The benefit of covering all of Asia Pacific (APAC) is that you get to see and experience how things are done broadly within the region. One of the things that has cropped up a few times is the apparent divide between risk and cybersecurity. And this is unfortunate as where I have seen this done well (risk and cybersecurity working together), the level of security maturity and awareness of cybersecurity risks with Boards and Executives seems to be greater.
"For cybersecurity initiatives to be successful in an organization, both risk and cybersecurity must work together"
The obvious question that arises is why risk and cybersecurity should work more closely together. The short and simple answer is so that cybersecurity risks are appropriately understood, documented, prioritized and treated. In practice, risk will usually identify the cybersecurity risks that may impact the organization, and cybersecurity will then work with risk to manage those risks at the controls level.
The overall process though is a little more complex than that. I will try to highlight this within the rest of this paper.
The first thing we have to explore are the roles that both areas play within an organization. These are as follows:
• Risk – the risk division manages all risks that could harm the organization. These include cyber risk and its associated impacts. An effective risk management division will clearly quantify these risks and provide ways to manage them in line with the organization’s risk appetite. The risk appetite should be defined and agreed to by the Board and Executives.
• Cyber Security – the cybersecurity division manages all cybersecurity-related risks for the organization. Its primary function is to understand these risks, and to implement and operate the controls that keep them within appetite, so that the organization is not adversely impacted by a cybersecurity incident.
The above definitions are not meant to fully describe the role of each division, but simply to summarize the core functions. Even at that level, the linkages between the two are obvious.
Based on my experience in the APAC region, where I have seen collaboration between risk and cybersecurity work well, it has entailed the following:
• Risk quantifies and documents the risks that may impact the organization
• Cybersecurity risks are then discussed and agreed to with the cybersecurity division
• The heads of risk and cybersecurity (Chief Risk Officer and Chief Security Officer) then work together to determine a risk treatment plan
• They will then jointly present this to the Board and Executives to:
  • Firstly, educate them on the cybersecurity risks likely to impact the organization, with priorities assigned based on likely impact
  • Outline risk treatment plans for each prioritized risk
  • Present return on investment figures to gain support for the risk treatment plan, which then becomes a cybersecurity program of works to enhance the organization’s security posture and reduce its risk exposure
• Once the program is running, both ‘heads of’ will regularly present to the Board and Executives the progress being made and clearly articulate the reduction in cybersecurity risk
• The overall risk posture and treatment plans are then updated at least every six months in light of new and emerging cyber risks.
Three points need to be made at this juncture:
1. Cybersecurity initiatives should be part of the overall organizational risk management framework, and cybersecurity risks should be prioritized and treated within this framework in the same way as any other organizational risk
2. Any cybersecurity initiative should be aligned to the organization’s risk management goals and justified in monetary terms with respect to risks reduced
3. The Board and Executives should be part of this process, both understanding the need for cybersecurity initiatives and being the ones who approve them. Regular and accurate reporting on this program of works is important in order to ensure the Board and Executives have visibility of the progress being made (security is a journey after all!)
So to summarize, for cybersecurity initiatives to be successful in an organization, both risk and cybersecurity must work together:
• Risk will help determine and quantify the cybersecurity risks that may impact the organization
• Cybersecurity will validate these, help prioritize them, and implement the controls that manage them.