Organizations Are Struggling to Operationalize Their Knowledge of Risk
Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is the last cyber-attack to expose the industry’s inability to find and fix threats that really matter. So what’s holding organizations back from implementing cyber risk management?
Consider these facts… last Friday, the world faced the biggest cyber-attack yet, with more than 300,000 organizations in more than 200 countries falling victim to the WannaCry ransomware. The malware exploited a known vulnerability in the Microsoft Windows SMB Server, for which the vendor had provided a patch on March 14, 2017. Unfortunately, many organizations had not patched or were simply running on operating systems that had reached their end of life (e.g., Windows XP and Windows Server 2000) and do not receive new security updates. While the attack’s impact has been massive, the story behind it is very characteristic of any successful cyber-attack — hackers are exploiting known vulnerabilities and are betting on the fact that organizations don’t know how to fix what really matters.
That’s where cyber risk management comes into play. Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.
However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.
When implementing cyber risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance- to risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed due to the fact that the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well thought out training program is required for current and incoming employees.
Risk Management Perceptions
Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits all approach, but rather the benefits and costs of risk management are dependent on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a cyber risk management implementation will increase the odds that its benefits will be more clearly understood and supported across the organization.
Instead of relying on employees to implement cyber risk management in silo-based fashion using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of an intelligence-driven and platform-based system. Pitfalls to look out for include making sure that the derived risk scores are based on a scientific approach that take a multitude of factors (i.e.., vulnerability risk rating, IP reputation, accessibility, and business criticality) into account rather than singling out for instance just the external risk exposure of an organization. In this context, it is essential to assure proper integrations with internal security intelligence data sources to secure investments into existing IT and security tools and to leverage the data to unify with external threat data and business criticality.
Organizations that address the above-mentioned inhibitors to cyber risk management head-on, can significantly reduce the time it takes to identify their cyber risk exposure, quickly orchestrate remediation, and monitor the results. In case of the WannaCry outbreak, a properly implemented cyber risk management program would have identified the exposure and business criticality of the threat weeks prior to the attack, giving the organization plenty of time to patch systems in a controlled and orderly fashion.