask the right questions, such as what losses would be catastrophic, and what information absolutely cannot fall into the wrong hands or be made public. They need to prioritize the risk according to impact, ranking mission- and business-critical systems ahead of facets like core infrastructure and extended ecosystem (supply chain management applications and partner portals), and external public facing points of interaction. Prioritization needs to be an ongoing process involving constant evaluation and re-evaluation.
The report concludes that an organization's ability to quantify cyber-risk and make informed decisions about their cyber risk appetite will put them in a position to succeed. Some costs can be easily quantified: costs that include fines, legal fees, lost productivity and mitigation remediation and incident response. Other costs can be more difficult to determine—like diminished brand equity, reduced goodwill and the loss of intellectual property. Organizations need to develop the ability to demonstrate that the investments they are making align with the risks they face.
"Cyber risk is a critical issue in today's organizations, touching aspects of business risk, regulation and technology,” said David Walter, RSA GM, Global GRC. “To effectively deal with these risks, executive decision-makers need to understand their organizations' cyber risk appetites'—balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions."
Photo © BeeBright