Enterprise Cyber Risk Management: In this article we want to share a simple set of questions you can use to assess whether enterprise cyber risk management in your organization is being handled effectively. These questions work even if you do not work in the security function, and we think it is important that employees outside security are able to tell whether a cyber risk is being managed.
Why? Because if the enterprise you are working for is not on top of its cyber risks, then unless you are very close to retirement, you might want to start looking for someplace else to work.
Think about it: How many companies have now gone out of business or had to downsize because they could not keep the technologies they use secure? Where do you think that trend is headed, up or down?
What got us thinking about this was new research on enterprise cyber risk management from ISACA and the CMMI Institute, which brought the heartening news that cyber risk appears to be the number one priority for most enterprises. Yes!
But (you knew the but was coming), when it comes to cyber risk, there is no better analogy for how too many organizations continue to manage the task than this.
Early on in the Owen Wilson/Ben Stiller remake of Starsky & Hutch, they find a dead body washed up on the side of the river. Hutch says that this kind of problem is next to impossible to solve and adds, “All right, let’s say we push it out and hope the current pushes it down to the next precinct.”
One of the innate problems with enterprise cyber risk management is that second word: management. Just as it implies, the objective of enterprise cyber risk management is not necessarily to fix the problem; the objective is to find the most efficient way to manage it.
How Do Enterprise Cyber Risks Get Managed?
If a risk makes it into a formal risk-handling process, it will usually be managed through one or more of the following tactics:
- Preventing the risk from impacting.
- Reducing the potential impact.
- Having a contingency plan.
- Transferring the risk to someone else (for example, by buying insurance) or deferring it to a later date.
- Accepting the risk: letting the impact happen and absorbing the consequences and costs.
In our many years of auditing security at organizations, pushing the risk down to the next precinct was rarely a conscious act of the enterprise cyber risk management function. What we found on many occasions was, instead, people who intentionally chose to keep the risk information buried away from the risk register: "It's too big a risk to put on the risk register..." is something we have actually heard, more than once.
Is it surprising that many cyber risks get buried? After all, if you present an overwhelming wall of risks to any right-minded senior executive without the confidence and clarity to explain how those risks will be managed, they will probably look for a replacement risk manager (not necessarily one who can manage the risks, but at least one who can push them down to the next precinct).
Knowing a risk exists is just one step on the path to enterprise cyber risk management. Understanding how to cope with and mitigate it is the real key to success.
Is Your Enterprise Cyber Risk Management Really Good Enough?
We do not know whether your specific organization is managing cyber risk well, but it is easy for you to work out. Here are some of the most useful questions to ask yourself that will help you make that determination.
- If you became aware of a huge potential risk to an important technology in your organization, (a) would you know how to report it? And (b) would you expect the organization to deal with it effectively? (Or would the organization try to bury or dismiss it?)
Effective enterprise cyber risk management requires establishing and sustaining a culture in which risk information is welcomed as valuable intelligence. If your enterprise treats a risk report as though you had just shot someone's pet, the chances are almost 100 percent that it does not have the resources to manage cyber risk.
How Often Is Your Enterprise Hit With Unforeseen Technology Outages?
This is another easy way of working out whether your enterprise is on the cyber ropes, being pummeled by opportunist attackers. The difficulty here is that each person assumes that his or her own experience of the technology is normal.
For example, if your email goes down every few hours for several weeks during peak work periods, you might think that is acceptable. Let's just say that it is not. Apply simple logic: unexpected interruptions to business operations caused by technical outages are one of the most common symptoms that cyber risks are out of control. Not every outage is an attack, but an organization that cannot keep its systems running reliably is unlikely to be keeping them secure either.
Do You Know Of Any Technology Outages That Your Organization Has Chosen To Hide/Keep Secret?
Across the infosec community, there are many discussions about how organizations should be more transparent about sharing threat intelligence. The problem that rarely gets raised is the enormous elephant in the room: nobody wants to disclose a cyber-attack if it succeeded because his or her organization is riddled with vulnerabilities.
After auditing many organizations, we can tell you that the majority, even the very large ones with huge budgets, are riddled with vulnerabilities. You don't have to take our word for it; just look at the risk survey results and ask yourself this one final question: if enterprise cyber risk management really is such a huge priority, and most organizations think they are doing quite well at it, just what is going wrong?