Recent studies exposed a massive misalignment between security spending and the actual cause of cyber breaches. Two-thirds of breaches are caused by someone either doing what they shouldn’t or failing to do what they should, yet three-fourths of security spending is on information technology solutions while only one percent is spent on human capital solutions.
Technical solutions are critical, of course, but effective cybersecurity risk mitigation involves more than simply deploying the latest technology. The findings suggest that a greater focus on putting the right people, policy, and processes in place would dramatically reduce cyber risk. Unfortunately, cyber risk governance (CRG) is missing in most organizations, which leaves them more vulnerable to attacks.
A key part of CRG involves raising the level of cyber awareness and responsibility throughout the organization. SANS Institute recently found that cybersecurity awareness programs are gaining in popularity, yet they are often held back by the lack of time, budget, and resources being applied to them. This illustrates the challenge of cyber risk governance: it’s widely known that cyberattacks pose a massive threat, but responses are still far from adequate, if they even exist at all.
“In light of recent large breaches such as those suffered by Equifax, Yahoo, and the WannaCry ransomware attack on the NHS, and with new regulations like the EU General Data Protection Regulation throwing data protection into sharp focus, there’s a new sense of urgency around cyber security that’s stimulating both support and change. Security awareness can be challenging, but it’s necessary, and it’s worth the effort.”
Lance Spitzner, Director, SANS Security Awareness
To implement a comprehensive view of cyber risk governance, Gartner suggests taking an organization-wide integrated approach called Integrated Risk Management (IRM). John Wheeler, Gartner’s research director for Integrated Risk Management, defines it like this: “IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” He suggests that, as business processes continue to become more digital, managing cyber risk effectively requires involving multiple stakeholders, each of whom understands their unique contribution and how it interrelates to the whole.
Presented by John Wheeler at Gartner Risk and Security Summit, June 2018, © 2018 Gartner, Inc.
Not surprisingly, engaging the organization appropriately requires leadership from the top. An integrated approach is just that – it permeates the entire organization. Today, cyber risk is a key enterprise risk for every organization and the single highest risk for most. As history tells us, cyber breaches can lead to massive financial losses, significant reputational damage, and even a complete shutdown of operations. While boards and executives know they have a fiduciary responsibility to manage risk, they often let accountability for cyber risk fall to technical staff because (a) they are simply unsure how to lead in this area or (b) they mistakenly believe it’s only a technical problem.
How can a business leader take the first step toward integrated risk management? At the highest level, the steps are clear – assess the current state of cyber risk organization-wide, and then begin to drive and monitor organizational improvements at an enterprise level. And you won’t have to become an expert on security technology if you base the organization’s efforts on robust standards like the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST).
This voluntary framework [NIST CSF] consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. (image credit: N. Hanacek/NIST CSF Website)
The NIST Cybersecurity Framework was developed with input from 3,000 experts from industry, government, and academia. It provides a comprehensive benchmark for gauging cyber resilience at a 50,000-foot level, i.e. from the perspective of critical business processes without prescribing specific technical solutions. It provides a common vocabulary for executive “decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
Building out a strong IRM program involves engaging key parts of the organization. During NIST CSF development, NIST ensured that the CSF was compatible with a related existing security standard, ISO 27001. Adding ISO 27001 into your IRM strategy enables accountability for cyber resilience measures to be assigned across eight key program areas:
| Program Area | Description | Program Oversight |
|---|---|---|
| Cyber Risk Governance | Cyber Risk Governance focuses on managing the policies, procedures, processes, and risk tolerances that enable the organization to achieve its regulatory, legal, risk, and operational requirements. | Senior Management, Board of Directors, Risk Management, General Counsel, Internal Audit |
| Asset Management | Asset Management focuses on managing the data, processes, devices, systems, and facilities that enable the organization to achieve its organizational objectives and risk strategy. | IT, Information Security |
| Access Control | Access Control focuses on managing users, processes, requirements, and devices to enable the organization to achieve its intended outcomes for limiting unauthorized access to physical and logical assets. | Information Security, IT |
| Threat & Vulnerability | Threat & Vulnerability Management focuses on managing cyber threats, vulnerabilities, likelihoods, and impacts to enable the organization to effectively identify and prioritize cyber risk. | Information Security, Risk Management |
| Situational Awareness | Situational Awareness focuses on managing the detection processes and procedures to enable the organization to ensure awareness of anomalous events and unauthorized access. | Information Security, IT |
| Information Sharing | Information Sharing focuses on managing the priorities, constraints, and processes that enable the organization to achieve its organizational objectives for supply chain risk and external communication. | Procurement, Information Security, Risk Management, IT |
| Incident Response | Incident Response focuses on managing the planning, testing, responsibilities, and processes to enable the organization to achieve rapid response, recovery, and business continuity objectives. | Information Security, Risk Management, General Counsel, PR |
| Human Resources | Human Resources focuses on managing the roles, responsibilities, and awareness of personnel to enable the organization to achieve its intended outcomes for reducing internal cyber risk. | HR, Risk Management, Information Security |
All organizational advancement requires leadership and support from the top. Starting a program of integrated risk management is no different. Taking the first step requires a conscious commitment to a cyber risk governance program that will drive continuous improvements that mitigate cyber risk and align the organization around a cyber-conscious culture.