Here we present three techniques risk leaders are using to strike the balance between monitoring and managing cyber risks without alienating board members, senior leaders and other non-IT employees.
As cyber security becomes an increasingly important issue for companies around the world and their stakeholders – including regulators and governments – risk managers must ensure that cyber risks are both understood and monitored across the organisation.
Did you know...? For the last three years Technology has been one of the most reported emerging risks, according to industry reports, research bodies and company annual reports. Cyber space is, of course, a big part of this.
Understanding of this issue can differ greatly across teams and organisational levels, however.
While boards may have a more general understanding of cyber security, for example from reading about cyber-attacks in the news, internal IT experts will be very well versed in potential threats, risks and impacts for the firm from things like malware or phishing scams.
Risk managers can bridge the knowledge gap across their business by using effective and easy-to-understand tools that provide an accurate but concise picture of how cyber may impact a business and how this kind of risk is managed within the enterprise risk management framework.
At a recent Risk Leadership Network member meeting on assessing cyber risk, a risk leader from the energy industry presented the cyber security analysis approach they have developed and used at their organisation, and benchmarked it against approaches used by others.
Using semi-quantitative risk analysis (SQRA), they have been able to establish a more nuanced way to examine cyber security and relate the issue to the existing corporate risk profile and controls.
We’ve pulled out three steps members agree can help push for better cross-organisational understanding and management of cyber risks.
1) Get the board on board
Some board members will inevitably be better versed in cyber risk than others, and they can struggle to relate the organisation's stated risk appetite to the cyber risks it is actually facing.
Similarly, few board members are likely to have the level of expertise in this area that IT professionals have. That is why any communication with the board on cyber risk needs to be not only accurate, but clear and concise.
Members agree that presenting cyber security to the board in the same way as other risks (financial, environmental and so on) gives a clearer understanding of where cyber security risk sits in relation to the company's overall risk profile. (Click here to read about the visuals risk leaders are using to report enterprise risks to their boards.)
Simplifying the risk taxonomy presented to the board to four or five key risks has also proved effective for members in overcoming this challenge.
2) Use SQRA to contextualise cyber risks vs threats
Members in our network have shared with each other how they have used semi-quantitative risk analysis (SQRA). It has allowed them to capture the detail of an individual cyber security risk, quantify it, and place it in context alongside the corporate risk profile.
Rather than fixating on raw counts of cyber threats (phishing emails received but never opened, for example), SQRA estimates the probability of an actual impact on the organisation and the chain of steps an attacker would have to complete for that impact to occur. Working through that chain also points to the mitigation steps the organisation needs to take in response to those threats.
3) Find the right tools and data to monitor cyber threats
These will differ depending on the company, but common examples of useful tools and data include employee reporting of suspicious emails; an increased frequency of suspicious emails; and programmes that detect attempted bot attacks.
Most organisations already hold large amounts of such data, and the SQRA approach lets you view your cyber threat activity through the lens of the actual risks it could trigger, and ultimately set the right key risk indicators to monitor the controls along each path.
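The following is an added worked example, not code from the article or from any Risk Leadership Network member, covering both the SQRA idea in step 2 and the key risk indicator in step 3. It scores one constructed cyber risk (credential phishing leading to account takeover) by walking the chain of steps an attacker must complete, converts the result onto an assumed 5x5 corporate scale, ranks the candidate mitigations by how much they cut the annual probability of impact, and checks a KRI built from employee reports of suspicious emails. The 5x5 bands, the attack path, every control-failure probability, the £2m impact and the weekly report counts are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): a minimal
semi-quantitative risk analysis (SQRA) of one cyber risk, plus a key risk
indicator (KRI) check. Every scale, threshold and sample figure below is
an assumption chosen for illustration, not a real organisation's data."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed corporate 5x5 scale. Likelihood bands: (upper bound on annual
# probability, score). Impact bands: (upper bound on loss in GBP, score).
LIKELIHOOD_BANDS = [(0.01, 1), (0.05, 2), (0.20, 3), (0.50, 4), (float("inf"), 5)]
IMPACT_BANDS = [(1e5, 1), (1e6, 2), (1e7, 3), (1e8, 4), (float("inf"), 5)]


def band(value: float, bands) -> int:
    """Map a number onto the ordinal 1-5 scale (the 'semi' in semi-quantitative)."""
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]


@dataclass
class Step:
    """One step an attacker must complete on the way from threat to impact.
    p_fail: assumed probability the control at this step fails to stop it.
    p_fail_after: assumed residual probability if the proposed mitigation is applied."""
    name: str
    p_fail: float
    p_fail_after: float


@dataclass
class CyberRisk:
    name: str
    threat_events_per_year: float   # raw threat activity, e.g. phishing emails received
    path: list                      # ordered Steps from threat to impact
    impact_gbp: float               # assumed loss if the whole path succeeds

    def p_impact_per_event(self) -> float:
        """Probability that a single threat event gets all the way to impact."""
        p = 1.0
        for step in self.path:
            p *= step.p_fail
        return p

    def annual_probability(self) -> float:
        """Probability of at least one impact in a year, treating events as independent."""
        return 1.0 - (1.0 - self.p_impact_per_event()) ** self.threat_events_per_year

    def rating(self) -> dict:
        """Place the risk on the corporate likelihood x impact scale."""
        like = band(self.annual_probability(), LIKELIHOOD_BANDS)
        imp = band(self.impact_gbp, IMPACT_BANDS)
        return {"likelihood": like, "impact": imp, "score": like * imp}

    def mitigation_ranking(self) -> list:
        """Annual probability if each step's mitigation were applied on its own,
        lowest first: the top entry is the control improvement worth doing first."""
        results = []
        for i, target in enumerate(self.path):
            trial_path = [Step(s.name, s.p_fail_after if j == i else s.p_fail, s.p_fail_after)
                          for j, s in enumerate(self.path)]
            trial = CyberRisk(self.name, self.threat_events_per_year, trial_path, self.impact_gbp)
            results.append((target.name, round(trial.annual_probability(), 3)))
        return sorted(results, key=lambda r: r[1])


def kri_check(history: list, current: int, sigmas: float = 3.0) -> dict:
    """Flag a KRI (e.g. weekly count of employee-reported suspicious emails)
    when the latest value exceeds the baseline mean plus `sigmas` standard deviations."""
    base = mean(history)
    threshold = base + sigmas * pstdev(history)
    return {"baseline": round(base, 2), "threshold": round(threshold, 2),
            "current": current, "breached": current > threshold}


# Constructed sample risk: 5,000 phishing emails a year, three controls in the path.
PHISHING = CyberRisk(
    name="Credential phishing leading to account takeover",
    threat_events_per_year=5000,
    path=[
        Step("email filtering", p_fail=0.05, p_fail_after=0.02),
        Step("user awareness (click)", p_fail=0.04, p_fail_after=0.03),
        Step("MFA (credential reuse)", p_fail=0.05, p_fail_after=0.005),
    ],
    impact_gbp=2_000_000,
)
WEEKLY_REPORTS = [12, 15, 11, 14, 13, 12, 16, 13]   # constructed baseline of reported emails

if __name__ == "__main__":
    print(PHISHING.rating(), round(PHISHING.annual_probability(), 3))
    print(PHISHING.mitigation_ranking())
    print(kri_check(WEEKLY_REPORTS, current=31))
```

With these assumed figures the 5,000 raw phishing emails translate into roughly a 39% chance of at least one account takeover in the year, a likelihood band of 4 against an impact band of 3. The ranking shows that strengthening MFA alone drops the annual probability below 5%, far more than a better mail filter or more training would, which is the kind of conclusion a count of threats on its own cannot give you. The KRI check flags a week with 31 reports against a baseline of about 13, which is a prompt to investigate a possible campaign rather than a risk score in itself.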