A risk management approach is fundamentally different from the standard approach to cyber security. It requires that organizations explicitly decide which risks to accept, which is the natural outcome of genuinely deciding where to focus. That is anathema to most security practitioners, but it is exactly what is needed at the executive level. As the Great Recession showed, it is better to manage risk explicitly than to ignore it and hope for the best.
Security, Compliance and Privacy executives need to collaborate with business executives to clearly and rigorously define the organization’s cyber risk appetite. That definition needs to be turned into precise requirements for the technical team and provide a blueprint for the outcomes expected from them. Using those requirements, the CISO and their team need to optimize technical cyber policies, procedures and controls to ensure that cyber operations provide adequate defense given the business’ risk appetite and tolerances.
Managing risk is essentially an exercise in prioritization and continuous monitoring. In the aftermath of the Great Recession the OECD published a risk assessment and management framework, “Corporate Governance and the Financial Crisis: Conclusions and emerging good practices to enhance implementation of the Principles” (24 February 2010). These guidelines translate readily to cyber risk and are just as applicable:
- Effective cyber risk management is not about eliminating risk. It should ensure that risks are understood, managed and, when appropriate, communicated.
- Effective cyber risk management requires an enterprise-wide approach rather than treating each business unit individually.
- Effective cyber risk management requires business review and guidance to maintain explicit alignment of corporate strategy with cyber policies (risk-appetite and tolerance).
- Continuous cyber policy assessment should be the basis for cyber risk operations and metrics.
- Cyber risk operations must be adequately and explicitly covered by policies that provide a direct line of sight from risk appetite to controls and metrics.