Digital transformation and risk management
In the age of digital transformation, businesses and organizations around the world and across industries are adopting new technologies to improve efficiency, add value and drive innovation. During COVID-19, organizations worldwide found creative ways to extend their digital services for customers, citizens, and employees.
But this rapid transformation increased the probability of cyber incidents and heightened the level of digital risk to organizations and individuals. It has also led to regulatory changes. The speed at which digital technology took hold left many organizations underprepared to protect their most important assets.
With so much sensitive data, digital transformation brings new kinds of threats which organizations, regardless of size or level of complexity, must manage. Cybersecurity incidents can include:
- Data breach
- Systems being unavailable
- Information integrity compromised
In cases involving fraud or theft, the outcome of a cybersecurity incident can be severe financial losses, extended disruption, or worse. It has been reported that 60% of small businesses go bankrupt within six months of a cyber-attack or data breach.
Asking the right questions to better manage cybersecurity
As companies increasingly rely on information technology for their business operations, protecting digital assets and the information they contain has never been more important. But even with a multitude of international standards and frameworks to help, most organizations struggle to manage their cyber risk effectively. Why?
- The definition of cyber risk is inconsistent, misunderstood and typically uses vague qualitative measures
- Cyber risk management is siloed and inaccessible to the very stakeholders who should be engaged in this governance process
- Organizations lose sight of why they manage cyber risk in the first place
In order to protect their most important digital assets, businesses, organizations, and government agencies must first identify the assets, understand how they support business activities, and determine how to protect them by identifying the threats and impact of a cyber incident. This might sound simple, but many businesses struggle to articulate exactly what it is they’re trying to protect and why it needs protecting.
Further complicating the issue, digital transformation has altered the risk landscape. In a global, interconnected economy, the supply chain now extends to third-party software vendors and service providers. We believe a successful cyber risk management programme that addresses these issues should:
- Measure information technology risk scientifically and in terms that decision-makers easily understand
- Prioritize safeguards or controls that improve resilience, recovery, and containment of financial loss from cyber incidents, rather than focusing only on the technical controls intended to avoid incidents
- Be an ongoing corporate governance activity that includes leadership from all functions, including the board

The leadership imperative in cybersecurity
Although digital transformation took hold almost overnight, governance models have been slow to react. We believe that failing to implement proper cyber risk governance represents negligence by the board and senior management. Globally, many regulators are starting to reach the same conclusion. Soon, most organizations will be obliged to have effective and demonstrable cyber risk management governance.
Solving an enterprise issue of this scale needs leadership support. It involves setting the tone at the top, starting with the board of directors and other business leaders. Cyber risk cannot be left to the CISO and CIO to manage in isolation. It is a business-wide issue where every function must be aware of cyber and technology risk associated with their activities and the choices available to safeguard their digital assets.
To achieve this aim, cyber risk management needs a universal language, so everyone easily understands what’s at stake. Financial measures are this universal language, and the quantification of risk in financial terms will enable a massive shift in the governance of information security. Stakeholders must have confidence in the financial data presented, and for this to happen, quantifying cyber risk in financial terms must be based on a transparent, standards-based methodology. We will discuss open standards and risk quantification in a later section.
What is the difference between qualitative and quantitative risk management?
Qualitative risk analysis is the process of using ordinal rating scales (e.g. 1 to 5, or low to high) to plot risks based on the likelihood of a risk event and the impact of loss to the organization. The interpretation of each ordinal scale can change from person to person. Quantitative risk analysis uses probability distributions and data from the organization, such as cost, time and frequency, to calculate the probability and impact of a risk event. Quantitative methods determine the probable frequency and probable magnitude of a future loss in financial terms.
What is a risk scenario using CRQ methods?
A CRQ risk scenario identifies digital assets in scope, threats to the assets and the impact (loss) in the case of a threat event or cyberattack.
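The following is an added example, not part of the original page and not any vendor's methodology: it shows one way to turn a CRQ scenario (asset, threat, loss) into the quantitative analysis described in the previous section, combining a probable frequency of threat events with a probable magnitude per event via Monte Carlo simulation. All figures (event rate, median loss, spread) are constructed for illustration; the Poisson frequency and log-normal magnitude distributions are modelling assumptions, not something the page prescribes.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One CRQ scenario: the asset in scope, the threat to it, and the loss model
    for a threat event. Parameter values are constructed for illustration."""
    asset: str
    threat: str
    events_per_year: float   # probable frequency: mean events per year (Poisson rate)
    loss_median: float       # probable magnitude: median loss per event, in currency units
    loss_sigma: float        # spread of the log-normal loss distribution (log scale)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: RiskScenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo estimate of annual loss for one scenario.

    Each trial draws how many threat events occur in a year and, for each event,
    an independent loss magnitude; the annual loss is their sum. The summary is
    reported in financial terms so it can be compared across scenarios and
    against the cost of candidate controls.
    """
    rng = random.Random(seed)
    mu = math.log(scenario.loss_median)  # log-normal median equals exp(mu)
    annual = []
    for _ in range(trials):
        n_events = sample_poisson(rng, scenario.events_per_year)
        loss = sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(n_events))
        annual.append(loss)
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "expected_annual_loss": statistics.fmean(annual),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "probability_of_any_loss": sum(1 for x in annual if x > 0) / len(annual),
    }


def analytic_expected_loss(scenario: RiskScenario) -> float:
    """Closed form: frequency times mean single-event loss. For a log-normal with
    median m and spread sigma the mean is m * exp(sigma^2 / 2). Used as a
    sanity check on the simulation."""
    mean_single = scenario.loss_median * math.exp(scenario.loss_sigma ** 2 / 2)
    return scenario.events_per_year * mean_single


if __name__ == "__main__":
    # Constructed scenario with hypothetical figures.
    scenario = RiskScenario(
        asset="customer records database",
        threat="external attacker exfiltrates records",
        events_per_year=0.5,
        loss_median=100_000,
        loss_sigma=1.0,
    )
    result = simulate_annual_loss(scenario)
    print(f"Scenario: {scenario.threat} against {scenario.asset}")
    for name, value in result.items():
        print(f"  {name:>24}: {value:,.2f}")
    print(f"  analytic expected loss: {analytic_expected_loss(scenario):,.2f}")
```

The output is a loss distribution rather than a single number: the expected annual loss supports budgeting, while the p90 and p95 tail figures show decision-makers how bad a plausible year could be, which is the information an ordinal "high" rating cannot convey.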
A Guide to Managing Cybersecurity Risk for the Future
Currently there are no CRQ compliance requirements, although recommendations are being proposed by the US Securities and Exchange Commission and the German Institut der Wirtschaftsprüfer.