Today, IT systems are crucial to the day-to-day operations of many organisations. This makes cyber security risks a significant part of organisational risk management. But where should responsibility fall?
Before we make a prognosis about where responsibility for cyber risk should lie within an organisation, let’s consider what cyber risk is.
Global consultancy firm McKinsey argues that cyber security is “only” another kind of operational risk. This is because cyber risk covers business losses of all kinds – financial, reputational, operational, productivity related, and regulatory related.
McKinsey also emphasises that cyber risks are not the same as cyber threats. Rather, cyber threats are the particular dangers – such as phishing, vulnerability exploitation or privilege escalation – that create the potential for cyber risk.
In calling for a risk-based approach to cyber security(1), the McKinsey researchers emphasise that “The reality is that some applications represent more serious vulnerabilities – and therefore greater potential risk – than others. To focus directly on risk reduction, organisations need to figure out how to move from a stance of monitoring everything to one in which particular applications with high risk potential are monitored in particular ways.”
Yet, McKinsey observes, “Even today, ‘maturity based’ approaches to managing cyber risk are still the norm. These approaches focus on achieving a particular level of maturity by building certain capabilities.”
This results in the inefficient allocation of resources, effort and spending. Such an approach, says McKinsey, “is inadequate. It can never be more than a proxy for actually measuring, managing and reducing enterprise risk.”
The consultancy company proposes a four-step journey towards cyber security excellence:
• Security not considered
• A maturity-based approach
• A risk-based approach
• Proactive cyber security
It says that, for most companies, the risk-based approach is the next stage in their cyber-security journey.
To make a risk-based approach to cyber security work, it is necessary to fully embed cyber security in the enterprise risk management framework.
This requires close collaboration between organisational risk managers, IT and the business. IT must help risk managers to understand the whole panoply of cyber threats and threat actors.
Meanwhile, risk managers must work with the business to prioritise risks, plotting them against the enterprise risk appetite and the strategic and operational importance of potentially affected systems and processes.
IT should seek to understand the processes the business regards as valuable and the risks they most worry about.
In this sense, the work of managing cyber risk cannot be solely the preserve of either IT or risk managers – it requires a whole business approach if it is to be most effective.
Having prioritised risk, risk managers must work with IT and the business to put effective risk management strategies in place.
Agreeing the strategy for each identified risk helps to ensure that resources are used most effectively. Usually, risk management will fall into one of four categories:
• Treat – typically by implementing security controls.
• Tolerate – if it falls within established risk acceptance criteria.
• Terminate – if the risk is considered too great, ending the activity that gives rise to it may become the preferable option.
• Transfer – either by outsourcing or through insurance.
Here we can see why the work of risk management goes beyond the remit of IT: while IT will be responsible for implementing any cyber risk security controls, the strategic decisions on whether to terminate or outsource a particular business function will be made by the business.
It is the responsibility of risk managers to then communicate risk management throughout the organisation. Importantly, the UK’s National Cyber Security Centre(2) recommends that guidance must be “understandable by people with no formal knowledge of risk”.
As the cyber threat and regulatory landscapes change and the business systems and activities change, so will the associated risks and the way they are managed. This means the work of the risk managers, IT and the business will be an ongoing process.
Risk managers and IT must continue to work together to monitor risks to ensure they are still acceptable, review controls to ensure they remain fit for purpose, and make changes as required.
As changes are made, communication and advice for the rest of the business must be updated.
While cyber security is the preserve of IT, cyber risk requires specialist risk management techniques. For this reason, the responsibility for cyber risk rests ultimately with your risk manager.
However, risk managers must work closely with IT to deliver an effective and targeted approach to delivering cyber security.
Ultimately, this leads to greater business productivity and IT efficiency because, as McKinsey argues, “Using the risk-based approach, the company scales back controls and spending in areas where desired digital capabilities were being heavily controlled for no risk-reducing reason.”
Furthermore, if we accept that any organisation has only a finite amount of resources for cyber security, then adopting a risk-based approach that targets those resources better will also result in a demonstrably better cyber security posture and greater effectiveness.