Cyber Security Risks

The Federation of European Risk Management Associations (FERMA) and our Risk Leadership Initiative partner, Kristine Raffel, share a new report on Cyber Security Risks. Check out the continuing discussion on this mission-critical subject and read the full report.


The FERMA authors address a critical subject for EU organizations facing new regulatory requirements on cyber security. Broadly, the report is a good starting point for any organization beginning to address cyber risk governance. Some of the content reflects existing and well-accepted work, such as the Organisation for Economic Co-operation and Development (OECD) principles and the Three Lines of Defense model. FERMA adds a detailed layout of the roles in a cyber risk governance model.

The report argues that this model can also benefit organizations other than large public companies, where these separate functions already exist. However, smaller or private organizations that lack that level of organizational maturity may need assistance in implementing the model. FERMA provides broad exposure to basic frameworks that can help organizational leaders entering this dialogue.

Highlights and commentary:

Awareness 

We couldn’t agree more with the OECD awareness principles. Basic security awareness programs driven solely by the security team are a thing of the past. In any organization where cyber security is a concern, the security team should be running ongoing phishing testing; those that do not are falling, or will fall, behind the industry. Awareness programs must be driven by, and include participation from, all levels of leadership and all teams. If the CEO is focused on security, the message will resonate and matter to employees far more than if they hear about its importance only from the security team or the CISO.

As an example, Augeo treats this as “Security Engagement” rather than awareness, and encourages organizations to make it part of their existing employee engagement program. Employees disengage if they are required to watch the same security training video every year. The emphasis is on content that is continuous, relevant to the employee’s role or situation, and enjoyable to take part in. Find a way to give your employees a stake in the program through participation, rewards and positive reinforcement when they pay attention to security and take part in training.

Responsibility

The authors’ “main areas to be considered” around responsibility are spot on. Defining process and system owners, gaining visibility into data management, and understanding the organization’s capabilities for basic maintenance and incident management should all be objectives of your cyber governance program.

Co-operation: “It takes a village”

It is crucial to partner with groups outside of IT (e.g. HR, Legal, Sales, Product) and get them to participate, while staying flexible and recognizing that their priorities are not always the same as yours. The quickest path to success is to build strong relationships with your non-technical counterparts in the organization.

Industry sharing associations (e.g. FS-ISAC) are a great way to present a collective front and help each other out. In cyber security we are on the same side, even when we are competitors in business.

Additional thoughts:

Risk assessment is a crucial part of any program. Keep in mind that “a risk is a risk”, whether it is an operational risk, a compliance risk (e.g. the General Data Protection Regulation, or GDPR) or a cyber-attack. They are all risks to the organization that can cause harm, and they do not necessarily need to be addressed with separate processes.

Assessing risk quantitatively, in financial terms, is very important. However, many organizations find it difficult to start, or to execute with any consistency. How do you do it? Where do you start? Future dialogue on this subject could give more attention to how organizations can assess cyber governance risk using quantitative methods based on probabilities, with the results expressed in financial terms. Perhaps that is the next step!
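One concrete way to start is a small Monte Carlo model: give each risk scenario an event frequency (a probability per year) and a distribution of per-event loss, simulate many years, and read off the expected annual loss and the probability of exceeding a given amount. The example below is added here to illustrate that approach; it is not from the FERMA report or its authors, and the scenario name, frequency and loss figures are assumed for illustration only, not real loss data.

```python
"""Monte Carlo cyber-risk quantification: probabilities in, money out.

Added illustration, not part of the FERMA report. Every scenario parameter
below is an assumption constructed for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One cyber-risk scenario expressed quantitatively.

    frequency: expected number of loss events per year (Poisson rate).
    magnitude_median: median loss per event, in currency units.
    magnitude_sigma: log-space spread of the per-event loss (lognormal).
    """
    name: str
    frequency: float
    magnitude_median: float
    magnitude_sigma: float

    @property
    def mean_magnitude(self) -> float:
        # Closed-form lognormal mean: exp(mu + sigma^2 / 2), with mu = ln(median)
        return self.magnitude_median * math.exp(self.magnitude_sigma ** 2 / 2)

    @property
    def analytic_ale(self) -> float:
        # Annualized Loss Expectancy: expected events/year x expected loss/event
        return self.frequency * self.mean_magnitude


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's inverse-transform Poisson sampler; adequate for small rates.
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 20_000, seed: int = 7):
    """Simulate `trials` years and return the total loss in each simulated year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(scenario.magnitude_median)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, scenario.frequency)
        year_loss = sum(
            rng.lognormvariate(mu, scenario.magnitude_sigma) for _ in range(events)
        )
        losses.append(year_loss)
    return losses


def summarize(losses, thresholds=(100_000, 500_000, 1_000_000)):
    """Turn simulated annual losses into figures a board can act on."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "simulated_ale": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        # Loss exceedance: P(annual loss > threshold), the curve insurers price
        "exceedance": {t: sum(1 for x in losses if x > t) / n for t in thresholds},
    }


# Constructed scenario (assumed numbers): a phishing-led business email
# compromise at 0.3 events/year with a median per-event loss of 100k.
BEC = Scenario("Business email compromise", frequency=0.3,
               magnitude_median=100_000, magnitude_sigma=1.0)

if __name__ == "__main__":
    result = summarize(simulate_annual_losses(BEC))
    print(f"Analytic ALE:  {BEC.analytic_ale:,.0f}")
    print(f"Simulated ALE: {result['simulated_ale']:,.0f}")
    for label in ("p50", "p90", "p99"):
        print(f"{label}: {result[label]:,.0f}")
    for threshold, prob in result["exceedance"].items():
        print(f"P(loss > {threshold:,}) = {prob:.1%}")
```

The point of the simulation is the tail, not the average: with a 0.3 events/year rate most simulated years have zero loss, so the median is zero while the 99th percentile and the exceedance probabilities show what a bad year costs. Those are the numbers that let a cyber risk sit in the same register as operational or compliance risk. Replace the assumed parameters with calibrated estimates from incident history, industry data or structured expert judgement before using the output for real decisions.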


Jeff Norem, Augeo, VP of Security and Risk Leadership Advisory Board Member

Dr. Patricia Connolly Stephan, Blanch Fellow and Risk Leadership Advisory Board Chair