As the world becomes more digital and data becomes more valuable, firms face a constant battle against potential cyber threats from adversaries, looking to exploit weakness in cyber defenses to steal information. At the same time, regulators are paying more attention to financial firms’ preparedness for cyber risks and holding them responsible for lapses in security.
As the speed and sophistication of the adversary continues to escalate, ‘defence in depth’ network security programs need to evolve to active defense strategies. Active defensive strategies must incorporate the results of independent assessments by a second line of defence, such as a risk management entity. Across sectors, the three lines of defense model is critical to maintaining adherence to industry standards.
In its simplest form, the three lines include:
- Who owns and manages the risks to the business as well as the controls necessary to mitigate these risks.
- Who monitors the risk types and controls to ensure they are bringing inherent risk to a residual risk level within tolerance for the organization’s appetite.
- Who acts as an independent assurance function to audit both the first and second line to ensure effectiveness of risk and control management.
Creating the Right Framework
With an intelligence-led mindset, an effective cyber risk management strategy can be built. Without a strategy, a common purpose across the three lines of defense is lost. The strategy, at a high level, should incorporate governance, which is centered around implementing a framework with policies and standards. The framework should be flexible to enable an organization to scale its assessment responsibilities depending on the appetite that is set at the top of the house for risk management. Key components of a framework may include:
- Establishing the scope of the program.
- Defining the risk appetite categories.
- Setting forth a target operating model that includes management processes for applying oversight.
- Defining the key assessment tools that will support evaluating how well a business is doing in applying effective controls to reduce inherent risks.
Establishing a Risk Appetite
In order to carry out effective governance of a cyber-risk management program, it is critical to establish a risk appetite. This sets the thresholds against which the organization will measure how well it is performing in managing its cyber risk. Depending on the type of business an organization engages in will dictate what the core technology and cyber risks are, versus the identification of key enterprise-level operational risks that have a technology and/or cyber risk component. By way of example, system availability and data security represent core technology and cyber risks. The application of controls to ensure confidentially, integrity, and availability of systems and data directly influence the reduction of inherent risk to an acceptable residual risk, in line with the organization’s appetite. In contrast, data quality, fraudulent activity, transaction processing, and legal/regulatory risks are fundamentally managed by other operational risk types, but under which technology and cyber events can result in failures. Taking the time to define core technology and cyber risks helps to prioritize areas of focus for a firm to invest its resources.
Defining an Operating Model
Once the core risk appetite categories are established, an operating model can be defined to capture the management processes that will enable a credible challenge of the way an organization manages its risk within its established appetite. There is no one-size-fits-all model in order to allow for the flexibility needed by risk management teams to build according to their resources and scope of their program. In some organizations a risk management component may be made up of several teams, each assigned to review a particular line of business; however in other organizations, risk management may just be a handful of professionals because the nature of the business has a singular focus. Regardless of the size of the risk management function, when it comes to performing cyber-risk identification, a dynamic approach is required. For example, incorporating the viewpoints of risk assessors, emerging technology analysis, and business product manager insights may result in identification of risk in deploying a new product across an organization’s enterprise instead of confining it for a specific application. This enables incorporation of necessary controls before product deployment to ensure systemic risk is appropriately managed.
Assessing and Measuring
Processes for assessing and measuring identified risks should be clearly defined to ensure there is a repeatable methodology with documented evidence to support findings. At a minimum, an organization needs to develop the capability to challenge how its business lines have assessed the risks to its crown jewel assets and the application of controls to reduce those risks. One way to achieve this is through conducting scenario analyses of possible cyber events that could impact internal operations. As resourcing allows, organizations can also benefit from conducting lessons learned for both internal as well as external events. Internal events could be near miss incidents where a business was almost impacted, such as a corporate treasurer receiving a fraudulent instruction to wire millions but did not do so because they detected an error in the instruction. Equally important is conducting lessons learned from events that happen to other firms.
For example, an energy provider lost their ability to power part of a city due to their systems being under a ransomware attack wherein a cyber-actor encrypts the system and demands a ransom to unlock it. Understanding how the energy company was able to roll onto backup servers to work around the affected system, as well as communicate reasons for the power failure and how incident responses were then conducted, can help other companies be better prepared.
Managing, Monitoring, and Reporting
Having set tolerance levels for risk in the firm’s appetite as well as identifying and assessing the cyber risks to critical assets or business processes, organizations should then prepare to manage, monitor, and report on those risks. Establishing a strong governance framework that incorporates policies and standards to guide how the organization manages its technology in alignment with its appetite will set a solid foundation. In order to then monitor how well the policies and standards are being adhered to, a system to review outstanding issues is critical. Understanding the risk acceptances a firm has decided to take and the plans for remediating the accepted risks over a defined period of time holds the business lines accountable for resolving risk that could ultimately introduce catastrophic damage. In monitoring for risk, forward-looking indicators are critical. Indicators are a key tool for understanding if a business is performing within the thresholds defined in a risk appetite statement.
Every organization has dozens of metrics to draw from for measuring performance; however when it comes to measuring risk performance, organizations may find the metrics they track are not actually measuring what matters. Although a bold move, it may be necessary to stop measuring current activity and reassess what measures can capture performance that demonstrate a firm is within its risk appetite. It is essential that results of monitoring are documented in a repeatable report so all key stakeholders understand the areas of vulnerability that must be prioritized and addressed. Reporting is also not a one size fits all format as different audiences need to see different slices of the data in order to understand what actions they can take to close gaps and mitigate risks. For example, a business may be measuring and reporting on the risk of engaging with third parties around the protection of confidential data; however to be compliant with the firm’s low-tolerance level for data breaches as stated in its risk appetite, indicators of data security may need to be customized for fourth-party relationships vendor providers frequently engage.
Driving for change and progress is challenging in any ordinary environment. In today’s cyber environment, with the constant flow of emerging issues, being successful over time is even more complex. Many organizations view cyber as one of their leading risks — often because the drivers and threats are unpredictable and the impacts are challenging to quantify. The focus on this risk often leads to constant asks from senior leadership, clients, and Boards about cyber-related issues plaguing the industry and other fields. This level of interest will not wane — it may dissipate as other issues crop up, but confusion and concern will persist.
Organizations and their leadership can take this interest and leverage it for good by promoting awareness, investing in sound risk management practices, and positioning their cyber function as a differentiator in marketing products or services; however the most challenging effort will be for organizations to contribute to the common good by creating partnerships through shared resourcing efforts in order to share knowledge on cyber threats and risks threatening an industry.
This is article is an excerpt from Managing Cyber Risk with Human Intelligence, a report from Citi GPS.