Risk Management and Cybersecurity
Written by Rabih Soueidi, Managing Partner of Sapience Consultancy
Organizations are challenged to find a proper balance between alleviating risk and allocating an adequate investment in risk management. It is always better if managers and IT professionals identify threats before they occur and try to avoid them entirely. Nevertheless, should a threat materialize, managers have to be proactive in controlling the risk before it becomes a serious problem.
Establishing measures that minimize the impact of threats when they occur also helps prevent their recurrence. But trying to avoid or manage all threats at the same time is a costly and difficult task. Therefore, risk management teams need to address the risks that lead to high exposure, in other words high expected business loss. According to Stoneburner et al. (2002), “the analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with system environment.” For example, the vulnerability could be that the company’s server is accessed from an unsecured network; the potential threat could be unauthorized users (e.g., hackers) gaining access to the network, which in turn may cause a catastrophic loss of the organization’s valuable data.
Risk management teams have to focus on important assets, assign a likelihood (probability) of occurrence to each specific threat, and rate the magnitude of its impact (high, medium, low). A risk-level matrix (contingency table) with likelihood in the rows and impact in the columns helps in understanding the degree or level of risk to which an asset is exposed when a vulnerability is exploited.
The level of investment in the controls and measures deployed to avoid or mitigate the impact on the business varies with the type of organization; for example, a bank might spend a lot more on policies and security related to data breaches than a digital media agency. It is important to define the risk acceptance levels for each organization, check the funds available, and calculate the IRR (Internal Rate of Return) that management expects on a remediation project (Kouns, J. and Minoli, D., 2010, pp. 262). This will help managers decide whether to avoid, lessen, transfer or ignore a risk entirely.
Managers need to undertake a proper cost-benefit exercise that takes both the quantitative and the qualitative aspects into consideration. They have to answer questions such as what the risk ROI is. If a given risk occurs, the impact on the business will be a combination of the cost of exposure plus the revenue lost while the asset is not available (Dalton, 2017). But looking only at the monetary value is not enough. Let’s say that a risk has a consequence of a $100,000 business loss, and it will cost $60,000 to bring that loss down to $50,000; a manager might conclude that it doesn’t make sense to spend $60,000 to save $50,000. But managers also need to look at other, qualitative consequences such as the company’s reputation. They should consider all critical factors, measure the outcomes against all costs, and only then decide on the cost-benefit trade-off.
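The two preceding steps, rating each asset on a likelihood × impact matrix and then checking whether a control pays for itself, can be run over a small risk register. The code below is an added example, not from the article; the likelihood and impact weights and the resulting high/medium/low scale follow the NIST SP 800-30 risk-level matrix in the Stoneburner et al. (2002) guide cited above, while the register entries and dollar figures are constructed sample data (the first entry reuses the article’s $100,000 / $60,000 / $50,000 case).

```python
"""Risk-level matrix and control cost-benefit for a small risk register.
Added example, not from the article. Likelihood/impact weights and the risk
scale follow the NIST SP 800-30 matrix (Stoneburner et al., 2002) cited above;
register entries and dollar figures are constructed sample data."""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}  # probability weights
IMPACT = {"high": 100, "medium": 50, "low": 10}        # impact magnitudes


def risk_level(likelihood: str, impact: str) -> str:
    """Rate a threat/vulnerability pair on the likelihood x impact matrix."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "high"
    return "medium" if score > 10 else "low"


@dataclass
class RiskItem:
    asset: str
    likelihood: str
    impact: str
    loss_if_occurs: float  # cost of exposure plus revenue lost while the asset is down
    control_cost: float    # cost of the proposed remediation
    residual_loss: float   # loss still expected once the control is in place


def expected_loss(item: RiskItem) -> float:
    """Loss weighted by the matrix likelihood (the expected business loss)."""
    return LIKELIHOOD[item.likelihood] * item.loss_if_occurs


def control_net_benefit(item: RiskItem) -> float:
    """Loss reduction minus control cost; negative means the control does not pay for itself."""
    return (item.loss_if_occurs - item.residual_loss) - item.control_cost


def prioritize(register: list) -> list:
    """Order the register by risk level, then by expected loss, highest first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [(i.asset, risk_level(i.likelihood, i.impact), expected_loss(i)) for i in register]
    return sorted(rows, key=lambda r: (rank[r[1]], -r[2]))


# Constructed register; the first entry reuses the article's $100k / $60k / $50k figures.
REGISTER = [
    RiskItem("customer database", "medium", "high", 100_000, 60_000, 50_000),
    RiskItem("public website", "high", "low", 20_000, 5_000, 2_000),
    RiskItem("core transaction system", "low", "high", 500_000, 80_000, 100_000),
]
```

For the article’s own figures `control_net_benefit` comes out negative (a $50,000 reduction bought for $60,000), which is exactly the point where the qualitative factors such as reputation have to enter the decision.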
As we have become personally, economically and politically dependent on cyberspace, we have increasingly become targets of cyber threats that include theft, cybercrime, and espionage. Cybersecurity is a global issue that is not limited by geographic boundaries; it concerns all industries and threatens governments, the public sector, the private sector and individuals. It covers both malicious cyber-attacks and non-malicious incidents that result from human error; they may be planned or accidental. Cyber-attacks are increasing in number and frequency. Attackers come in different forms and have various motives. Whether a hacker in his basement copying and pasting code to build a virus, malicious insiders who seek to steal data or damage an organization’s IT infrastructure, hacktivists driven by a political or social cause, or more organized groups involved in warfare (Batke, 2011), they are all difficult to identify and apprehend.
Cyber-security within an organization is about maintaining the CIA triad: confidentiality, integrity, and availability. The priority among these three varies, and there is a difference between information technology (IT) and operation technology (OP). For example, in industries such as banking and insurance, IT people are most concerned about protecting customer information, so confidentiality is the top priority. Whereas in areas where operations cannot be disrupted, availability comes first. Good solutions that are available on the IT side might not work on the OP side. For example, firewalls might work very well for IT security but may cause unwanted problems and delays on the OP side.
Cybersecurity is not only a technology problem; it is also a business problem (Campbell, 2017). CEOs and board directors ask about the impact on customer relationships, company image, and reputation. If systems, networks, and devices are vulnerable, the services and operations of the business, and even its customers, are at risk. A cyber security plan has to take all aspects of the business into consideration and focus on the high-value assets and how they should be protected. It is a blend of efforts, and its responsibility and accountability lie with stakeholders across the whole business.
There is guidance from organizations such as the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) (Lebanidze, 2011). An organization can follow the guidelines that fit its environment and the way it operates. Security processes need to be integrated with the organization’s technology to scale resources and automate management, so that the organization is able to remediate threats and attacks automatically and become more productive. Investing in threat intelligence is another aspect an organization can consider, by utilizing its own information and subscribing to third-party threat intelligence.
Dalton, C. (2015) ‘A Guide To Monetizing Risks For Security Spending Decisions’, CSO, 6 April. Available at https://www.csoonline.com/article/2903740/metrics-budgets/a-guide-to-monetizing-risks-for-security-spending-decisions.html.
Lebanidze, E. (2011) Guide to Developing a Cyber Security and Risk Mitigation Plan. Available at https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf.
Stoneburner, G., Goguen, A. and Feringa, A. (2002) ‘Risk Management Guide for Information Technology Systems – Recommendations of the National Institute of Standards and Technology’, National Institute of Standards and Technology.
Batke, K. (2011) ‘7 Types of Cyber Crimes and Criminals’, Faronics Blog, 21 December. Available at http://www.telegraph.co.uk/news/2017/04/04/six-types-cybercriminals-identified-bae/.
Kouns, J. and Minoli, D. (2010) Information Technology Risk Management in Enterprise Environments. 1st ed. Hoboken, N.J.: Wiley.
Campbell, N. (2017) ‘Cyber Security Is A Business Risk, Not Just An IT Problem’, Forbes, 11 October. Available at https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it-problem/#ed09d9278324.