Managing cyberrisk is critically important for organizations. Interconnectedness, digitization, the focus on utilizing data and providing enhanced client experiences expand the attack surface and expose an organization to increased cyberrisk. I cannot think of a worse experience for a board member than to be told (or to read in a newspaper) that the organization’s client database has been leaked online, that a significant amount of money was stolen or that the organization cannot operate because all the servers have been locked up with ransomware. No organization can be 100% secure, and bad events will happen. There are, however, practical steps that can be taken to reduce the risk of a cyberevent happening and, when it does happen, to recover the organization to the same state as before the event.
The difficult question is where to start managing cyberrisk, especially if the organization is not yet focused on cyber. I would advise against just jumping in and starting to implement cyberactions. The most important task to start with, in my view, is to create a cyberresilience program with executive support. This task can be quite difficult, but without executive support, a vehicle for all the tasks that must be done and a report to keep the board informed of the cyberjourney, cyberrisk management will be dead in the water, and the organization will just be waiting to become a victim of a cyberattack. This is especially difficult in organizations that have not experienced a cyberevent. I will not be surprised if there are many organizations where the extent of cyberrisk management is a technical team buried in the IT department that focuses on hardware and security settings.
Although I mention it in my Journal article, I recommend doing a current-state cyberrisk assessment first. Procure the services of a respectable external consulting firm to do the assessment. Openness, transparency and honesty are the keywords for this step. The cyberpractitioner will know many of the things that are not in place in the organization and should provide that information to the assessment team. Once the attention and commitment of the board have been obtained with an external report, the next step is to create a cyberresilience program. In this step, focus on ranking the items discussed in my article over a period of 2 or 3 years. It will not be possible to do everything in year 1, as it will be too expensive, and the resources will not be immediately available to address everything in one go.
It is very important that the board understand cyberrisk; therefore, implementing board reporting and promoting executive awareness should be a high priority in the 3-year plan. It does not matter if the first report has lots of red items. The more informed the board is—especially board members from the business lines and, more importantly, if they understand the impact that a cyberevent can have on their organizations—the greater the chance will be of obtaining resources to implement the cyberplan. The board report is probably one of the most important tools a cyberpractitioner has and should be utilized effectively to manage cyberrisk and to describe the cyberjourney to the board. I am of the opinion that an organization should not attempt to describe the end goal for cyber, but rather describe the journey and show that the right actions are being taken along the journey to reduce cyberrisk. The next step is to adopt a cybermaturity framework against which to measure the organization internally. Armed with these tools, the other steps in my article can be mapped out and implemented, e.g., identifying the crown jewels, threat modelling, determining whether controls are adequate to protect critical points along the kill chain, red team testing, etc., and each item that is implemented will improve the organization’s cybermaturity.
Read Jaco Cloete’s recent Journal article:
“Practical Cyberrisk Management,” ISACA Journal, volume 3, 2019.