RSA, The Security Division of EMC, has announced a new framework designed for companies to inventory and prioritise cyber risks. Issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, the framework gives organisations a new way not only to factor cyber risk into their overall risk appetite but to define the level of cyber risk they are willing to accept in the context of their overall business strategy.
As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber risks. Since organisations can’t turn the clock back on globalisation, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their thinking about risk.
The report, entitled “Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise,” concludes that organisations need a systematic process for defining and comprehensively categorising sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.
First, organisations need to redefine the term “cyber risk”. The term extends beyond hacks, meaning planned attacks on information systems. While hacks are an important part of the equation, cyber risk encompasses a wider range of events that can lead to loss or harm related to an organisation’s technical infrastructure or its use of technology.
The paper provides a practical framework for inventorying and categorising cyber risks across two dimensions: the intent behind a risk event and its source.
Cyber risk events could be the result of deliberately malicious attacks, such as a hacker carrying out an attack with the aim of compromising sensitive information. They could also be unintentional, such as user error that makes a system temporarily unavailable.
Risk events may come from sources outside the organisation, such as cybercriminals or supply chain partners, or from sources inside the organisation, such as employees or contractors.
To effectively assess their cyber risk appetite, the report recommends that organisations take a comprehensive inventory of these cyber risks, quantify their potential impact and prioritise them.
Organisations need to ask the right questions, such as which losses would be catastrophic, and which information absolutely cannot fall into the wrong hands or be made public. They then need to prioritise the risks according to impact, ranking mission- and business-critical systems ahead of core infrastructure, the extended ecosystem (supply chain management applications and partner portals) and external, public-facing points of interaction.
Prioritisation needs to be an ongoing process involving constant evaluation and re-evaluation.
The report concludes that an organisation’s ability to quantify cyber risk and make informed decisions about its cyber risk appetite will put it in a position to succeed.
Some costs can be quantified easily: fines, legal fees, lost productivity, and the cost of mitigation, remediation and incident response. Other costs are more difficult to determine, such as diminished brand equity, reduced goodwill and the loss of intellectual property.
Organisations need to develop the ability to demonstrate that the investments they are making align with the risks they face.
Emily Mossburg, partner at Deloitte & Touche LLP and Deloitte Advisory cyber risk services resilient practice leader, comments: “The very fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk.
“Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions.”
David Walter, GM: global GRC at RSA, adds: “Cyber risk is a critical issue in today’s organisations, touching aspects of business risk, regulation and technology.
“To effectively deal with these risks, executive decision-makers need to understand their organisations’ cyber risk appetites – balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions.”