With the increasing adoption of digital technologies, data security risks are a growing concern. Learn the key strategies to include cybersecurity as part of an overall enterprise risk management plan.
As enterprises go digital, cyberattacks and their financial implications continue to hobble organizations. According to a report by PwC, the average total financial cost of cyber incidents in 2018 was £857,000. Cyberattacks today often have the power to disrupt critical business operations, lower the performance of an organization, and adversely impact brand reputation. Under these circumstances, CxOs and boards are under constant pressure to better understand and manage cybersecurity risks.
The increase in the number of cyberattacks in recent times demands the inclusion of cybersecurity in the overall enterprise risk management plan. Such a plan will enable enterprises to involve relevant stakeholders and business lines in strategic decisions, and help the enterprises respond faster to rapidly evolving cyberattacks. The plan will also ensure that enterprises incorporate cybersecurity policies and practices in the foundation of their overall enterprise risk management strategy.
But how do you incorporate cybersecurity strategies as part of an overall enterprise risk management plan and stay secure?
1. Involve boards and leadership teams
A major challenge in including cybersecurity protocols as part of enterprise risk management is getting the boards and the leadership teams involved in the formulation of a cybersecurity response plan. This lack of involvement can be due to the false perception that a cybersecurity threat is an IT-related risk rather than a business risk. Such a perception can be changed by measuring the potential impact on the revenue of an organization from the reputational loss that follows a cyberattack.
In a recent survey by MetricStream, more than 60% of respondents indicated that their CEOs or boards are either engaged or very engaged in managing GDPR compliance. A strong tone at the top enables enterprises to build trust and confidence around their data protection programs, and foster a culture of security.
2. Maintain a common taxonomy
Maintaining a common taxonomy within an enterprise is key as fragmentation in taxonomies is likely to hinder the process of understanding and responding to an incident. Having a common taxonomy also eases the understanding of multi-country and multi-sector cyberattacks, and improves the effectiveness of an enterprise’s cybersecurity incident response strategy.
One of the main advantages of enterprise risk management is the ability to compare risk across various departments. This is not possible unless all the stakeholders implement the same metrics to measure risk. Developing consistent and common descriptions of probability and impact will enable all relevant stakeholders to be on the same page.
3. Build a risk-resilient strategy
Enterprises are often focused on operational and compliance risks and fail to formulate a strong business resilience strategy. With cyber threats growing more sophisticated, enterprises need to have a robust business continuity and resilience strategy in place as part of the overall enterprise risk management plan. The first step in that direction is to apply a risk-based approach to the data that is stored across the systems in an enterprise, and then determine how they can be affected by a major disruption such as a cyberattack. Accordingly, a business continuity plan (BCP) with a focus on cybersecurity needs to be developed with defined roles and responsibilities along with the key steps for communication and coordination.
4. Formulate an actionable risk intelligence plan
With information scattered across IT landscapes, enterprises often rely on the manual reconciliation of data from various systems, users, and reports. Today, there is a growing demand for applications that combine data from various parts of the business, as well as tools that convert this data into formats such as data visualizations, charts, and reports. Having effective risk management solutions with strong reporting and dashboard capabilities helps capture real-time risk information from different sources and enables data-driven decisions. Such solutions will also enable enterprises to accelerate the exploration and discovery of valuable insights and apply them to achieve a business advantage.
A Five-Point Checklist to Assess Cybersecurity in Your Organization’s Enterprise Risk Management Framework
1. Are cyberattacks considered a top threat in your organization?
2. Is cybersecurity an enterprise-wide risk management issue and not an IT risk within your enterprise?
3. How engaged are your board and CEO in managing cybersecurity risks?
4. Do you evaluate the effectiveness of your business continuity plan in the context of a cyberattack?
5. How is threat intelligence/monitoring incorporated into your enterprise’s security efforts?
Enterprises today face a multitude of internal and external risks ranging from strategic and operational risks to legal risks, IT risks, and financial risks. But according to the Global Risks Report 2018 by the World Economic Forum (WEF), cyberattacks rank among the top three risks in terms of the likelihood of occurring. Therefore, to stay secure, enterprises need to ensure that cybersecurity plans are incorporated as part of their overall enterprise risk management plan.