The benefit of covering all of Asia Pacific (APAC) is that you get to see and experience how things are done broadly within the region. One of the things that has cropped up a few times is the apparent divide between risk and cyber security. And this is unfortunate as where I have seen this done well (risk and cyber security working together), the level of security maturity and awareness of cyber security risks with Boards and Executives seems to be greater.
The obvious question that arises is why should risk and cyber security work closer? The short and simple answer is so that cyber security risks are appropriately understood, documented, prioritised and treated. How this happens is that risk will usually determine the cyber security risks that may impact an organisation. Cyber security will then work with risk to help manage these risks at a controls level.
The overall process though, is a little more complex than that. I will try to highlight this within the rest of this paper.
- Risk – the risk division manages all risks for the organisation that may impact it in a detrimental manner. These will include cyber risk and its associated impacts. An effective risk management division will clearly quantify these risks and provide ways to manage these risks according to the organisation’s risk appetite. The risk appetite should be defined and agreed to by the Board and Executives
- Cyber Security – the function of the cyber security division should be to manage all cyber security related risks for the organisation. The primary function should be understanding these risks, and implementing and managing controls to manage these risks so that the organisation is not adversely impacted by a cyber security incident.
The above definitions are not meant to fully define the role of each division, but simply to summarise the core functions. And even if you just look at that, the linkages become obvious.
Based on my experience in the APAC region, where I have seen the collaboration working well between risk and cyber security entails the following:
- Risk quantifies and documents the risks that may impact the organisation
- Cyber security risks are then discussed and agreed to with the cyber security division
- The heads of risk and cyber security (Chief Risk Officer and Chief Security Officer) then work together to determine a risk treatment plan
- They will then jointly present this to the Board and Executives to:
- Firstly, educate them on the cyber security risks likely to impact the organisation with priorities assigned based on likely impact
- Outline risk treatment plans for each prioritised risk
- Present return on investment figures to the Board and Executives to gain support for the risk treatment plan that then becomes a cyber security program of works to enhance the organisation’s security posture and reduce its risk exposure.
- Once the program is running, both ‘heads of’ will regularly present to the Board and Executives the progress being made and clearly articulate the reduction in cyber security risk
- The overall risk posture and treatment plans are then updated at least six monthly in light of new and emerging cyber risks
Three points need to be at this juncture:
1. Cyber security initiatives should be part of the overall organisational risk management framework and cyber security risks should be prioritised and treated within this framework as any other organisational risk
2. Any cyber security initiative should be aligned to the organisation’s risk management goals and justified in monetary terms with respect to risks reduced
3. The Board and Executives should be a part of this process in terms of understanding the need for cyber security initiatives as well as be the ones that approve these initiatives. Regular and accurate reporting on this program of works is important in order to ensure the Boards and Executives have visibility of progress being made (security is a journey after all!)
- Risk will help determine and quantify the cyber security risks that may impact the organisation
- Cyber security will validate these, help prioritise and implement controls that will help manage these risks.