Most organizations recognize that cybersecurity risks pose a substantial threat to their business. However, few have prioritized cybersecurity as a business issue and developed a strategy for effectively responding to cyber threats.
These are the findings of a 2019 study of more than 1,300 executives by Microsoft and risk management firm Marsh. Although 62 percent of respondents ranked cybersecurity as a top-five risk management priority, just 30 percent had developed a risk management plan.
Only 37 percent said that business leaders are primarily responsible for cyber risk management, with 70 percent naming the IT department. Three-quarters said that the business interruption associated with a cyber threat would have a significant financial impact, but less than half had estimated their potential financial exposure.
The study points to the need for greater C-suite engagement in cybersecurity and for metrics that quantify cyber risk. A good starting point is a cybersecurity risk assessment that maps cyber threats to business impacts and lays the foundation for a comprehensive threat mitigation plan.
Elements of a Cybersecurity Risk Assessment
When assessing cyber threats, many organizations emphasize tactical tools such as vulnerability assessments, penetration tests and security audits. However, these types of assessments focus on the technical aspects of cybersecurity rather than the potential business impact of a cyberattack.
A cybersecurity risk assessment is a strategic tool that begins by identifying mission-critical IT assets and the operational processes that depend on them. Financial exposure is defined in terms of lost revenue, business disruption, customer churn, tarnished brand image, and legal and regulatory risks. The objective is to align organizational priorities and budgets with the business value of IT assets and the likelihood that a cyber event could affect them.
Without a cyber risk assessment, organizations often waste time, money and resources defending against threats that are unlikely to occur or that won’t have a material impact. Similarly, organizations can underestimate threats that could cause significant damage. When the potential costs of various types of cyberattacks are measured, executive strategists and tactical specialists have a common point of reference for making better decisions.
Putting Cyber Risk in Context
A cyber risk assessment gives important business context to cyber threats and vulnerabilities to ensure that budget and effort are applied to the right areas. It also helps to maximize the value of tactical tools by focusing on the areas of greatest risk.
The National Institute of Standards and Technology (NIST) has developed a nine-step framework for conducting a cyber risk assessment. In addition to documenting IT assets, identifying threats and determining their probability and potential impact, the NIST framework looks for weaknesses in the organization’s IT environment and evaluates how effectively existing controls can detect, prevent or mitigate threats.
Executive management receives a report with recommendations for improving the organization’s security posture based upon a cost-benefit analysis. The report can help guide decisions on budget, operations, policies and procedures, as well as the implementation of security controls.
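As an added illustration of the likelihood-and-impact reasoning the framework describes (example code, not from NIST or from Technologent), the Python below scores a constructed risk register in the page's exposure categories and applies a simple cost-benefit check to a proposed control. The annualized loss expectancy formula, the asset and threat names and all dollar figures are assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass
class Asset:
    """Mission-critical IT asset with its single-incident financial exposure (USD)."""
    name: str
    lost_revenue: float
    business_disruption: float
    customer_churn: float
    brand_damage: float
    legal_regulatory: float

    def exposure(self) -> float:
        return (self.lost_revenue + self.business_disruption + self.customer_churn
                + self.brand_damage + self.legal_regulatory)

@dataclass
class Threat:
    """Threat scenario against one asset: yearly likelihood and current control strength."""
    name: str
    asset: str
    annual_likelihood: float      # probability of at least one incident per year (0..1)
    control_effectiveness: float  # share of the impact existing controls stop (0..1)

def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Expected yearly loss = likelihood x exposure x share not stopped by controls."""
    return threat.annual_likelihood * asset.exposure() * (1 - threat.control_effectiveness)

def rank_risks(assets: list, threats: list) -> list:
    """(threat name, ALE) pairs, highest expected loss first, for the budget discussion."""
    by_name = {a.name: a for a in assets}
    scored = [(t.name, annual_loss_expectancy(by_name[t.asset], t)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def control_net_benefit(asset: Asset, threat: Threat,
                        new_effectiveness: float, annual_cost: float) -> float:
    """Yearly ALE reduction a proposed control buys, minus what the control costs to run."""
    before = annual_loss_expectancy(asset, threat)
    after = annual_loss_expectancy(asset, replace(threat, control_effectiveness=new_effectiveness))
    return before - after - annual_cost

# Constructed sample register; the figures are illustrative, not from any real assessment.
ORDER_DB = Asset("order-processing database", 400_000, 150_000, 100_000, 50_000, 100_000)
WEB_SITE = Asset("marketing website", 20_000, 10_000, 5_000, 30_000, 0)
RANSOMWARE = Threat("ransomware on order database", ORDER_DB.name, 0.25, 0.4)
DATA_THEFT = Threat("phishing leading to customer data theft", ORDER_DB.name, 0.2, 0.5)
DEFACEMENT = Threat("marketing website defacement", WEB_SITE.name, 0.5, 0.2)
ASSETS, THREATS = [ORDER_DB, WEB_SITE], [RANSOMWARE, DATA_THEFT, DEFACEMENT]
```

Calling `rank_risks(ASSETS, THREATS)` orders the register by expected annual loss, and `control_net_benefit(ORDER_DB, RANSOMWARE, 0.8, 30_000)` shows whether a control that lifts ransomware control effectiveness to 0.8 at $30,000 per year pays for itself.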
Cyber risk assessments should be conducted by third-party experts working in cooperation with in-house IT staff. The external perspective provides an objective analysis of the organization’s current security posture and potential risk.
The Technologent team has developed proven assessment methodologies that enable us to identify and measure vulnerabilities and recommend areas of improvement. Give us a call to get started!