Risk Management in the Cyber Age

Cyber Attacks on the Rise

Challenge

The threat of cyber attacks have grown so rapidly that even the general public is familiar with terms like: cyber-crime, cyber weapons, cyber espionage, cyber warfare and hactivism.

Recent reports have  found that the net loss due to cyber-crime now outweighs the global narcotics trade!  “Today, cyber-crime costs more than $1.0 trillion to society, with billions of dollars being stolen from small, medium and large-sized enterprises, identity of millions of individuals compromised, and several governments across the world have already been targets of cyber-warfare.” [“Cyber Security: A Global Strategic Business Report” by Global Industry Analysts, Inc., 2011]

This exponential growth of cyber threats on IT and critical infrastructure have made organizations more vulnerable than ever.  In today’s  complex IT environment with growing cyber threats, corporate executives are struggling to protect their organizations and mitigate their security risk.

 

Multiple Point Solutions Generate ‘Cyber Big Data’

 

In order to improve their IT and cyber risk management and to achieve compliance, organizations invest in multiple point security solutions, and automated security tools which generate huge amounts of technical findings.

Companies also run expensive and labor-intensive reviews and audits which, in turn, generate even more non-correlated  findings and reports.

Yet despite an increased investment in cyber security, companies find it nearly impossible to consolidate and analyze these massive amounts of data.  In consequence, they lack a complete and easy-to-understand picture of their cyber and IT risks.

“A strong security posture moderates the cost of cyber attacks.” [Ponemon Second Annual Cost of Cyber Crime Study, August 2011] Because risk management investments are spent inefficiently, and lacking a clear security posture, an organization’s critical business activities may be left exposed to cyber attacks.

 

The Traditional Compliance Approach to Cyber Threats Is Not Enough

In order to cope with the cyber challenge, regulators enforce an ever growing set of regulations and standards.

Yes, compliance is an important milestone to help reduce cyber incidents, despite the burden of complying with an  increasing set of  regulations and standards.  Yet even companies who are fully compliant are not immune to the damage of cyber attacks. Recently published cyber incidents at organizations that comply with the most stringent security standards (as certified by the best auditors) demonstrate that compliance on its own does not effectively prevent cyber attacks.

A company can suffer a substantial loss in financial stability and reputation as a result of just one serious cyber incident. The traditional compliance approach does not suffice.

In order to be effective, compliance must be combined with a comprehensive risk-oriented approach and framework. There are no shortcuts. Proactive IT and security  risk management is the best overall strategy for protection from cyber attacks.

 

Business-Driven Cyber Risk Management

“Not-Knowing’ is the greatest risk of all.

In order to better protect their business, executives and management need an all-inclusive picture of their aggregated risk, based on an accurate analysis of the threats, vulnerabilities and detailed findings from multiple sources – yet presented in clear and simple business terms.

Most decision-makers do not understand technical jargon. They need to be able to easily understand how cyber risk can affect their most critical business processes, using business metrics.

Only by understanding the businesss implications of risk, can they prioritize effectively on spending, and oversee a proactive and effective mitigation plan that is prioritized according to the real business needs.

Business-driven cyber security management is crucial for an organization’s good health and its ability to protect itself from cyber attacks.  Cyber risk management is both the foundation, and the glue that holds together an effective cyber security program.