How Does Cyber Affect the Risk Profile of the Organization?
Cyber risk has become an increasingly challenging risk to understand and manage. The proliferation of technology continues to force organizations to adapt their risk management philosophies to this ever-present, ever-changing risk. As long as organizations continue to adopt new technologies, they automatically expose themselves to new cyber and information technology threats.

Organizations can thwart these threats, simplify information security, and reduce the burden of regulatory compliance by adapting the risk management process. A more dynamic and holistic approach should be developed, where established communication mechanisms ensure that threats are addressed in real time and understood by a broad range of interested stakeholders. Moreover, utilizing a GRC technology solution that is able to centralize data and link cyber threats with the other risks is important to provide evidence that the program is in place, being sustained, and producing high-quality output. This scaling of risk management won't just make your organization safer; it will also help inform and enhance business decisions.
Studies [1, 2] continue to show that cybersecurity remains a top concern for organizations' information security executives. For example, in one study, 76% of the respondents said they were concerned about cybersecurity threats, up nearly 30% from the year prior [3]. The occurrence of cyber incidents is up, with nearly 80% [4] having detected a security incident in the last twelve months.

Staffing is also contributing to this. In another survey example, more than half [5] say that they lack the skilled resources to substantiate information security's contribution and value. Organizations are struggling with how to integrate this subject with the broader organizational risk management processes and governance standards.

Perhaps this is a result of the use and proliferation of technology by us all. The business and information security have continually used technology as a means to create efficiencies, build in controls, share information, etc. Customers too are constantly searching for and adopting technology to make their lives easier, more efficient, and faster. This is only expected to increase (see Figure 1).
Figure 1

Year                            2003              2015              2020
World Population [6]            6.3 billion       7.3 billion       7.8 billion
Connected Devices [7]           500,000,000 [8]   4,900,000,000     20,800,000,000
Connected Devices per Person    0.08              0.67              2.7
[1] EY's 2015 Global Information Security Survey: 1,755 CIOs, CISOs, C-level, and information security executives from 67 countries
[2] PwC's 2015 US State of Cybercrime Survey
[3] Ibid.
[4] Ibid.
[5] EY's 2015 Global Information Security Survey
[6] Data.worldbank.org
[7] Gartner Research; http://www.gartner.com/newsroom/id/3165317
[8] Cisco Internet Business Solutions Group (IBSG), "The Internet of Things: How the Next Evolution of the Internet Is Changing Everything," Dave Evans, April 2011, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
The cyber threat is real. There have been numerous examples where cybersecurity has come into question. Breaches at companies like Target, Sony, and Ashley Madison, to name a few, have caught national headlines. Results include reparations in the millions of dollars, thousands of identities being stolen, shareholder value lost in the billions, and corporate reputations tarnished. Questions are starting to arise from regulatory agencies, advocacy groups, counsel, and customers about what organizations are doing to manage these risks. In response, organizations are looking more closely at cyber risk and its fit within their Governance, Risk, and Compliance (GRC) framework and tools.
Top Down v. Bottom Up

There are two approaches when managing risk in the context of exposures (e.g., cyber risk): (1) top down, and (2) bottom up. Although these two should naturally marry and provide clear linkages, they often run in parallel and create philosophical arguments on which is better. For example, below is a brief list of the pros and cons of tackling the subject from a top-down point of view:

Pros
- Executive led
- Clear support from the top
- Internal/external sharing of information across the organization
- Consistent communication
- Common taxonomy and process
- Alignment across the lines of defense
- Alignment with the cadence of the business (e.g., planning, budgeting)

Cons
- Unique business activities not necessarily accounted for
- Risks addressed in isolation
- All risks seen as critical (lack of prioritization)
- No economies of scope and scale in management/action
- Lack of clear tie to organizational risk appetite and tolerance levels
- Unclear link to processes

A similar set could be created from the opposite perspective.
Cyber risk is a bit unique and should be evaluated [9] slightly differently in the context of the risk management processes used to understand and manage it. On the one hand, experience has shown that it can have both a significant financial and non-financial impact on the organization, making it potentially one of the top risks to the organization. On the other hand, cyber-attacks happen with such frequency [10] that cyber risk typically lands in the top right corner of a traditional heat map (see the illustrative heat maps below), with the only real variability being the impact assessment. A typical risk assessment process rates the likelihood of occurrence over a one-year period, a horizon chosen to align with strategic planning and budgeting, and over a year the likelihood of a cyber-attack is effectively certain:
[9] The evaluation of risk typically occurs from an inherent (or absent controls) and a residual (with controls and management activities in place) basis.
[10] Norse Corporation map; map.norsecorp.com; example showing evidence over an hour on a nondescript day when over 10,000 attacks hit the US from all over the world, 4,000 from China alone.
[Illustrative heat maps: Inherent Risk Assessment and Residual Risk Assessment, each plotting Likelihood against Impact]

Depending on the tolerance level of the risk (denoted by the stepped line in the heat map graphs above), action will be required to mitigate and/or manage the risk with some diligence.
Evaluating the Efficacy of the Risk Management Process

Evaluating cyber risk in the context of other risks is a necessity to inform the risk profile, or the aggregated exposure level of the company's portfolio of risks. As the above example shows, cyber risk management should, at a minimum, justify a formal review for creating a bespoke process to evaluate its effects on the organization.
The process starts with the identification of cyber risks. This requires not only an understanding of the risks facing the organization itself but also those facing its customers, vendors, and other third parties. One only has to look to recent publications for examples. In one, hackers had breached a company's computer systems and compromised the personal data of 1.5 million customers, resulting in the exposure of 1.1 million social security numbers. This stolen data was used to create fake debit cards that were used to withdraw more than $9 million from automated teller machines worldwide. Other examples include phishing techniques, Telephone Denial of Service (TDoS) and Distributed Denial of Service (DDoS) attacks, ATM skimming and Point-of-Sale (PoS) schemes, malware on mobile devices, and the infiltration and exploitation of organizational supply chains. Regardless of the medium, the identification of cyber risk requires expertise and the involvement of information technology. However, understanding the impact requires investigation and collaboration.
The identification of cyber risk is not any different from what would be used to identify other risks that may impact the organization. Cyber risk is primarily focused on the informational and technological operational risks, but includes people and facilities where they support information and technology assets. In order to be effective, risks must be defined in such a way that allows for the aggregation and disaggregation of the topic. As we saw from the previous paragraph, cyber (most broadly defined) risk might be broken down into two or three sub-categories. A sub-category might be malware, with further definitions under that such as Trojan horses, worms, viruses, etc. Defining the library of risk in this fashion creates greater transparency into the causes of the risk and can assist in defining where the risk may reside within business processes. It also acts as a means to clearly define courses of action, investments in controls, and metrics to determine their efficacy in reducing the risk's exposure.
Now that the cyber risk category can be broken down into its more specific parts, the assessment begins. Execution of the assessment requires the information technology experts to work collaboratively with the business. This necessitates the information technology and security staff having a better understanding of the key business processes driving the growth and profitability of the organization. It is
unreasonable to expect the business, those doing the day-to-day activities, to have the knowledge of how frequently cyber-attacks occur or an indication of the extent of damage they could inflict. Viewing it in this context helps with the prioritization of cyber risk in relation to other risks facing the organization. Moreover, this prioritization helps with determining the investments required to thwart any exposure through the allocation of capital and employees' time.
Another important facet in helping to evaluate the assessment of cyber risk is the link to the company's Business Impact Assessment (BIA). The BIA provides the insight into the consequences of a disruption to the business' functions and processes. The evaluation of the systems and technologies is also included as part of this process: the impact, timing, and duration of a disruption. The result is a prioritization of the company's assets by their criticality to the business' operations and the need to have them available to execute critical processes. Cyber-attacks on the organization may focus on the vulnerabilities of these assets. The information security professionals can use the GRC technology to take the BIA, compare that to the cyber threats, and use that as another basis for concluding the overall assessment of the risk.
It is also essential to clearly articulate what the cyber profile will look like. This may result in a completely different-looking heat map, where the company's conservatism in addressing cyber risk shows more harmful (e.g., red and orange squares) areas. Additionally, the tolerance level may vary as well, moving down, for example, to address the reduced tolerance for the risk's occurrence and severity.
Another modification may be in clearly articulating likelihood and impact parameters. In the case of cyber risk, the likelihood of occurrence may need to be defined as the likelihood of occurrence over a week's period (or at least something less than a year!). Risks like cyber, and fraud for financial services companies, occur with such frequency that risk management functions are exploring how to modify their assessment methodology to be more relevant to a particular risk's occurrence. In contrast, risks such as natural disasters, class action lawsuits, and mis-selling occur with much less frequency. As a result, having a process that reflects these variables can greatly improve the understanding of the risk profile, allocation of resources, and capital expenditures for controls.
Moreover, the definition of impact also needs exploring. Is it defined as the impact should the risk occur (the severity of a single event, independent of the likelihood)? Or the expected impact, which weights that severity by the likelihood of occurrence? The nature of cyber events also should dictate assessing the impact from both a quantitative (financial) and qualitative (reputation) perspective. These simple questions and reflection on the process may result in a more meaningful and valuable information security assessment.
Most organizations with mature risk management practices offer impact assessment scales on both a quantitative and a qualitative basis. Although the qualitative scale lacks the rigor and measurement needed to help substantiate how the risk profile is changing, it enables those with less knowledge to evaluate criticality in areas like reputation, or when the risk is something that hasn't been experienced by the organization in the past. Scenarios are a good example, where stress tests or hypotheses are developed to understand the effects of adverse conditions on the organization's products/services, assets, and operations. These factors are discussed further under Reporting.
Another consideration is to have a technique that reflects the rate at which cyber events may occur. It may be worthwhile to analyze the risk from an actuarial approach, where modeling is used to define frequency (e.g., a Poisson distribution) and severity (lognormal, Weibull, gamma, Pareto, etc.). Simulating the two together gives a distribution of aggregate annual loss, from which a VaR (Value at Risk) can be read at varying confidence levels.
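As an added example that is not part of the original paper, the following Python script carries the actuarial approach through end to end: Poisson frequency, lognormal severity, Monte Carlo simulation of aggregate annual loss, and an empirical VaR read off the simulated distribution. It also re-scopes the likelihood horizon from a year to a week, as discussed above, using the same Poisson rate. All parameters (12 events per year, a $50,000 median loss, shape 1.2) and the function names are assumptions for illustration, not figures or code from the paper; it uses only the Python standard library.

```python
import math
import random

# Assumed, illustrative parameters (not figures from the paper):
ANNUAL_RATE = 12.0                 # lambda: expected loss events per year (Poisson)
MEDIAN_LOSS_USD = 50_000.0         # lognormal median loss per event
LOG_SIGMA = 1.2                    # lognormal shape; larger = fatter tail
MU = math.log(MEDIAN_LOSS_USD)     # lognormal location parameter


def poisson_sample(rng, lam):
    """Number of events in one period with mean lam (Knuth's method).

    Fine for moderate lam (tens to a few hundred per period); for very large
    lam a normal approximation or a library sampler is the practical choice.
    """
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, n_years, seed=0):
    """Monte Carlo: one aggregate loss per simulated year (compound Poisson-lognormal)."""
    rng = random.Random(seed)          # fixed seed -> reproducible figures
    yearly = []
    for _ in range(n_years):
        n_events = poisson_sample(rng, lam)
        yearly.append(sum((rng.lognormvariate(mu, sigma) for _ in range(n_events)), 0.0))
    return yearly


def value_at_risk(losses, confidence):
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(idx, len(ordered) - 1))]


def expected_annual_loss(lam, mu, sigma):
    """Closed form E[N] * E[X] = lam * exp(mu + sigma^2 / 2); a check on the simulation."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def prob_at_least_one(lam_per_year, window_years):
    """Re-scope the likelihood horizon: P(>=1 event in the window) = 1 - exp(-lam * t).

    With lam = 12/year the annual probability is ~1 (top-right of the heat map);
    over one week it is about 0.21, a value a heat map can actually discriminate.
    """
    return 1.0 - math.exp(-lam_per_year * window_years)


if __name__ == "__main__":
    losses = simulate_annual_losses(ANNUAL_RATE, MU, LOG_SIGMA, n_years=20_000, seed=7)
    print(f"expected annual loss (closed form): ${expected_annual_loss(ANNUAL_RATE, MU, LOG_SIGMA):,.0f}")
    print(f"mean simulated annual loss:          ${sum(losses) / len(losses):,.0f}")
    for conf in (0.95, 0.99, 0.999):
        print(f"VaR {conf:.1%}: ${value_at_risk(losses, conf):,.0f}")
    print(f"P(>=1 event in a year): {prob_at_least_one(ANNUAL_RATE, 1.0):.4f}")
    print(f"P(>=1 event in a week): {prob_at_least_one(ANNUAL_RATE, 1 / 52):.4f}")
```

Run it as a script to print the closed-form expected annual loss beside the simulated mean (they agree to within about a percent at 20,000 simulated years) and the 95%, 99% and 99.9% VaR. The gap between the expected loss and the 99.9% VaR is the point of the exercise: with a fat-tailed severity the tail, not the average, drives the capital discussion, and that is exactly what a single heat-map square cannot show.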
The evaluation of cyber exposures has been made easier through the incorporation of technology. Leading practice dictates utilizing external feeds to assist in the indication of a cyber threat and utilizing history,
knowledge, and algorithms to predict the potential severity. However, the data coming in from internal sources and external, disparate vendors can be overwhelming. Utilizing a GRC solution that incorporates all internal and external data feeds into a single platform makes deciphering the data that much simpler. It also enables the business to synchronize its control environment with the impact of cyber risk events. Only then can information security weigh the myriad of alerts, translate them into the organization's processes and profile, and develop the means to address the most salient exposures.
Moreover, being able to tie the results of these processes into business requirements is paramount to driving relevancy and value. The simplest example of this is linking the risks to the business continuity and resiliency plans, as well as the business impact assessments that are being performed. Through this process, critical activities and supporting systems are enumerated. Once again, having a GRC technology that is able to use that information and pull it into the analysis of cyber threats helps to marry the critical applications/technology used by the business with the risks. Only then can the business, in collaboration with information security, make informed decisions on whether, and how, to treat the threats impacting the most critical operations of the organization. This, once again, helps with determining how to spend precious capital and optimally allocate resources.
Another facet of managing cyber risk is the security assessment. This is akin to the monitor phase in a typical risk management process. In this case, we want to explicitly review whether the implementation of controls and/or management activities has occurred and gain evidence that they are in place and working as intended. A GRC solution can enable the capture, storage, and mining of this data as evidence. Moreover, the information and conclusions can link with other GRC solutions (e.g., operational risk, compliance, audit), as an integrated GRC platform, to provide a more holistic picture of the risk profile.
Cyber, although requiring some evaluation of how to customize it to the organization's risk framework, still relies on the principles established through other risk disciplines like operational risk. In fact, the Basel Committee on Banking Supervision, whose standards shape prudential regulation across the banking sector, includes systems in its definition of operational risk. [11] This should necessitate having cyber be an explicit part of the operational risk profile discussion.
In fact, leading practice dictates having a single-subject discussion be part of the quarterly update to the Board of Directors and the executive committee (including the risk committee) for risks carrying a potentially significant impact on the organization. Cyber should be part of the cadence in this process. This is challenging to do efficiently given the brevity of certain risk topics on the agenda (see the Reporting section below). Moreover, cyber, depending on the organization and its control structure, may not even rise as one of the most significant risks. Also, an executive's knowledge of the pervasiveness of attacks, and of the potential damage they may cause, is often limited. This is because there is a cognitive bias by those presenting and managing information security to portray a better-than-average management and control environment. It is these individuals whose job, performance, and incentive structure is to protect the organization from cyber threats. What incentive is there to present a "doom and gloom" picture?
This is where the robustness of the risk management process comes into play. Not only should there have been an effective challenge by the second line and the CRO, but the picture should also be substantiated through audit. The Board and executives are looking for an understanding of how risk is affecting profitability, so explaining the severity of the risk in as quantitative terms as possible is a plus.

Remember too that cyber risk does not have independent effects. It's not just the technology that must take focus, but the cascade of implications on the underlying processes and human intervention activities.
[11] Bank for International Settlements, Consultative Document on Operational Risk, January 2001, p. 2
Cyber-attacks are designed to identify and take advantage of weaknesses in the technology infrastructure and overarching business activities. In each case, the underlying organizational process is called into question: is it designed appropriately? Can it be structured differently? Can a better set of controls be developed and implemented? Technology obviously plays a huge role here, as the controls are predominantly system focused. Moreover, it should require engaging the business as well for a broader view of the process from end to end. In practice, this may include third- and fourth-party vendors/subcontractors and verification procedures for customer access to organizational systems.
GRC technology can help in this effort as well. Leading GRC solutions have the ability to tie the risk and control information back to key value chain processes. This makes causal analysis much simpler by creating workflows that identify the process pieces where risks are likely to occur or where controls are deficient, leading to indicators of potential exposures (e.g., the creation and monitoring of Key Risk Indicators (KRIs)). This enables both the business and the second line of defense to understand where breakdowns are occurring and create a tactical plan forward to address the exposure.
The linkage of cyber threats to other risks and operations calls into question the efficacy of the organization's business continuity and resilience plans. This is because a cyber event (or events) can suspend or disrupt normal business operations. Given the varying nature of cyber risks, are employees aware of how they may unsettle their activities, systems, and customers? Moreover, cyber risks are always evolving, so detecting their occurrence and understanding the magnitude of potential disruption requires ongoing education and partnership between the business, external constituents (like vendors), and information security.
Correlation and Diversification

Risks are rarely independent; they correlate with one another. It's therefore critical to understand the upstream and downstream effects of how a risk's occurrence affects the value chain. This not only includes how other risks may occur, but how the snowballing effects of severity can mount. One organization suffered a distributed denial of service attack on its website, disabling the traditional services its customers had become accustomed to, in this example bill pay. The organization's systems and infrastructure were not prepared for the attack. Duplicate payments were made, resulting in overdraft fees, and some payments weren't made at all. Dissatisfied customers used social media to voice their frustrations with the company almost instantly. Moreover, because call centers weren't prepared with a script or knowledge of how to respond to customer concerns, customers' inquiries were left unanswered. The organization had to do some repair: reimbursing payments and erroneous charges, letters (stamp costs) to customers, increased control and security put on their firewalls and servers, and a public apology. The immediate financial impact wasn't that significant. However, the reputation impact and lost revenue from existing and potential future customers was calculated in the hundreds of thousands.
The aggregating linkage of risk also produces similar effects on the management of risk. Controls taken by one part of the organization may benefit other areas as well. This is particularly true with cyber risk, where a single control investment will benefit multiple businesses. For example, there are a plethora of vendors offering scanning capabilities for cyber threats. These vary depending on the threat, so an organization may have multiple subscriptions. GRC technologies offer a way to synthesize these feeds into a single source, apply algorithms to assess their impact, and provide a mechanism for prioritization and action.
Viewing risk across the value chain also brings economies of scope and scale. The one-to-many relationship of risks to corresponding controls yields insight into where there may be inefficiencies in management action and/or controls. The prevailing mindset in most organizations is that risk is bad and needs to be controlled. This is
exacerbated by the pervasive risk management structure and governance where risk is tackled in silos. This produces layer upon layer of controls to address a risk, which can only be seen when the risk is viewed holistically, from back to front office, systems to processes, to any customers, and potential implications to third parties.
Sustainable execution of risk management is challenging, and resource- and capital-intensive, if the analysis is done for every risk the organization faces. Leading practice dictates performing the analysis on the critical aspects driving the growth of the organization. We've all heard the mantra of "tying risks to objectives." This still applies, but must be done in the context of the organization's most salient risks. Deriving the most pertinent risks can be accomplished by evaluating risks against the organization's key strategies and initiatives. This is an essential part of the assessment process.
Cyber, however, is not always given its due credit in this process, probably because the potentially significant financial and reputation impact is not always transparent, nor is it clear how it can be tied to the organization's goals. Some risks, like cyber, can get lost in the mire of the universe of risks that influence objective setting and execution. Vague, broad objectives such as "grow the customer base by x%" or "diversify product offerings" may not take into account risk topics like cyber, where, as in the examples above, a data breach siphons customer data; the resulting customer distrust and brand erosion may disturb any well-laid corporate plan.
It is only when these objectives are codified that the risk discussion can begin. Detailing how the objectives will be met should force a discussion about risk. For example, one manufacturing organization explicitly includes the identification, assessment, and treatment of risk as part of its strategic planning. This helps to raise awareness, spur discussion, and bring consensus about how the organization wants to treat a particular objective-threatening risk so that capital and resources can be properly allocated during budgeting.
Digital Literacy

The common thread through the success of an effective cyber risk management framework is digital literacy. Education is a staple for understanding and addressing cyber risk. This is predominantly a result of the rapid development and use of technology to make things more efficient, effective, and faster. Cyber criminals are constantly looking for ways to exploit this proliferation of software and technology, forcing information technologists and consumers to be conscious of how their actions may be lending themselves to cyber risks.
We have already touched on the need for information security to integrate and become a stronger partner with the business. Educating and training the information security and technology function on business processes enables a more fluid discussion on cyber exposures and the implications on business processes. Plus, educating the business on the types of cyber risks may help in the identification of events. Although there are feeds coming into the organization about exposures, as we've seen there are also ancillary signs of concern, such as TDoS calls or weak segregation of duties in customer verification. Spotting these signs and developing appropriate and timely escalation procedures can result in early mitigation strategies, either stopping or reducing the likelihood of financial, data, or reputation loss.
Employees aren't the only ones who would benefit from training and education. Customers will too. The press has done a good job of publicizing, for example, topics like identity theft, but there is an implicit assumption that consumers have that organizations are well controlled and financial and personal information is highly secure. Organizations can be more proactive by educating their customers on the controls necessary to counter cyber risk. One common example of this is two-step verification, where customers provide two pieces of information that secure their identity. This may include requirements for strong passwords as well as text messaging of codes for final authentication. (Codes delivered by text message are a weaker second factor than an authenticator app or hardware token, since the messages can be intercepted or redirected to an attacker's phone, but they are still far stronger than a password alone.) These controls not only benefit the organization, but the
customer as well. It adds extra steps in the control structure, and customers need an understanding of why there is a heightened level of control necessary. This is frequently missing.
Education also extends to escalation. Customers, as well as the business, need a clear channel and means for communicating concerns about cyber threats. What are the protocols if a potential cyber risk is identified? Given the pervasiveness of cyber risk, it wouldn't make sense to wait for the risk management group to perform its risk and control assessment process. The risk may have occurred and damage been inflicted by that time. With a nimble risk management process, the business can engage risk to evaluate cyber exposures in real time. A GRC solution can assist through the monitoring of metrics and tolerance levels. Questions and actions can be self-generated through the solution to evaluate the need and specificity required to address the risk.
Customers also need a means of communicating possible events such as phishing. Creating a medium for customers to contact the organization about concerns should be made simple and easy to do. Once information is shared, the organization needs a means to feed the data back into the GRC and information security systems in order to properly evaluate and, if appropriate, take action against it.
Regulatory Attestations

Complying with laws and regulations has taken center stage in the risk management space in recent years. The expectations from regulators have grown: organizations must be able to articulate that they are in control, that risk management practices are in place, and that those practices are sustainable. The volume of legislation seems to have two focuses, one on cyber effects (such as data protection) and the other on cyber itself.
For example, the Cybersecurity Act of 2015 in the US promotes and encourages the private sector and the government to rapidly and responsibly exchange cyber threat information. [12] Companies, though, struggle with the best intentions of the government and this bill. Internal general counsel question the process and its outcomes: "What's going to happen with the information once it's been shared?" "What if it leaks?" "What if we are accused of lying to someone?" "What will our Board think of our situation?" These are all good and appropriate questions to ask. A cyber event intensifies these questions when it affects customers. The widespread adoption of social media necessitates that organizations' risk management practices be highly nimble and flexible to respond to concerns, questions, and complaints.
Conversely, the compulsory side is more pressing. There is a litany of regulations that focus on the integrity of information systems and the protection of company assets. Cyber risk is at the crux of the actions necessary to demonstrate compliance. For example, the SEC's Regulation Systems Compliance and Integrity (Regulation SCI) states that affected entities must establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capabilities. [13] Similarly, the PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. [14] Cyber-attacks can be at the center of disrupting organizational objectives of meeting these aforementioned regulatory examples and many others.
[12] P.L. 114-113, Division N; H.R. 2029, 114th Congress (2015-2016), www.congress.gov/bill/114th-congress/house-bill/2029/text
[13] www.sec.gov/spotlight/regulation-sci.shtml
[14] www.pcicomplianceguide.org/pci-faqs-2
So how can an organization demonstrate compliance? Regulators want to have confidence that the risk management program is in place, is understood by the organization, shows evidence of use, and is something that is sustainable. A GRC technology solution is critical to this success. First and foremost, the GRC technology can provide a link into, and help to disseminate, the company's policies and procedures. For example, if a new cyber law or regulation were to come into effect, the GRC solution can help to identify which policies and procedures would be affected and provide the workflow to update and disseminate them to the organization. The technology can provide a central source for the risk management methodology and supporting data. It helps to provide the evidence that the governance model is working and that critical facets of organizational expectations are available and up to date.
Enabling Technology

The GRC solution also acts as a foundation for the risk management process. Each part can be supported by the solution, offering the enabling tools to execute the process, store and evaluate the data, and report on it. This not only applies to the risk management process itself, but provides the linkage to the underlying business processes as well by correlating the risk and control data to the value chain. This helps to operationalize the risk management process and make it relevant to the business.
The GRC's workflow provides a systematic and repeatable way to execute the risk management process. So, for risks like cyber, it provides clear, and repeatable, steps to identify, assess, evaluate, manage, monitor, and report on the risk. Moreover, as we've already discussed, the process can be made dynamic and malleable to respond at the speed at which cyber risk occurs.
The technology also acts as a central repository for risk data. This makes it possible to mine the risk data at any given point in time. This is powerful, as it provides a wealth of risk data to understand the risk and its past, and to provide the basis to extrapolate potential exposures. Additionally, the audit trail of risk data sets the basis for explaining changes in the risk profile. Using legacy risk data can demonstrate how prior actions (or inactions) to treat a risk have actually benefited (or detracted from) the organization. Capital expenditures and resource allocations can be evaluated on whether they met their objectives. This puts clear accountability on the first and second line to collectively assure that risks are within tolerance.
Metrics can also be created and monitored in real time through the GRC solution. The establishment of Key Risk Indicators (KRIs), as an example, can be used to monitor whether risk events are approaching or have breached tolerance levels. This can indicate the need for evaluation and analysis of whether to take action and improve the control environment. KRIs can be monitored through creating bespoke dashboards and reporting.

Figure 2: Illustrative CISO Dashboard
A highly configurable GRC solution is especially useful in the management of risks like cyber due to the frequency of their occurrence and the flexibility needed to evaluate the exposures. GRC solutions that require a high degree of coding aren't able to provide the nimbleness of identifying, assessing, and responding to these risks in a timely fashion. Additionally, configurability assists with understanding the risk profile. Creating dashboards (see Figure 2) that are unique to the user's responsibilities provides snapshots of the risk environment in real time. This enables the quick identification of issues and areas of concern, resulting in prompt responses, mitigating unwanted exposures.
Cyber's link with processes and people makes it necessary to be included as part of the operational risk profile. Audit, in its independent third-line responsibilities, also needs to have a clear understanding of how cyber is managed and controlled throughout the first and second line. Thus, although there is benefit from having a unique information security solution to manage cyber risk, the processes, findings, and data should link across other GRC solutions within the organization. It's only then that there is clarity and clear linkage on what the organization's risk profile looks like, so that there isn't disparity in data or outcomes when information is presented to the risk committee, audit committee, and the Board.
Reporting

Reporting requires the organization to be able to disaggregate a risk to its parts. This is particularly true when reporting to executives, risk and audit committees, and the Board, because risk is usually a pretty broad topic on the agenda of these discussions; e.g., operational risk, credit risk, etc. Obviously, the organization's industry and business model dictate the length of risk topic discussions. For financial services, it's typically credit risk; for technology companies, it's information; for manufacturers, it's operations.
Regardless, risks tend to be defined in large tranches in order to separate the discussion and the conclusions from analyses – for example, cyber risk is generally categorized under "systems" risk within operational risk (e.g., using the Basel definition that defines operational risk as the risk of loss from inadequate or failed internal processes, people, systems, or from external events). However, as we've seen, cyber can also extend to other operational risk categories including the actions (or inactions) of people, failed internal processes, or external events (such as vendor or 3rd party dependencies). As a result, it's important to articulate and provide a pithy explanation of how cyber is interrelated with other risks in order to provide a true reflection of the actual severity. This requires making some judgment calls on the diversification effects of these risks and the benefits of common controls and their effects at reducing severity.
Reports should also have a balance between risk metrics, data, analysis and interpretation, and qualitative interpretations. The balance of qualitative versus quantitative information will vary. More detail and firmer metrics will be borne out of lower-level definitions of the risk. For example, breaches over a period of time can be easily codified, but their overall effects will require some judgment to determine the overall impact.
As a result, expert judgment may need to be used to aid the aggregation process as well as interpreting results. Expert judgment can come from multiple sources. The term "expert" can also be loosely applied. Organizations with mature risk management practices have been known to query not only individuals within the organization, but also customers, vendors, and external audit to help inform conclusions on a risk's impact. It's important to note that judgment should not replace data, but should complement it. Risk functions need to ensure that when expert judgment is applied, the process is clearly documented and transparent to bring clarity and consistency to the process.
Besides providing a perspective of the past, reports should also try to be predictive. Organizations need to develop forward-looking assertions. This includes risk topics and measures that may signal early warnings of any potential breaches of risk limits that may exceed the bank's risk tolerance/appetite. These subjects should be both within the organization's experience as well as those it hasn't experienced. Lessons from other industries, competitors, or from different geographies and markets can be powerful learning tools.
Scenario development is a technique that may be used to extrapolate a risk's effect on the organization. Scenarios are used to try and predict how certain future risk events may impact the organization, including evaluating the existing management and control environment as well as evaluating capital expenditures to increase (or decrease) the company's assets. These scenarios are increasingly challenging to develop within the context of cyber. Involving information technology is paramount to developing a robust scenario because of the breadth of information technology both within and outside the company.
Reporting should also provide results and conclusions on stress testing, which provides support to forward-looking exposures. Stress testing applies to both existing and future risks, taking into account assumptions on the risk's variables. Examples include breaches in systems, increases in volume, basis point jumps in interest rates, shrinking or growing customer base, or temporary or permanent loss of a significant supplier. The variability of the risk's severity should be a topic for discussion to determine the efficacy of the stress test and whether additional action or control may be necessary.
The culmination of this information can be overwhelming as evidence for the conclusions typically results in a binder full of data. Executives and Boards alike expect a synopsis on the organization's top 3–5 risks, including impacts on the business and profitability. Actions to treat the exposure need to be clear with accountable owners and demonstrable benefits. Findings and conclusions on significant risks, such as cyber, should include specific time on the agenda from the individual most knowledgeable on the subject, like the CISO. Only then can credibility be lent to the specificity provided to answer any detailed queries.
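To make the disaggregation, judgmental aggregation, stress testing and KRI points above concrete, here is a constructed Python example added by the editor; it is not from the whitepaper or from any BWise product, and the risk library, loss figures, correlation parameter and KRI thresholds are all made-up assumptions.

```python
"""Constructed example (not from the whitepaper): a tiny risk library that
disaggregates cyber into sub-risks inside the operational risk taxonomy,
rolls them up with an explicit diversification judgment, applies a stress
scenario, checks KRIs against tolerance, and ranks the top risks for an
executive summary. Every figure below is made up for illustration."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Risk:
    path: tuple            # position in the risk library, root first
    inherent: float        # constructed annual loss estimate before controls
    control_effect: float  # share of inherent loss the controls remove (0..1)

    def residual(self, stress=1.0):
        """Residual exposure, optionally scaled by a stress multiplier."""
        return self.inherent * stress * (1.0 - self.control_effect)


@dataclass(frozen=True)
class KRI:
    name: str
    risk_path: tuple
    value: float
    tolerance: float
    higher_is_worse: bool = True

    def breached(self):
        if self.higher_is_worse:
            return self.value > self.tolerance
        return self.value < self.tolerance


# Constructed risk library: cyber sits under Systems within Operational risk
# (the Basel categorisation the text mentions), with sub-risks beneath it.
RISKS = [
    Risk(("Operational", "Systems", "Cyber", "Malware"), 4.0, 0.5),
    Risk(("Operational", "Systems", "Cyber", "Phishing"), 6.0, 0.5),
    Risk(("Operational", "External", "Vendor outage"), 5.0, 0.2),
    Risk(("Operational", "People", "Insider misuse"), 2.0, 0.5),
    Risk(("Credit", "Counterparty default"), 10.0, 0.5),
]

# Constructed KRIs with tolerance levels; a breach is the signal to evaluate
# whether to act on the control environment.
KRIS = [
    KRI("phishing click rate (%)",
        ("Operational", "Systems", "Cyber", "Phishing"), 6.5, 5.0),
    KRI("critical patches within SLA (%)",
        ("Operational", "Systems", "Cyber", "Malware"), 92.0, 95.0,
        higher_is_worse=False),
    KRI("overdue vendor assessments",
        ("Operational", "External", "Vendor outage"), 2, 3),
]


def under(path, node):
    """True when `path` is `node` itself or lies beneath it in the library."""
    return path[:len(node)] == node


def residuals(risks, stress=None):
    """Residual exposure per leaf. `stress` maps a library node to a
    multiplier applied to every leaf under it (a stress-test assumption)."""
    stress = stress or {}
    out = {}
    for r in risks:
        factor = 1.0
        for node, mult in stress.items():
            if under(r.path, node):
                factor *= mult
        out[r.path] = r.residual(factor)
    return out


def aggregate(risks, node, rho, stress=None):
    """Roll the leaves under `node` up with a constant pairwise correlation.
    rho=1 is a plain sum (no diversification credit), rho=0 treats the
    sub-risks as independent; anything in between is the judgment call."""
    xs = [v for p, v in residuals(risks, stress).items() if under(p, node)]
    total, sum_sq = sum(xs), sum(x * x for x in xs)
    return sqrt((1.0 - rho) * sum_sq + rho * total * total)


def breached_kris(kris):
    """Names of KRIs outside tolerance, in library order."""
    return [k.name for k in kris if k.breached()]


def top_risks(risks, n, stress=None):
    """The top-N leaves by residual exposure, as (label, value) pairs."""
    ranked = sorted(residuals(risks, stress).items(), key=lambda kv: -kv[1])
    return [(" / ".join(p), v) for p, v in ranked[:n]]


if __name__ == "__main__":
    cyber = ("Operational", "Systems", "Cyber")
    # Stress scenario assumption: a systems breach triples malware losses.
    scenario = {cyber + ("Malware",): 3.0}
    for label, rho in (("summed", 1.0), ("judgmental", 0.5), ("independent", 0.0)):
        print(f"Cyber exposure ({label}): {aggregate(RISKS, cyber, rho):.2f}")
    print("Operational, rho=0.5, under stress:",
          round(aggregate(RISKS, ("Operational",), 0.5, scenario), 2))
    print("KRIs breaching tolerance:", breached_kris(KRIS))
    print("Top 3 risks under stress:", top_risks(RISKS, 3, scenario))
```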
Having a management information system (MIS) that is geared to risk data and management makes reporting less taxing. A challenge many organizations face is identifying sources of risk data across the organization. Data not only comes from systems and applications (such as SAP, PeopleSoft, Microsoft Excel, Access, Word, SharePoint, etc.), but from disparate conversations from committees, regulator conversations, and audit. External data feeds (e.g., from third parties, social media, news feeds, etc.) also need to be accounted for. As we've discussed, cyber threats can be monitored through vendor solutions and provided to the organization. Other items such as regulatory changes can also be identified through external feeds as well. A GRC solution that is geared to handling the data from these mediums makes report production simpler, especially one that can be configured to the organization's risk management methodology, taxonomy, and process. Producing periodic executive and board reports is an important part of the process, but it also needs to be nimble. Cyber risks occur with great frequency, so having a tool that assists in the evaluation of a risk's criticality assures that harmful events are actioned sooner rather than later.
The business and risk functions are challenged with centralizing, automating, and making sense of the aggregated view of the structured and unstructured data that is produced by the organization's systems. Leading organizations have adapted their GRC tools to automatically aggregate this data and put it in both a risk and business context. Limited resources, increased competition, and goals to create turnover have put the impetus on having a technology solution that can produce dashboards and reports in real time that enable the business to understand a risk's effects on operations, its people, systems, and customers. This assists business management in making informed decisions to prevent unwanted threats while allowing for the capture of opportunities.
In an environment where technology is diffusing the risk management practices of the organization, having a fluid risk management process supported by a strong GRC technology solution is critical. Risks, such as cyber, are ever evolving and more pervasive than ever. The ability for the organization to identify cyber risk in real time, evaluate its criticality, and take timely action will go a long way to assure that unwanted exposures are dealt with in a timely manner. This will not only provide confidence to executives and the Board, but demonstrate to stakeholders, such as regulators, that there is a robust process in place; one that is responsive, in compliance, and sustainable. GRC technology enables this process by integrating into the organization's governance model, acting as a central repository for storing and mining risk data, and linking to third party data sources to provide users with an easy way to see and understand the risk and control environment. This powerful enabler provides confidence that cyber exposures are quickly identified, acted upon, and mitigated before manifesting themselves in financial and reputational losses.
About the author: Ladd Muzzy is a principal at Nasdaq BWise. He has over twenty years' experience in developing, implementing, and coordinating risk management programs. He has held senior corporate (Bank of Montreal, Barclays, Capital One) and consulting leadership risk management positions. Many of his experiences involve evaluating an organization's risk management philosophies and current practices to move them to leading practice. Ladd can be reached at Ladd.Muzzy@nasdaq.com. To read more from Ladd Muzzy and our other GRC experts, follow us on LinkedIn: https://www.linkedin.com/company/bwise
About Nasdaq BWise: Nasdaq BWise is a global leader in Enterprise Governance, Risk Management and Compliance (GRC) software. Based on a strong heritage in business process management, the BWise® GRC Platform provides companies with highly-rated, proven software solutions for Risk Management, Internal Control, Internal Audit, Compliance & Policy Management, Information Security and Sustainability Performance Management.
BWise's end-to-end solutions support an organization's ability to understand, track, measure, and manage key organizational risks. Nasdaq BWise helps companies truly be in control by balancing performance with their financial and reputational risks, improving corporate accountability, and increasing financial, strategic and operating efficiencies. Using BWise, organizations are able to efficiently comply with anti-corruption regulations like FCPA and the UK Bribery Act, the Sarbanes-Oxley Act, European Corporate Governance Codes, ISAE 3402/SAS-70, PCI-DSS, Solvency II, Basel II and III, Dodd-Frank, ISO standards, and many more.
Nasdaq BWise has sales, service and support offices around the globe that provide for the GRC needs of hundreds of leading companies worldwide. For more information, visit www.bwise.com.

More Related Content

What's hot

From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksAndréanne Clarke
 
Adopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityAdopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityEMC
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskElizabeth Dimit
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer
 
Reducing-Cyber-Risk-Whitepaper-Email (UK)
Reducing-Cyber-Risk-Whitepaper-Email (UK)Reducing-Cyber-Risk-Whitepaper-Email (UK)
Reducing-Cyber-Risk-Whitepaper-Email (UK)Mark Baker
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsDean Evans
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemAustin Eppstein
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk ManagementDeepak Bansal, CPA CISSP
 

What's hot (17)

Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber Confidence
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
Adopting Intelligence-Driven Security
Adopting Intelligence-Driven SecurityAdopting Intelligence-Driven Security
Adopting Intelligence-Driven Security
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
 
Reducing-Cyber-Risk-Whitepaper-Email (UK)
Reducing-Cyber-Risk-Whitepaper-Email (UK)Reducing-Cyber-Risk-Whitepaper-Email (UK)
Reducing-Cyber-Risk-Whitepaper-Email (UK)
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
 

Similar to Cyber Management vfd

AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco systemDavid Sweigert
 
Communication is Key to Addressing Ransomware and Extortion.pdf
Communication is Key to Addressing Ransomware and Extortion.pdfCommunication is Key to Addressing Ransomware and Extortion.pdf
Communication is Key to Addressing Ransomware and Extortion.pdfEnterprise Insider
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber securitySAHANAHK
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital FutureCognizant
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeNishantSisodiya
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxSUBHI7
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docxLyndonPelletier761
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docxherminaprocter
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameTatainteractive1
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 

Similar to Cyber Management vfd (20)

AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
 
Communication is Key to Addressing Ransomware and Extortion.pdf
Communication is Key to Addressing Ransomware and Extortion.pdfCommunication is Key to Addressing Ransomware and Extortion.pdf
Communication is Key to Addressing Ransomware and Extortion.pdf
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 

Cyber Management vfd

  • 1. Page 1 of 12 How Does Cyber Effectthe Risk Profile ofthe Organization? Cyberriskhas become anincreasinglychallengingrisktounderstandandmanage. The proliferationof technologycontinuestoforce organizations toadapttheirriskmanagementphilosophiestothiseverpresent, everchangingrisk. Aslongas organizationscontinue toadoptnew technologies,theyautomaticallyincrease newcyberand informationtechnologythreats. Organizationscanthwartthese threats,simplify informationsecurity, andreduce the burdenof regulatory compliance by adaptingthe riskmanagementprocess. A more dynamicand holisticapproachshouldbe developedwhereestablishedcommunicationmechanismscanensure thatthreatsare addressedinreal time and understoodbyabroad range of interestedstakeholders.Moreover, utilizingaGRC technology solution that’sable to centralize dataandlinkcyberthreatswiththe otherrisks isimportantto provide evidence that the program isin place,beingsustained,andproducinghighqualityoutput. Thisscalingof riskmanagement won’tjustmake your organizationsafer,itwillalsohelpinformandenhance businessdecisions. Studies1,2 continue toshowthatcybersecurity remainsatop concernfor organizations’informationsecurity executives. Forexample,inone study,76%of the respondentssaidtheywere concernedaboutcybersecurity threats,upnearly30% fromthe year prior.3 The occurrence of cyberincidents isup,where nearly 80%4 had detectedasecurityincidentinthe lasttwelvemonths. Employeesare alsocontributingtothis. Inanothersurveyexample,more thanhalf5 saythat theylackthe skilledresourcestosubstantiateinformationsecurity’scontributionandvalue. Organizationsare struggling withhowto integrate thissubjectwiththe broaderorganizational riskmanagementprocessesandgovernance standards. Perhapsthisisa result of the use and proliferationof technologybyusall. The businessandinformation securityhave continuallyusedtechnologyasameansto create efficiencies,buildincontrols,share information,etc. 
Customerstooare constantlysearchingforandadoptingtechnologytomake theirlives easier,more efficient,andfaster. This isonlyexpectedtoincrease (see Figure 1). Figure 1 Year 2003 2015 2020 WorldPopulation6 6.3 Billion 7.3 Billion 7.8 Billion ConnectedDevices7 500,000,0008 4,900,000,000 20,800,000,000 ConnectedDevicesPer Person 0.08 0.67 2.7 1 EY’s 2015 Global Information Security Survey: 1,755 CIOs,CISOs,c-level,and information security executives from 67 countries 2 PwC’s 2015 US State of Cybercrime Survey 3 Ibid 4 Ibid 5 EY’s 2015 Global Information Security Survey 6 Data.worldbank.org 7 Gartner Research; http://www.gartner.com/newsroom/id/3165317 8 Cisco Internet Business Solutions Group (IBSG), “The Internet of Things,How the Next Evolution of the Internet is ChangingEverything,” DaleEvans, April 2011, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
  • 2. Page 2 of 12 The cyber threatisreal. There have beennumerousexampleswhere cybersecurityhascome intoquestion. Breachesat companieslike Target,Sony,andAshleyMadison,toname a few,have caughtnational headlines. Resultsinclude reparationsinthe millionsof dollars,thousandsof identitiesbeingstolen,shareholdervalue lostinthe billions,andcorporate reputationstarnished. Questionsare startingtoarise fromregulatory agencies,advocacygroups, counsel,andcustomersof whatorganizationsare doingtomanage these risks. In response,organizationsare lookingmore closely atcyberriskand itsfitwithintheirGovernance,Risk,and Compliance (GRC) frameworkandtools. Top Downv. BottomUp There are twoapproacheswhenmanagingriskinthe context of exposures(e.g.,cyberrisk) –(1) top down, and (2) bottomup. Althoughthese twoshouldnaturallymarryandprovide clearlinkages,theyoftenrunin parallel andcreate philosophical argumentsonwhichisbetter. Forexample,below isabrief list of the pros and consof tacklingthe subjectfroma top downpointof view: Pros  Executive led  Clearsupportfromthe top  Internal/External sharingof informationacross the organization  Consistentcommunication  Commontaxonomyandprocess  Alignmentacrossthe lines-of-defense  Alignmentwiththe cadence of the business (e.g.,planning,budgeting) Cons  Unique businessactivitiesnotnecessarily accountedfor  Risksaddressedinisolation  All risksseenascritical (lackof prioritization)  No economiesof scope andscale in management/action  Lack of cleartie to organizational riskappetite and tolerance levels  Unclearlinkto processes A similarsetcouldbe createdfromthe opposite perspective. Cyberriskis a bitunique andshouldbe evaluated9 slightlydifferentlyinthe contextof the riskmanagement processesusedtounderstandandmanage it. On the one hand,experience hasshownthatitcan have both a significantfinancial andnon-financial impactonthe organization,makingit potentially one of the toprisksto the organization. 
However, cyber-attackshappenwithsuchfrequency10 thatit’stypicallydepictedinthe top rightcorner of a traditional heatmap (see illustrative heatmapbelow),withthe onlyvariabilitybeingthe assessmentinthe impact(forexample,atypical riskassessmentprocesswill be the likelihoodof occurrence overa year period – whichissetto alignwithstrategicplanningandbudgetingprocesses): 9 The evaluation of risk typically occursfroman inherent (or absent controls) and a residual (with controls and management activities in place) basis 10 Norse Corporation Map; map.norsecorp.com; example showingevidence over an hour on a non-descriptday when over 10,000 attacks hitthe US from all over the world,4,000 from China alone
  • 3. Page 3 of 12 InherentRiskAssessment Residual RiskAssessment Dependingonthe tolerance level(denotedbythe line (lookslike steps) inthe heatmapgraphsabove) of the risk,actionwill be requiredtomitigate and/ormanage the riskwithsome diligence. Evaluatingthe Efficacyof the RiskManagementProcess Evaluatingcyberriskinthe contextof otherrisksis one of necessitytoinformthe riskprofile,orthe aggregatedexposure level of the company’sportfolioof risks.Asthe above example shows,cyberrisk managementshould,ataminimum,justifyaformal review forcreatingabespoke processtoevaluate its effectsonthe organization. The process starts withthe identificationof cyberrisks. Thisrequiresnotonlyanunderstandingof the risks facingthe organizationitselfbutalsoitscustomers,vendors,andotherthirdparties. One onlyhastolookto recentpublications forexamples. Inone,hackershadbreachedacompany’scomputersystemsand compromisedthe personal dataof 1.5 millioncustomersresultinginthe exposure of 1.1millionsocial security numbers. Thisstolendatawasusedto create fake debitcards that were usedto withdrawal more than$9 millionfromautomatedtellermachinesworldwide. Otherexamplesinclude phishingtechniques,Telephone Denial of Service (TDoS) andDistributedDenial of Service (DDoS) attacks,ATMskimmingandPoint-of-Sales (PoS) schemes,malwareon mobile devices,and the infiltrationandexploitationof organizational supply chains. Regardlessof the medium,the identificationof cyberriskrequiresexpertise andthe involvementof informationtechnology. However,understandingthe impactrequires investigationand collaboration. The identificationof cyberriskisnotany differentthanwhatwouldbe usedtoidentifyotherrisksthatmay impactthe organization. Cyberriskisprimarilyfocusedonthe informationalandtechnological operational risks,butincludespeopleandfacilitiesshouldtheysupportinformationandtechnologyassets. Inorderto be effective,risksmustbe definedinsuchawaythat it allowsforthe aggregationanddisaggregationof the topic. 
As we sawfrom the previous paragraph,cyber(the mostbroadlydefined) riskmightbe brokendownintotwo or three sub-categories. A sub-categorymightbe malware withfurtherdefinitionsunderthatsuchas Trojan horses,worms,viruses,etc. Definingthe libraryof riskinthisfashioncreatesgreatertransparencyintothe causesof the riskand can assistindefiningwherethe riskmayreside withinbusinessprocesses. Italsoacts as a meansto clearlydefine coursesof action,investmentsincontrols,andmetricstodetermine theirefficacyon reducingthe risk’sexposure. Nowthat the cyberrisk categorycan be brokendownto itsmore specificparts,the assessmentbegins. Executionof the assessmentrequiresthe informationtechnologyexpertstoworkcollaborativelywiththe business. Thisnecessitatesthe informationtechnologyandsecurityguysandgirlshavingabetter understandingof the keybusinessprocessesdrivingthe growthandprofitabilityof the organization. Itis Likelihood Impact Likelihood Impact
  • 4. Page 4 of 12 unreasonable toexpectthe business,those doingthe day-to-dayactivities, tohave the knowledge of how frequentlycyber-attacksoccurnorhave an indicationof the extentof damage theycouldinflict. Viewingitin thiscontexthelpswiththe prioritizationof cyberriskinrelationtootherrisks facingthe organization. Moreover,thisprioritizationhelpswithdeterminingthe investmentsrequiredtothwartanyexposure through the allocationof capital andemployees’time. Anotherimportantfacetinhelpingtoevaluatethe assessmentof cyber riskisthe linktothe company’s BusinessImpactAssessment(BIA). The BIA providesthe insightinto the consequencesof adisruptiontothe business’functionsandprocesses. The evaluationof the systemsandtechnologiesare alsoincludedaspart of thisprocess – the impact,timing,anddurationof a disruption. The resultisaprioritizationof the company’s assetsbytheircriticalitytothe business’operationsandthe needtohave themavailabletoexecute critical processes. Cyber-attacksonthe organizationmayfocusonthe vulnerabilitiesof these assets. The information securityprofessionalscanuse the GRC technologytotake the BIA,compare that tothe cyberthreats,anduse that as anotherbasisforconcludingthe overall assessmentof the risk. It isalso essentialtoclearlyarticulate whatthe cyberprofilewilllooklike. Thismayresultina completely differentlookingheat map,where the company’sconservatismof addressingcyberriskshowingmore harmful (e.g., redandorange squares) areas. Additionally,the tolerance level mayvaryaswell,movingdown,for example,toaddress the reducedtolerance forthe risk’soccurrence andseverity. Anothermodificationmaybe inclearlyarticulatinglikelihoodandimpactparameters. Inthe eventof cyber risk,the likelihoodof occurrence mayneedtobe definedasthe likelihoodof occurrence overaweek’speriod (or at leastsomethinglessthanayear!). 
Risks like cyber, and fraud for financial services companies, occur with such frequency that risk management functions are exploring how to modify their assessment methodology to be more relevant to a particular risk’s occurrence. In contrast, risks such as natural disasters, class action lawsuits, and mis-selling occur with much less frequency. As a result, having a process that reflects these variables can greatly improve the understanding of the risk profile, allocation of resources, and capital expenditures for controls.

Moreover, the definition of impact also needs exploring. Is it defined as the impact should the risk occur? Or the expected impact (independent of the likelihood)? The nature of cyber events also should dictate assessing the impact from both a quantitative (financial) and qualitative (reputation) perspective. These simple questions and reflection on the process may result in a more meaningful and valuable information security assessment.

Most organizations with mature risk management practices offer impact assessment scales on both a quantitative and qualitative scale. Although the qualitative scale lacks the rigor and measurement needed to help substantiate how the risk profile is changing, it enables those with less knowledge to evaluate criticality in areas like reputation, or when the risk is something that hasn’t been experienced by the organization in the past. Scenarios are a good example, where stress testing or hypotheses are formed to understand the effects of adverse conditions on the organization’s products/services, assets, and operations. These factors are discussed further in reporting.

Another consideration is to have a technique that is reflective of the rate at which cyber events may occur. It may be worthwhile to analyze the risk from an actuarial approach where modeling is used to define frequency (e.g., a Poisson distribution) and severity (LogNormal, Weibull, Gamma, Pareto, etc.). This can produce a VaR (Value at Risk) at varying confidence levels.

The evaluation of cyber exposures has been made easier through the incorporation of technology.
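The actuarial approach described above, together with the week-versus-year likelihood question raised earlier, worked through as an added example (not code from the whitepaper or from Nasdaq BWise): frequency is Poisson, severity is LogNormal or Pareto (two of the families the text lists), and VaR is read from a Monte Carlo simulation of the annual aggregate loss. The event rate, loss sizes, and the 52-week year are constructed assumptions.

```python
"""Frequency/severity (actuarial) model of cyber loss with a Monte Carlo VaR.

Added example, not code from the whitepaper: event frequency is Poisson,
severity is LogNormal or Pareto, and the aggregate annual loss distribution
is simulated so that VaR can be read off at chosen confidence levels. The
same Poisson rate also gives the likelihood of at least one event over a
week versus a year. All parameter values are constructed for illustration.
"""
import math
import random
from typing import Callable, Dict, List

Sampler = Callable[[random.Random], float]   # draws one loss severity


def poisson(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) event count with Knuth's multiplication method."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def lognormal_severity(median_loss: float, sigma: float) -> Sampler:
    """LogNormal severity with the given median; sigma is the log-scale spread."""
    mu = math.log(median_loss)
    return lambda rng: rng.lognormvariate(mu, sigma)


def pareto_severity(minimum_loss: float, alpha: float) -> Sampler:
    """Heavy-tailed Pareto severity: losses start at minimum_loss, shape alpha."""
    return lambda rng: minimum_loss * rng.paretovariate(alpha)


def simulate_annual_losses(events_per_year: float, severity: Sampler,
                           n_sims: int, seed: int = 1) -> List[float]:
    """One simulated year = a Poisson event count, each event a severity draw."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_sims):
        n_events = poisson(rng, events_per_year)
        losses.append(sum(severity(rng) for _ in range(n_events)))
    return losses


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical VaR: the annual loss not exceeded in `confidence` of years."""
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, index))]


def probability_of_at_least_one_event(events_per_year: float,
                                      horizon_weeks: float) -> float:
    """P(N >= 1) for Poisson arrivals over the horizon (52 weeks per year)."""
    return 1.0 - math.exp(-events_per_year * horizon_weeks / 52.0)


def risk_summary(events_per_year: float, severity: Sampler,
                 n_sims: int = 20000, seed: int = 1) -> Dict[str, float]:
    """The figures a risk function would carry onto a heat map or board report."""
    losses = simulate_annual_losses(events_per_year, severity, n_sims, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "var_99_9": value_at_risk(losses, 0.999),
        "p_event_in_a_week": probability_of_at_least_one_event(events_per_year, 1),
        "p_event_in_a_year": probability_of_at_least_one_event(events_per_year, 52),
    }


if __name__ == "__main__":
    # Constructed parameters: 12 loss-causing incidents a year, median loss 50,000.
    summary = risk_summary(12.0, lognormal_severity(50_000, 1.0))
    for key, value in summary.items():
        print(f"{key}: {value:,.3f}")
```

Note how the weekly likelihood (about 21% for a rate of 12 events a year) and the annual likelihood (essentially certain) describe the same risk; the horizon chosen for the heat map changes the likelihood score, not the exposure.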
Leading practice dictates utilizing external feeds to assist in the indication of a cyber threat and utilizing history, knowledge, and algorithms to predict the potential severity. However, the data coming in from internal sources and external, disparate vendors can be overwhelming. Utilizing a GRC solution that incorporates all internal and external data feeds into a single platform makes deciphering the data that much simpler. It also enables the business to synchronize its control environment with the impact of cyber risk events. Only then can information security weigh the myriad of alerts, translate them into the organization’s processes and profile, and develop the means to address the most salient exposures.

Moreover, being able to tie the results of these processes into business requirements is essential to driving relevancy and value. The simplest example of this is linking the risks to the business continuity and resiliency plans, as well as the business impact assessments that are being performed. Through this process, critical activities and supporting systems are enumerated. Once again, having a GRC technology that is able to use that information and pull it into the analysis of cyber threats helps to marry critical applications/technology used by the business with the risks. Only then can the business, in collaboration with information security, make informed decisions on whether, and how, to treat the threats impacting the most critical operations of the organization. This, once again, helps with determining how to spend precious capital and optimally allocate resources.

Another facet of managing cyber risk is in the security assessment. This is akin to the monitor phase in a typical risk management process. In this case, we want to explicitly review whether the implementation of controls and/or management activities has occurred and gain evidence that they are in place and working as intended. A GRC solution can enable the capture, storage, and mining of this data as evidence. Moreover, the information and conclusions can link with other GRC solutions (e.g., operational risk, compliance, audit), as an integrated GRC platform, to provide a more holistic picture of the risk profile.

Cyber, although requiring some evaluation of how to customize it to the organization’s risk framework, still relies on the principles established through other risk disciplines like operational risk. In fact, Basel, which acts as a central bank within the financial services sector, considers systems part of the operational risk definition.11 This should necessitate having cyber be an explicit part of the operational risk profile discussion.

In fact, leading practice dictates having a single-subject discussion be part of the quarterly update to the Board of Directors and the executive committee (including the risk committee) for risks carrying a potentially significant impact on the organization. Cyber should be part of the cadence in this process. This is challenging to do efficiently given the brevity of certain risk topics on the agenda (see the reporting section below). Moreover, cyber, depending on the organization and its control structure, may not even rise as one of the most significant risks. Also, as an executive, neither the pervasiveness of attacks nor the potential damage they may cause will be widely known to me. This is because there is a cognitive bias by those presenting and managing information security to portray a better than average management and control environment. It is these individuals whose job, performance, and incentive structure is to protect the organization from cyber threats. What incentive is there to present a “doom and gloom” picture? This is where the robustness of the risk management process comes into play. Not only should there have been an effective challenge by the second line and the CRO, but it should be substantiated through audit. The Board and executives are looking for an understanding of how risk is affecting profitability, so explaining the severity of the risk in as quantitative terms as possible is a plus.

Remember too that cyber risk does not have independent effects. It’s not just the technology that must take focus, but the precipitation of implications on the underlying processes and human intervention activities.

11 Bank for International Settlements, Consultative Document on Operational Risk, January 2001, p. 2
Cyber-attacks are designed to identify and take advantage of weaknesses in the technology infrastructure and overarching business activities. In each case, the underlying organizational process is called into question: is it designed appropriately? Can it be structured differently? Can a better set of controls be developed and implemented? Technology obviously plays a huge role here as the controls are predominantly system focused. Moreover, it should require engaging the business as well for a broader view of looking at the process from end to end. In this example, this may include third and fourth party vendors/subcontractors and verification procedures for customer access to organizational systems.

GRC technology can help in this effort as well. Leading GRC solutions have the ability to tie the risk and control information back to key value chain processes. This makes causal analysis much simpler by creating workflows that identify the process pieces where risks are likely to occur or where controls are deficient, leading to indicators of potential exposures (e.g., the creation and monitoring of Key Risk Indicators (KRIs)). This enables both the business and second line of defense to understand where breakdowns are occurring and create a tactical plan forward to address the exposure.

The linkage of cyber threats to other risks and operations calls into question the efficacy of the organization’s business continuity and resilience plans. This is because a cyber event can suspend or disrupt normal business operations. Given the varying nature of cyber risks, are employees aware of how they may unsettle their activities, systems, and customers? Moreover, cyber risks are always evolving, so detecting their occurrence and understanding the magnitude of potential disruption requires ongoing education and partnership between the business, external constituents (like vendors), and information security.

Correlation and Diversification

Risks are rarely independent; they correlate with one another. It’s therefore critical to understand the up and downstream effects of how a risk’s occurrence affects the value chain. This not only includes how other risks may occur, but how the snowballing effects of severity can mount. One organization suffered a distributed denial of service attack on its website, disabling its customers from traditional services they had become accustomed to, in this example bill pay. The organization’s systems and infrastructure were not prepared for the attack. Duplicate payments were made, resulting in overdraft fees, and some payments weren’t made at all. Dissatisfied customers used social media to voice their frustrations with the company almost instantly. Moreover, because call centers weren’t prepared with a script or knowledge of how to respond to customer concerns, customers’ inquiries were left unanswered. The organization had to do some repair: reimbursing payments and erroneous charges, letters (stamp costs) to customers, increased control and security put on their firewalls and servers, and a public apology. The immediate financial impact wasn’t that significant. However, the reputation impact and lost revenue from existing and potential future customers was calculated in the hundreds of thousands.

The aggregating linkage of risk also produces similar effects on the management of risk. Controls taken by one part of the organization may benefit other areas as well. This is particularly true with cyber risk, where a single control investment will benefit multiple businesses. For example, there are a plethora of vendors offering scanning capabilities for cyber threats. These vary depending on the threat, where an organization may have multiple subscriptions. GRC technologies offer a way to synthesize these feeds into a single source, apply algorithms to assess their impact, and provide a mechanism for prioritization and action.

Viewing risk across the value chain also brings economies of scope and scale. The one-to-many relationship of risks to corresponding controls yields insight where there may be inefficiencies in management action and/or controls. The prevailing mindset in most organizations is that risk is bad and needs to be controlled. This is exacerbated by the pervasive risk management structure and governance where risk is tackled in silos. This produces layer upon layer of controls to address a risk, which can only be seen when the risk is viewed holistically, from back to front office, systems to processes, to any customers, and potential implications to 3rd parties.

Sustainable execution of risk management is challenging and resource- and capital-intensive if the analysis is done for every risk the organization faces. Leading practice dictates performing the analysis on the critical aspects driving the growth of the organization. We’ve all heard the mantra of “tying risks to objectives.” This still applies, but must be done in the context of the organization’s most salient risks. Deriving the most pertinent risks can be accomplished by evaluating risks against the organization’s key strategies and initiatives. This is an essential part of the assessment process.

Cyber, however, is not always given its due credit in this process, probably because the potentially significant financial and reputation impact is not always transparent, nor is how it can be tied to the organization’s goals. Some risks, like cyber, can get into the mire of the universe of risks that influence objective setting and execution. Vague, broad objectives such as “grow the customer base by x%” or “diversify product offerings” may not necessarily take into account risk topics like cyber where, in our examples, a data breach siphons customer data. Customer distrust and brand erosion may disturb any well laid corporate plan.

It is only when these objectives are codified that the risk discussion can begin. Detailing how the objectives will be met should force a discussion about risk. For example, one manufacturing organization explicitly includes the identification, assessment, and treatment of risk as part of its strategic planning. This helps to raise awareness, spur discussion, and bring consensus about how the organization wants to treat a particular objective-threatening risk so that capital and resources can be properly allocated during budgeting.
Digital Literacy

The common thread through the success of an effective cyber risk management framework is digital literacy. Education is a staple for understanding and addressing cyber risk. This is predominantly a result of the rapid development and use of technology to make things more efficient, effective, and faster. Cybercriminals are constantly looking for ways to exploit this proliferation of software and technology, forcing information technologists and consumers to be conscious of how their actions may be lending themselves to cyber risks.

We have already touched on the need for information security to integrate and become a stronger partner with the business. Educating and training the information security and technology function on business processes enables a more fluid discussion on cyber exposures and the implications on business processes. Plus, educating the business on the types of cyber risks may help in the identification of events. Although there are feeds coming into the organization about exposures, as we’ve seen, there are ancillary signs of concern such as TDoS, segregation of duties for customer verification, etc. Spotting these signs and developing appropriate and timely escalation procedures can result in early mitigation strategies either stopping or reducing the likelihood of financial, data, or reputation loss.

Employees aren’t the only ones who would benefit from training and education. Customers will too. The press has done a good job of publicizing, for example, topics like identity theft, but there is an implicit assumption that consumers have that organizations are well controlled and financial and personal information is highly secure. Organizations can be more proactive by educating their customers on the controls necessary to circumvent cyber risk. One common example of this is two-step verification, where customers provide two pieces of information that secure their identity. This may include requirements for strong passwords as well as text messaging of codes for final authentication. These controls not only benefit the organization, but the customer as well. It adds extra steps in the control structure, and customers need an understanding of why there is a heightened level of control necessary. This is frequently missing.

Education also extends to escalation. Customers, as well as the business, need a clear channel and means for communicating concerns about cyber threats. What are the protocols if a potential cyber risk is identified? Given the pervasiveness of cyber risk, it wouldn’t make sense to wait for the risk management group to perform its risk and control assessment process. The risk may have occurred and damage been inflicted by that time. With a nimble risk management process, the business can engage risk to evaluate cyber exposures in real time. A GRC solution can assist through the monitoring of metrics and tolerance levels. Questions and actions can be self-generated through the solution to evaluate the need and specificity required to address the risk.

Customers also need a means of communicating possible events such as phishing. Creating a medium for customers to contact the organization about concerns should be made simple and easy to do. Once information is shared, the organization needs a means to feed the data back into the GRC and information security systems in order to properly evaluate and, if appropriate, take action against it.

Regulatory Attestations

Complying with laws and regulations has taken center stage in the risk management space in recent years. The expectations from regulators have grown: organizations must be able to articulate that they are in control, that risk management practices are in place, and that they are sustainable. The volume of legislation seems to have two focuses, one on cyber effects (such as data protection) and the other on cyber itself.

For example, the Cybersecurity Act of 2015 in the US promotes and encourages the private sector and the government to rapidly and responsibly exchange cyber threat information.12 Companies, though, struggle with the best intentions of the government and this bill.
Internal general counsel question the process and its outcomes: “What’s going to happen with the information once it’s been shared?” “What if it leaks?” “What if we are accused of lying to someone?” “What will our Board think of our situation?” These are all good and appropriate questions to ask.

A cyber event intensifies these questions when it affects customers. The widespread adoption of social media necessitates that organizations’ risk management practices be highly nimble and flexible to respond to concerns, questions, and complaints.

Conversely, the compulsory side is more pressing. There is a litany of regulations that focus on the integrity of information systems and the protection of company assets. Cyber risk is at the crux of the actions necessary to demonstrate compliance. For example, Regulation Systems Compliance and Integrity (SCI) states that affected entities must establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capabilities.13 Similarly, the PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.14 Cyber-attacks can be at the center of disrupting organizational objectives of meeting these aforementioned regulatory examples and many others.

12 P.L. 114-113; Division N, H.R. 2029, 114th Congress (2015-2015), www.congress.gov/bill/114th-congress/house-bill/2029/text
13 www.sec.gov/spotlight/regulation-sci.shtml
14 www.pcicomplianceguide.org/pci-faqs-2

So how can an organization demonstrate compliance? Regulators want to have confidence that the risk management program is in place, understood by the organization, shows evidence of use, and is something that is sustainable. A GRC technology solution is critical to this success. First and foremost, the GRC technology can provide a link into and help to disseminate the company’s policies and procedures. For example, if a new cyber law or regulation were to come into effect, the GRC solution can help to identify which policies and procedures would be affected and provide the workflow to update and disseminate them to the organization. The technology can provide a central source for the risk management methodology and supporting data. It helps to provide the evidence that the governance model is working and critical facets of organizational expectations are available and up to date.

Enabling Technology

The GRC solution also acts as a foundation for the risk management process. Each part can be supported by the solution, offering the enabling tools to execute the process, store and evaluate the data, and report on it. This not only applies to the risk management process itself, but provides the linkage to the underlying business processes as well by correlating the risk and control data to the value chain. This helps to operationalize the risk management process and make it relevant to the business.

The GRC’s workflow provides a systematic and repeatable way to execute the risk management process. So, for risks like cyber, it provides clear, and repeatable, steps to identify, assess, evaluate, manage, monitor, and report on the risk. Moreover, as we’ve already discussed, the process can be made dynamic and malleable to respond at the speed at which cyber risk occurs.

The technology also acts as a central repository for risk data. This makes it possible to mine the risk data at any given point in time. This is powerful as it provides a wealth of risk data to understand the risk, its past, and to provide the basis to extrapolate potential exposures. Additionally, the audit trail of risk data sets the basis for changes in the risk profile.
Using legacy risk data can demonstrate how prior actions (or inactions) to treat a risk have actually benefited (or detracted from) the organization. Capital expenditures and resource allocations can be evaluated on whether they met their objectives. This puts clear accountability on the first and second line to collectively assure that risks are within tolerance.

Metrics can also be created and monitored in real time through the GRC solution. The establishment of Key Risk Indicators (KRIs), as an example, can be used to monitor whether risk events are approaching or have breached tolerance levels. This can indicate the need for evaluation and analysis of whether to take action and improve the control environment. KRIs can be monitored through creating bespoke dashboards and reporting.

Figure 2: Illustrative CISO Dashboard
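The “approaching or breached tolerance” logic a KRI dashboard applies, written out as an added example (not the whitepaper’s or the BWise platform’s code): each weekly KRI series is scored against its tolerance, given a trend, and extrapolated to an estimated time-to-breach so the dashboard can rank what needs attention first. The KRI names, tolerance levels, warning band, and weekly values are all constructed for illustration.

```python
"""KRI tolerance monitoring for a cyber risk dashboard.

Added example, not code from the whitepaper or from any GRC vendor. A KRI is
scored "within", "approaching" or "breached" against a tolerance set by the
risk committee, given a trend from two adjacent observation windows, and
extrapolated linearly to an estimated weeks-to-breach. Every KRI name,
tolerance, and weekly value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KRI:
    name: str
    tolerance: float               # at or above this level the KRI is breached
    warning_fraction: float = 0.8  # "approaching" band starts at this share of tolerance


def kri_status(kri: KRI, value: float) -> str:
    """Classify one observation against the tolerance and warning band."""
    if value >= kri.tolerance:
        return "breached"
    if value >= kri.warning_fraction * kri.tolerance:
        return "approaching"
    return "within"


def kri_trend(kri: KRI, history: List[float], window: int = 3) -> str:
    """Compare the mean of the last `window` weeks with the window before it.
    Movements smaller than 10% of tolerance are reported as flat."""
    if len(history) < 2 * window:
        return "insufficient data"
    recent = sum(history[-window:]) / window
    previous = sum(history[-2 * window:-window]) / window
    delta = recent - previous
    if abs(delta) <= 0.1 * kri.tolerance:
        return "flat"
    return "rising" if delta > 0 else "falling"


def weeks_to_breach(kri: KRI, history: List[float], window: int = 3) -> Optional[float]:
    """Extrapolate the slope over the last `window` weeks to the tolerance level.
    Returns 0.0 if already breached and None if the series is not rising."""
    latest = history[-1]
    if latest >= kri.tolerance:
        return 0.0
    if len(history) < window:
        return None
    slope = (latest - history[-window]) / (window - 1)
    if slope <= 0:
        return None
    return (kri.tolerance - latest) / slope


def evaluate_kri(kri: KRI, history: List[float]) -> Dict[str, object]:
    """One dashboard row for a KRI and its weekly history."""
    latest = history[-1]
    return {
        "kri": kri.name,
        "latest": latest,
        "status": kri_status(kri, latest),
        "trend": kri_trend(kri, history),
        "weeks_to_breach": weeks_to_breach(kri, history),
    }


def dashboard(kris: List[KRI], histories: Dict[str, List[float]]) -> List[Dict[str, object]]:
    """Evaluate every KRI; breached first, then approaching, soonest-to-breach first."""
    rank = {"breached": 0, "approaching": 1, "within": 2}
    rows = [evaluate_kri(kri, histories[kri.name]) for kri in kris]
    rows.sort(key=lambda row: (rank[row["status"]],
                               float("inf") if row["weeks_to_breach"] is None
                               else row["weeks_to_breach"]))
    return rows


# Constructed sample: three KRIs with six weeks of observations each.
SAMPLE_KRIS = [
    KRI("phishing_reports_per_week", tolerance=30),
    KRI("patch_sla_misses", tolerance=10),
    KRI("failed_logins_per_1000", tolerance=10),
]
SAMPLE_HISTORY = {
    "phishing_reports_per_week": [12, 14, 15, 18, 21, 24],
    "patch_sla_misses": [2, 3, 9, 12, 11, 13],
    "failed_logins_per_1000": [5, 5, 6, 5, 5, 4],
}

if __name__ == "__main__":
    for row in dashboard(SAMPLE_KRIS, SAMPLE_HISTORY):
        print(row)
```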
A highly configurable GRC solution is especially useful in the management of risks like cyber due to the frequency of their occurrence and the flexibility needed to evaluate the exposures. GRC solutions that require a high degree of coding aren’t able to provide the nimbleness of identifying, assessing, and responding to these risks in a timely fashion. Additionally, configurability assists with understanding the risk profile. Creating dashboards (see Figure 2) that are unique to the user’s responsibilities provides snapshots of the risk environment in real time. This enables the quick identification of issues and areas of concern, resulting in prompt responses and mitigating unwanted exposures.

Cyber’s link with processes and people makes it necessary to be included as part of the operational risk profile. Audit, in its independent third line responsibilities, also needs to have a clear understanding of how cyber is managed and controlled throughout the first and second line. Thus, although there is benefit from having a unique information security solution to manage cyber risk, the processes, findings, and data should link across other GRC solutions within the organization. It’s only then that there is clarity and clear linkages on what the organization’s risk profile looks like, and there isn’t disparity in data or outcomes when information is presented to the risk committee, audit committee, and the Board.

Reporting

Reporting requires the organization to be able to disaggregate a risk to its parts. This is particularly true when reporting to executives, risk and audit committees, and the Board because risk is usually a pretty broad topic on the agenda of these discussions; e.g., operational risk, credit risk, etc. Obviously, the organization’s industry and business model dictate the length of risk topic discussions. For financial services, it’s typically credit risk; for technology companies, it’s information; for manufacturers, it’s operations. Regardless, risks tend to be defined in large tranches in order to separate the discussion and the conclusions from analyses. For example, cyber risk is generally categorized under “systems” risk within operational risk (e.g., using the Basel definition that defines operational risk as the risk of loss from inadequate or failed internal processes, people, systems, or from external events). However, as we’ve seen, cyber can also extend to other operational risk categories including the actions (or inactions) of people, failed internal processes, or external events (such as vendor or 3rd party dependencies). As a result, it’s important to articulate and provide a pithy explanation of how cyber is interrelated with other risks in order to provide a true reflection of the actual severity. This requires making some judgment calls on the diversification effects of these risks and the benefits of common controls and their effects at reducing severity.

Reports should also have a balance between risk metrics, data, analysis and interpretation, and qualitative interpretations. The balance of qualitative versus quantitative information will vary. More detail and firmer metrics will be borne through lower definitions of the risk. For example, breaches over a period of time can be easily codified, but their overall effects will require some judgment to determine the overall impact.
As a result, expert judgment may need to be used to aid the aggregation process as well as interpreting results. Expert judgment can come from multiple sources. The term “expert” can also be loosely applied. Organizations with mature risk management practices have been known to query not only individuals within the organization, but also customers, vendors, and external audit to help inform conclusions on a risk’s impact. It’s important to note that judgment should not replace data, but should complement it. Risk functions need to ensure that when expert judgment is applied, the process is clearly documented and transparent to bring clarity and consistency to the process.

Besides providing a perspective of the past, reports should also try to be predictive. Organizations need to develop forward-looking assertions. This includes risk topics and measures that may signal early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite. These subjects should be both within the organization’s experience as well as those it hasn’t experienced. Lessons from other industries, competitors, or from different geographies and markets can be powerful learning tools.

Scenario development is a technique that may be used to extrapolate a risk’s effect on the organization. Scenarios are used to try and predict how certain future risk events may impact the organization, including evaluating the existing management and control environment as well as evaluating capital expenditures to increase (or decrease) the company’s assets. These scenarios are increasingly challenging to develop within the context of cyber. Involving information technology is essential to developing a robust scenario because of the breadth of information technology both within and outside the company.

Reporting should also provide results and conclusions on stress testing, which provides support to forward-looking exposures. Stress testing applies to both existing and future risks, taking into account assumptions on the risk’s variables. Examples include breaches in systems, increases in volume, basis point jumps in interest rates, a shrinking or growing customer base, or temporary or permanent loss of a significant supplier. The variability of the risk’s severity should be a topic for discussion to determine the efficacy of the stress test and whether additional action or control may be necessary.

The culmination of this information can be overwhelming, as evidence for the conclusions typically results in a binder full of data. Executives and Boards alike expect a synopsis on the organization’s top 3 to 5 risks, including impacts on the business and profitability. Actions to treat the exposure need to be clear, with accountable owners and demonstrable benefits. Findings and conclusions on significant risks, such as cyber, should include specific time on the agenda from the individual most knowledgeable on the subject, like the CISO. Only then can credibility be lent to the specificity provided to answer any detailed queries.

Having a management information system (MIS) that is geared to risk data and management makes reporting less taxing. A challenge many organizations face is identifying sources of risk data across the organization. Data not only comes from systems and applications (such as SAP, PeopleSoft, Microsoft Excel, Access, Word, SharePoint, etc.), but from disparate conversations from committees, regulator conversations, and audit. External data feeds (e.g., from third parties, social media, news feeds, etc.) also need to be accounted for. As we’ve discussed, cyber threats can be monitored through vendor solutions and provided to the organization. Other items such as regulatory changes can also be identified through external feeds as well. A GRC solution that is geared to handling the data from these mediums makes report production simpler, especially one that can be configured to the organization’s risk management methodology, taxonomy, and process. Producing periodic executive and board reports is an important part of the process, but it also needs to be nimble. Cyber risks occur with great frequency, so having a tool that assists in the evaluation of a risk’s criticality assures that harmful events are actioned sooner rather than later.
The business and risk functions are challenged with centralizing, automating, and making sense of the aggregated view of the structured and unstructured data that is produced by the organization’s systems. Leading organizations have adapted their GRC tools to automatically aggregate this data and put it in both a risk and business context. Limited resources, increased competition, and goals to create turnover have put the impetus on having a technology solution that can produce dashboards and reports in real time that enable the business to understand a risk’s effects on operations, its people, systems, and customers. This assists business management in making informed decisions to prevent unwanted threats, while allowing for the capture of opportunities.

In an environment where technology is diffusing the risk management practices of the organization, having a fluid risk management process supported by a strong GRC technology solution is critical. Risks, such as cyber, are ever evolving and more pervasive than ever. The ability for the organization to identify cyber risk in real time, evaluate its criticality, and take timely action will go a long way to assure that unwanted exposures are dealt with in a timely manner. This will not only provide confidence to executives and the Board, but demonstrate to stakeholders, such as regulators, that there is a robust process in place; one that is responsive, in compliance, and sustainable. GRC technology enables this process by integrating into the organization’s governance model, acting as a central repository for storing and mining risk data, and linking to third party data sources to provide users with an easy way to see and understand the risk and control environment. This powerful enabler provides confidence that cyber exposures are quickly identified, acted upon, and mitigated before manifesting themselves into financial and reputational losses.
About the author: Ladd Muzzy is a principal at Nasdaq BWise. He has over twenty years’ experience in developing, implementing, and coordinating risk management programs. He has held senior corporate (Bank of Montreal, Barclays, Capital One) and consulting leadership risk management positions. Many of his experiences involve evaluating an organization’s risk management philosophies and current practices to move them to leading practice. Ladd can be reached at Ladd.Muzzy@nasdaq.com. To read more from Ladd Muzzy and our other GRC experts, follow us on LinkedIn: https://www.linkedin.com/company/bwise

About Nasdaq BWise: Nasdaq BWise is a global leader in Enterprise Governance, Risk Management and Compliance (GRC) software. Based on a strong heritage in business process management, the BWise® GRC Platform provides companies with highly-rated, proven software solutions for Risk Management, Internal Control, Internal Audit, Compliance & Policy Management, Information Security and Sustainability Performance Management. BWise’s end-to-end solutions support an organization’s ability to understand, track, measure, and manage key organizational risks. Nasdaq BWise helps companies truly be in control by balancing performance with their financial and reputational risks, improving corporate accountability, and increasing financial, strategic and operating efficiencies. Using BWise, organizations are able to efficiently comply with anti-corruption regulations like FCPA and the UK Bribery Act, the Sarbanes-Oxley Act, European Corporate Governance Codes, ISAE 3402/SAS-70, PCI-DSS, Solvency II, Basel II and III, Dodd-Frank, ISO standards, and many more. Nasdaq BWise has sales, service and support offices around the globe to provide for the GRC needs of hundreds of leading companies worldwide. For more information, visit www.bwise.com.