Risks do not operate in a vacuum, and the same situation may affect different organizations in different ways. For example, COVID-19 related lockdowns disrupted work and business across sectors. But while some sectors like tourism, hospitality, manufacturing and retail were devastated, others like ecommerce saw significant growth. Both situations necessitated unique risk and security considerations. Understanding the context, or the setting in which the business operates, will help organizations better comprehend and assess the threats facing them and identify ways to mitigate them. In fact, context can take many forms. It can be directly business related, in terms of whether business goals can be met or not. Or it can be in terms of time – whether the organization can meet targets according to the planned schedule. Context can also be technical, having to do with the criticality and practicality of situations. And it can be related to location or even the risk itself. Consider the sectors and organizations affected by COVID-19. Manufacturing companies may struggle to achieve their production targets. On the other hand, ecommerce companies may find it difficult to manage supply chains effectively to keep up with increased demand. Both sectors need effective strategies to navigate their unique contextual challenges.
An enterprise must begin by understanding itself: its goals, priorities and stakeholders (and their priorities), as well as the larger sector within which it operates. Risk mapping must be done against this backdrop to be comprehensive and effective. It must demonstrate the tangible steps that must be taken to protect an organization or a function from defined risks. It must also project the benefits of taking the security measures as well as the dangers of leaving loopholes open.
Once the context is established, an organization must understand the risk landscape. Risks can be broadly categorized as compliance risks, accidents, threats to security, and environmental or economic factors that can impact the functioning of an organization. Each of these affects different processes and functions and may have limited consequences or far-reaching impact. It is not enough to just identify possible threats. Risk and security management teams must establish the direct correlation between each threat and business outcomes. Managing security threats and risks is easier and more effective when strategies are integrated with the core business and correlated to the value they bring to the business.
This is especially important when one considers the fact that every measure to manage risks is an investment for the organization that must be sanctioned by various stakeholders. For example, investing in resilience and business continuity solutions for critical operations is a sound risk management strategy to minimize the impact of sudden disruptions. But the decision to invest in these solutions or not cannot be made merely on the basis of general recommendations. Organizations must understand how their operations will be affected in the event of an outage if they don’t have a resiliency and continuity solution in place. Impact on revenues, downtime, missed targets and customer relationships must be weighed against the cost of the recommended risk management solution. And this must form the basis for deciding to invest in a solution or not. Not all risks are created equal, and one global compliance and management solution may not be very effective. Risks must be categorized as low impact, medium impact and critical, based on the effect they might have on an organization, and strategies for managing each risk must be decided on the basis of this analysis.
When it comes to security, the impact of breaches is not confined just to loss of critical data. Every data breach has a direct and immediate impact on an organization’s profitability, share values, brand perception and reputation. Globally, the average cost of a data breach is $3.9 million, and in 2019 alone cybercrime cost businesses over USD 2 trillion. The impact on reputation, customer trust and even share value is immeasurable. At the same time, investments in security and data protection solutions are expensive and necessitate due consideration of the relationship between the investment made and the level of risk managed. Solutions that offer the best protection are also usually more expensive. When evaluating potential solutions for tightening controls, organizations must consider other factors such as customer satisfaction and trust, the bearing on share values, brand perception, and even the possibility of blocked business services. Risk quantification models such as Factor Analysis of Information Risk (FAIR™) can help organizations translate data risks into financial risks. FAIR is an international standard quantitative model for information security and operational risk assessment. It helps to understand, analyze, and quantify risk into financial impact and is a comprehensive approach to risk management that takes into account the diverse and deep impact of security breaches and threats.
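To make the two preceding points concrete (weighing a control's cost against the loss it removes, and tiering risks as low, medium or critical), the following is an added worked example of FAIR-style quantification. It is not the FAIR standard's own taxonomy or tooling and is not from the original article: it uses a simplified two-factor decomposition (loss event frequency times loss magnitude), a Monte Carlo simulation to capture the heavy tail of breach costs, and entirely constructed figures (event rates, a $400k median loss, a $60k/year control, tier thresholds) chosen only for illustration.

```python
import math
import random
from statistics import mean

# Added illustration of FAIR-style risk quantification. This is a simplified
# two-factor decomposition (Loss Event Frequency x Loss Magnitude) assumed for
# the example, not the full FAIR taxonomy; every figure below is constructed.


def annualized_loss_expectancy(loss_event_frequency, loss_magnitude):
    """Point estimate: expected events per year times expected loss per event."""
    return loss_event_frequency * loss_magnitude


def classify_impact(annual_loss, medium_threshold, critical_threshold):
    """Bucket a risk into the low / medium / critical tiers the text describes.
    The thresholds are assumed inputs the organization sets for itself."""
    if annual_loss >= critical_threshold:
        return "critical"
    if annual_loss >= medium_threshold:
        return "medium"
    return "low"


def control_is_worthwhile(ale_before, ale_after, annual_control_cost):
    """A control pays for itself when the loss it removes exceeds what it costs."""
    return (ale_before - ale_after) > annual_control_cost


def _poisson(rng, lam):
    """Draw the number of loss events in one year (Knuth's algorithm)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lef, magnitude_median, magnitude_sigma, years=10000, seed=1):
    """Monte Carlo over `years` simulated years: Poisson event count per year,
    lognormal loss per event (heavy right tail, as breach costs tend to have).
    A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    losses = []
    for _ in range(years):
        events = _poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list of annual losses."""
    ordered = sorted(values)
    idx = max(0, math.ceil(pct / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses, tolerance):
    """Mean (the simulated ALE), 90th percentile, and probability that a single
    year's loss exceeds the organization's stated loss tolerance."""
    return {
        "ale": mean(losses),
        "p90": percentile(losses, 90),
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: breach of a customer database.
    # Before controls: 0.5 events/year, median cost $400k per event.
    # A proposed control is assumed to cut frequency to 0.2 events/year at $60k/year.
    before = simulate_annual_losses(0.5, 400_000, 1.0)
    after = simulate_annual_losses(0.2, 400_000, 1.0)
    s_before = summarize(before, 1_000_000)
    s_after = summarize(after, 1_000_000)
    print(f"ALE before: ${s_before['ale']:,.0f}  P90: ${s_before['p90']:,.0f}  "
          f"P(loss > $1M): {s_before['p_exceed_tolerance']:.1%}")
    print(f"ALE after:  ${s_after['ale']:,.0f}  P90: ${s_after['p90']:,.0f}  "
          f"P(loss > $1M): {s_after['p_exceed_tolerance']:.1%}")
    print("tier before control:", classify_impact(s_before["ale"], 100_000, 500_000))
    print("control worthwhile:", control_is_worthwhile(s_before["ale"], s_after["ale"], 60_000))
```

The point of reporting the 90th percentile and the exceedance probability alongside the mean is that a board deciding on a control cares about tail years, not only the average: two risks with the same ALE can differ greatly in how often they produce a loss the business cannot absorb, which is exactly the contextual judgement the text asks for.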
Today, security and risk management are no longer relegated to their respective departments. They hold pride of place in most boardroom discussions as organizations increasingly understand the implications of breaches and disruptions for their business. Organizations must put in place comprehensive data models that link objectives, business units, requirements, risks and personnel. This will make impact mapping and risk assessments more contextual and effective, both for security professionals and for executive management.