Cyber Risk can be defined as any risk from systems or elements of a system that are part of or have a presence in cyber space. Cyber risk can include damage to cyber systems and system elements leading to financial, operational, data, or reputational losses.
IT Risk, on the other hand, includes any threat that may arise from a breach of security, non-compliance, lack of availability, or poor performance of IT resources that can affect the data, processes, and systems of your organization. IT Risk also includes the risk that may arise from the IT systems of an organization.
While the definitions of IT Risk and Cyber Risk may overlap at some places, what’s important is to understand that the risk from a compromised IT and cyber breach extends beyond monetary and data losses and today encompasses risks to productivity, intellectual property, and more—making the managing of IT and Cyber Risk critical to an organization.
Cyber security has increased in complexity: Ransomware, phishing and spear-phishing attacks, bring your own device (BYOD) threats, rapid migration to the cloud, missing security patches, and data breaches due to remote work are just some of the many cyber threats and vulnerabilities that every organization struggles with. Businesses were impacted by 50% more cyber-attack attempts per week in 2021 compared to 2020. This increase in cyber risks has compounded cyber security complexity.
Increased dependence on IT vendors and third-party providers: To meet business goals and gain the much-needed competitive advantage, organizations are increasingly relying on IT vendors and third-party suppliers. This has expedited the threat arising from partnerships, with 60% of cyber attacks coming from third parties according to Third-Party Risk: A Turbulent Outlook Survey Report 2022.
Cyber regulations remain complex and in need of harmonization: In an effort to protect individual data privacy and help organizations strengthen their cyber posture, international and local governments and regulatory bodies have mandated several security standards. Regulations such as the General Data Protection Regulation, the California Consumer Privacy Act, the Cybersecurity Law of the People's Republic of China, and many others, while helping ensure digital privacy, have also created a complex and fragmented regulatory environment for organizations. Conflicting regulations and compounded costs can sometimes result in weakened defenses.
Cyber security expertise and infrastructure deficiency: An acute dearth of cyber security professionals and the necessary infrastructure is another major roadblock to organizations building cyber resilience. The 2022 Global Cybersecurity Outlook survey of cyber leaders by the World Economic Forum found that only 37% have the people and skills they need.
Cyber risk not being treated as a business issue: Several businesses continue to view, and thus treat, cyber risk as an IT issue. Yet, cyber breaches result in business consequences. The average cost of a data breach continues to increase year on year. In 2021, this worked out to 4.24 million U.S. dollars. As long as cyber risk mitigation is treated as an IT issue, it remains a challenge. Cyber risk has to be understood as a business criticality at the asset level.
Absence of a corporate cyber risk program: The lack of a formal corporate risk program continues to be a major challenge to cyber GRC. A 2021 McKinsey survey of 100 organizations across industries found that a mere 10% aimed at reducing cyber risk. Almost 70% tackled cyber security challenges by filling security gaps as and when it was needed.
Lack of real-time visibility into cyber risks: Visibility into cyber risk changes constantly, each time a device or endpoint leaves or joins the network. A 2021 Gartner survey reveals that the use of storage/sharing and real-time mobile messaging tools increased by 80% during the pandemic. Multiple systems, tools, siloed processes, third parties, etc., all contribute to the lack of visibility.
Inability to communicate and measure cyber risk exposure easily: Risks are spread across systems and often measured in vague terms such as high/medium/low that make prioritizing risk mitigation and investments challenging. Additionally, boards and senior leaders want to understand risk exposure in simple, financial terms.
Cyberspace today transcends traditional boundaries. Accelerated digital transformation, the exponential proliferation of digital trends including the shift to remote work during the COVID-19 pandemic, and the increasing dependence on third-party suppliers and IT vendors are a few of the many drivers that have resulted in expanded cyber ecosystems.
A direct consequence is heightened cyber risk, which is now listed as one of the top five risks identified in the World Economic Forum’s Global Risk Report 2022.
The increasing frequency of cyber incidents has proved to be not just costly through the damage caused to IT ecosystems but also disruptive through the paralyzing of critical infrastructure. Cyber attacks also can cause serious reputational damage.
As a result, cyber leaders across the world are seeking to build a stronger cyber-resilience posture, instead of a cyber-defensive posture. They are exploring innovative technologies and integrated strategies to help them anticipate and quickly adapt, if needed, to cyber incidents. A connected cyber governance, risk management, and compliance (GRC) approach becomes invaluable in building the cyber resilience needed.
However, while 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk-management strategies, only 55% of security-focused leaders surveyed agree with the statement, as per the World Economic Forum’s Global Cybersecurity Outlook 2022.
Protect Data: “Data is the new oil.” We have all heard this statement before. Data is the most important asset in the current technology-driven economic system. Having robust frameworks and policies for IT and cyber security protects sensitive data from theft, manipulation, and misuse. For example, many cyber attackers are using zero-day exploits today to compromise organizational data, with recent examples such as the Microsoft Exchange Server data breach of 2021. Zero-day attacks are so called because they exploit vulnerabilities for which no fix yet exists, so they appear without warning, and not ensuring information security in such cases can prove to be very costly.
Ensure Regulatory Compliance: Owing to numerous data breaches in critical sectors such as finance and healthcare, regulatory compliance regarding customer and client data has tightened in recent years. Devising and implementing IT and cyber security policies in alignment with pertinent regulations helps the organization to create a healthy business environment and prevents legal issues due to lapses in compliance. Indeed, for enterprises operating in the Banking and Financial Services sector, ensuring IT security is a basic compliance requirement.
Minimize Business Disruption and Economic Losses: The economic costs of inadequate IT and cyber security coverage are staggering. When direct and indirect financial consequences are examined, organizations lose significant business due to downtime and disruptions caused by IT and cyber breaches. Investing in IT and cyber security is mandatory to ensure business continuity and operations.
Minimize Reputation Losses: Reputation is the holy grail on which businesses thrive. According to a report by Forbes, as many as 46% of organizations were affected in terms of damage to their reputation on account of data breaches. This figure increases when third-party security breaches are also accounted for, highlighting their interconnected nature. Thus, businesses need to consider IT and cyber security in terms of upholding reputation and brand image, and the subsequent effect that this has on their revenues. This intangible component is also the most commonly overlooked aspect of IT security today.
Increase Customer and Client Confidence: Robust IT and cyber security measures build external as well as internal confidence in the organization. Customer and client data protection along with employee data protection builds the ecosystem of data security which the organization can leverage to build its business. Without investing in these areas, organizations stand to lose out not only on existing business, but business survival as a whole may turn into a difficult ordeal.
Regulations and compliance standards are usually industry-specific, such as HIPAA (Health Insurance Portability and Accountability Act) for Healthcare and PCI-DSS (Payment Card Industry Data Security Standard) for BFSI and Retail. Frameworks such as ISO and NIST cover a range of industries and serve as the basis for ensuring IT and cyber security compliance.
ISO 27001: ISO 27001 is part of the International Organization for Standardization (ISO) ISO/IEC 27000 series that deals with standards for information security. ISO 27001 specifically centers around enabling the framework for information security through an Information Security Management System (ISMS). The core of the framework focuses on risk identification, assessment, and treatment through the implementation of security safeguards. For example, it includes physical controls such as using CCTV and alarm systems in the organization.
NIST Cyber Security Framework (CSF): The NIST CSF takes a proactive approach and helps build a strong cyber security posture through its five core functions: identify, protect, detect, respond, and recover. Each of these functions has categories and subcategories as well as informative references. For example, under the “identify” function, Asset Management is a category and the inventory of physical devices and systems within the organization is a subcategory. Further, NIST CSF has four implementation tiers that serve as benchmarks for organizations.
NIST SP 800-53: This NIST framework provides a catalog of standards and guidelines for information systems in the operational, management, and technical domains. These guidelines are multi-tiered, with controls classified into low, moderate, and high according to the risk impact. It also introduces baselines that can act as starting points for organizations to secure their information systems and infrastructure.
SOC 2: SOC 2 is applicable to all technology service providers and highlights the criteria for information security specifically focusing on the safety and privacy of customer data. This framework is based on five trust principles which include security and availability along with processing integrity, confidentiality, and privacy.
HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that aims to provide data privacy for medical information. HIPAA applies to all HIPAA-covered entities, that is, any organization or corporation that directly handles personal health information or personal health records, and to their business associates.
PCI-DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that is mandated by card brands such as Visa and MasterCard and administered by the Payment Card Industry Security Standards Council. It requires businesses that engage in card payments to protect cardholder data and maintain the highest levels of information security.
COBIT: COBIT, or the Control Objectives for Information and Related Technologies, was drafted by ISACA to "research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors." COBIT 2019 is the latest version.
GDPR: The General Data Protection Regulation 2016/679 is a regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It applies to any organization, regardless of its location and the data subjects' citizenship or residence, if it processes the personal information of individuals in the EU and EEA.
The first step towards developing a robust IT and Cyber risk mitigation framework is understanding that the domain itself is ever-changing. Sporadic attacks of the past originating from the Dark Web have now been replaced by structured, state-sponsored attacks with the very specific aim of causing establishments to collapse.
With that context in mind, cybersecurity is a business priority and is no longer in the domain of the IT team alone. Therefore, a strong cybersecurity and information security framework takes into account every individual within the organization, the context of the organization itself, and the landscape of threats and risks surrounding it. Then, it uses this context to suggest cybersecurity best practices in ways that are unobtrusive to business as usual.
Specifically, here are the steps that can be followed to create a robust IT and cybersecurity framework:
1. The Core of the framework defines the organization’s current cybersecurity posture and recommendations for where the organization needs to be. Insights are derived from various internal and external stakeholders to come up with the Core. For example, an organization that works with multiple external vendors exposes itself to a greater risk of data pilferage and must therefore have stronger protocols in place to prevent such incidents from happening.
2. The Implementation Tiers take this process to the execution stage. For example, Tiers help define which assets serve as the organization’s Crown Jewels and must therefore be included in phase one of security coverage. Implementation Tiers also suggest the best practices to be followed on the basis of the organization’s risk appetite.
3. The Profiles within such a framework make up the third and final component of a robust cybersecurity framework. They set the vision for each department’s and function’s stake in cybersecurity, and how they can take the first step towards better coverage. It is often at the Profiles stage that organizations choose to make investments in tools and technology, such as opting for a SOC as a Service (SOCaaS) model, to help them better manage their cybersecurity operations.
Automation can help run information security processes at scale, and free up the time and effort of human analysts in running a 24x7 system. Automation in the context of User Behavior Analytics also adds a layer of impartiality to the process, a common issue with manual-only systems, particularly at scale.
MetricStream CyberGRC products such as IT and Cyber Risk Management and IT and Cyber Compliance Management empower organizations to adopt a focused, business-driven approach to managing and mitigating IT and cyber risks. IT security compliance with set regulatory standards is ensured at all times, including the creation and distribution of reports as appropriate, and helping the Information Security team stay abreast of changing compliance norms.
Cyber risk quantification is another powerful analytical tool that can drive actionable insights into risk exposure. Using powerful algorithms and building on models such as the FAIR® Model, CISOs can view their cyber risk in dollar terms.
MetricStream’s Advanced Cyber Risk Quantification and Simulation uses quantifiable mathematical modeling to help organizations accurately understand, analyze, and address their cybersecurity posture, to enable risk-informed cybersecurity investment and cyber risk management decisions. Organizations can measure, manage, and report cyber risk in monetary value – in actual currency terms. The tool, which is based on MetricStream Intelligence—an advanced analytical and AI engine that enables multiple scoring models and data science tools—allows the creation of multiple types of models and variables, unlike other companies that focus only on the FAIR® risk quantification Model.
While Cyber Risk Quantification isn’t a new practice, it’s receiving more attention these days because of the ability to measure IT and cyber risk exposure in monetary terms. It helps you determine which risks to focus on first, and where to allocate your cyber security resources for maximum impact.
Typically, cyber risk quantification uses industry-accepted standard models such as the FAIR (Factor Analysis of Information Risk) model and sophisticated modeling techniques like Monte Carlo simulations to estimate the value at risk (VaR) or expected loss from risk exposure.
By quantifying the monetary impact of a risk event, you can confidently answer questions like “How much should we invest in cyber security?”, “What will be the return on investment?”, and “Do we have enough cyber insurance coverage?”
Risk quantification can benefit multiple stakeholders. CISOs gain a deeper understanding of risk impact which helps them make data-driven decisions. Boards have more visibility into what’s at stake for the business in terms of dollar value. And executives can effectively prioritize cyber security investments, driving alignment between cyber programs and business goals.
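The Monte Carlo approach described above can be made concrete with a small simulation. The following is an added example, not code from the original article or from MetricStream's product: it models one FAIR-style scenario as a loss-event frequency range (events per year) and a loss-magnitude range (dollars per event, as a 90% confidence interval), simulates many years of losses, and reports the expected annual loss and the value at risk at the 95th and 99th percentiles. It then compares a "before" and "after" scenario to show how a control's loss reduction is weighed against its cost. All scenario inputs are constructed for illustration, not taken from any real assessment.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """One FAIR-style risk scenario, expressed with the calibrated estimates an
    analyst would collect: loss-event frequency as min / most-likely / max
    events per year, and loss magnitude per event as a 90% confidence interval."""
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_low: float   # 5th percentile of dollar loss per event
    lm_high: float  # 95th percentile of dollar loss per event


Z90 = 1.6448536  # z-score bounding a symmetric 90% interval of a normal


def lognormal_params(low, high):
    """Convert a 90% confidence interval on loss magnitude to the (mu, sigma)
    of a lognormal distribution, the usual choice for heavy-tailed loss sizes."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sc, years=20000, seed=1):
    """Simulate total loss for each of `years` independent years.

    Each year draws an event rate from the analyst's triangular frequency
    estimate, draws the number of loss events from a Poisson with that rate,
    and sums a lognormal loss magnitude for every event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sc.lm_low, sc.lm_high)
    losses = []
    for _ in range(years):
        rate = rng.triangular(sc.lef_min, sc.lef_max, sc.lef_mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(values, p):
    """Nearest-rank percentile: the smallest value >= fraction p of the sample."""
    ordered = sorted(values)
    k = max(0, min(len(ordered) - 1, math.ceil(p * len(ordered)) - 1))
    return ordered[k]


def summarize(losses):
    """Expected annual loss plus the tail figures boards usually ask for."""
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median": percentile(losses, 0.5),
        "var_95": percentile(losses, 0.95),
        "var_99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def control_benefit(before, after, annual_control_cost, years=20000, seed=1):
    """Compare the scenario before and after a control and net the reduction in
    expected annual loss against what the control costs per year."""
    b = summarize(simulate_annual_losses(before, years, seed))
    a = summarize(simulate_annual_losses(after, years, seed))
    reduction = b["expected_annual_loss"] - a["expected_annual_loss"]
    return {"before": b, "after": a, "loss_reduction": reduction,
            "net_benefit": reduction - annual_control_cost}


# Constructed, illustrative inputs (hypothetical figures, not a real assessment).
PHISHING_NOW = Scenario("credential phishing, current state", 2, 4, 8, 20_000, 400_000)
PHISHING_MFA = Scenario("credential phishing, with phishing-resistant MFA", 0.2, 0.5, 1.5, 20_000, 400_000)

if __name__ == "__main__":
    result = control_benefit(PHISHING_NOW, PHISHING_MFA, annual_control_cost=150_000)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: EAL ${s['expected_annual_loss']:,.0f}  "
              f"VaR95 ${s['var_95']:,.0f}  VaR99 ${s['var_99']:,.0f}  "
              f"P(loss) {s['prob_any_loss']:.2f}")
    print(f"loss reduction ${result['loss_reduction']:,.0f}, "
          f"net of control cost ${result['net_benefit']:,.0f}")
```

The expected annual loss answers "how much is this risk costing us on average", while VaR95 and VaR99 answer "how bad is a bad year", which is the figure that matters for sizing cyber insurance. Because the same seed drives both scenarios, the before/after comparison isolates the effect of the control rather than simulation noise.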
Continuous control monitoring is another critical automated technique that enables strong cyber and compliance protection. Controls are put in place to safeguard an organization, often from industry frameworks like NIST and COSO. But these controls need to be checked regularly to ensure they’re operating properly. Continuous control monitoring automates this process, validating high-value controls on a constant basis and alerting in case of issues – providing another layer of risk protection.
MetricStream’s CyberGRC enables next-gen organizations to actively manage cyber risk and build cyber resilience. Built on the MetricStream Platform, MetricStream CyberGRC can help CISOs as they take on their new role as business enablers of the organization.
Actively manage cyber risk with:
IT and Cyber Risk Management
IT and Cyber Compliance Management
IT and Cyber Policy Management
IT Vendor and Third-Party Risk Management
Threat and Vulnerability Management
Advanced Cyber Risk Quantification
Building cyber resilience is a continuous process. A connected cyber GRC strategy that leverages next-gen tools and technologies provides the foundation to advance the organization’s cyber resilience.