Placing cyber risk in a business risk landscape
Cyber risk is the building block of cyber security. When it is identified correctly, an organisation knows the key threats it faces, knows which of them to address first, and can spend its budget only on the cyber people, process and technology it actually needs.
Date: 18 Apr 2023
Read time: 4 min
However, to process cyber risk well, we need to consider it alongside other business risks.
Although we talk generally about 'cyber', the discipline is information security, of which cyber security is generally considered a significant part. Information security is the 'preservation of the confidentiality, integrity and availability of information', the definition used by the ISO/IEC 27000 series, for which ISO/IEC 27001 is the certifiable management-system standard; cyber security is the 'protection of information systems from unauthorised access, harm and use'. As a rule of thumb, the subject area of information security is bounded by the topics of the controls in ISO/IEC 27002.
The objective of cyber (information) security is very simple – to prevent threats doing harm to our key information assets.
Accordingly, the cyber risks we consider measure how likely a threat is to harm the confidentiality, integrity or availability of our assets, and how severe that harm would be; the most severe risks are the ones we need to address first.
While the objective of cyber security may be simple, protecting our key assets from threats is far from it…
The three components of cyber risks
Cyber risks have three components: a threat, a vulnerability and a key asset. Applied generally, the model uses broader definitions of each than the purely technical ones. For example:
- A threat may include a person's susceptibility to mislay a laptop;
- A vulnerability, the lack of time we have to be mindful of phishing when working through a full inbox;
- Key assets, our people, our key business processes and our brand.
Determining the severity of a cyber risk is challenging. It requires an understanding of the capability of threats (their techniques and abilities), the effect these may have on our assets, and the impact to the business should an attack succeed.
Experts are correct that cyber security is a 'campaign': the protracted attrition of the constant ingenuity of threats by new methods of mitigation.
It is this challenge, and the inherent need for experience and expertise to meet it, that makes it straightforward to place cyber risk within the business risk landscape.
How does cyber fit within wider business risk?
Organisations manage many kinds of risk, including strategic, reputational and financial risk. Operational, technology and compliance risk, however, are the ones that align most closely with cyber:
- Operational risk concerns the maintenance of business capability;
- Technology risk, the maintenance of business systems;
- Compliance risk, the achievement of obligations.
Because protecting against cyber threats is hard, and because meeting that challenge needs expertise, experience and the freedom to apply them, a good arrangement is for the owners of operational, technology and compliance risk to place requirements on cyber for the outcomes they need. Cyber, in turn, delivers those outcomes and demonstrates that they have been met.
In this way the required outcomes of the owners of operational, technology and compliance obligations are met, cyber applies its experience and expertise to deliver these and its other commitments, and cyber risk and its mitigation sit squarely within the business risk landscape.
About the author…
Simon Wincott is a Partner at Org, leading our global cyber security practice.
With 30 years' experience, Simon was initially a military officer securing information worldwide, and has more recently transformed cyber security across multiple industries in FTSE 100 and Fortune 500 companies, including as chief information security officer. He specialises in identifying cyber security risk and delivering real-world information security transformation programmes of cyber risk mitigation and improvement.
About Org Advisory
We take a different, more human approach to Advisory. Forget off-the-shelf answers: we listen hard before applying deep and relevant expertise.
Across the entire transformation journey – Scoping & Planning, Implementing, Optimising, and Enabling & Benefit Realisation – we deploy our Subject Matter Experts to tackle your business challenges.