<img src="https://secure.leadforensics.com/85060.png" style="display:none;">

Understanding and mitigating cyber risk: Where do risk managers start?

the_threat_from_cyber_riskIf you attended or read reports from the RIMS annual conference in Denver in April or the AIRMIC conference in Birmingham, England, a few weeks ago, it won’t come as news to you that risk managers are being exhorted to take greater ownership of cyber risk. I seem to be seeing more and more articles with headlines like “Risk managers urged to play greater role in cyber risk management.”

There seems to be a consensus building that managing cyber risk should no longer be the responsibility solely of information security and information technology teams. The cover story in Risk & Insurance’s April issue, “Cyber: The New CAT,” put this new reality bluntly and prominently, right below the headline: “In every industry and at every company size, cyber risk is a foundation-level exposure that every business must confront—one that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks [emphasis added].”

That was then. This is now.

When I was leading the information security department for Atlanta-based Internet service provider Earthlink (it’s been more than 6 years since I worked there), I met monthly with the risk manager to discuss risks associated with IT systems, processes, policies and procedures. At the time, such regular meetings were something of a novelty, but it made sense because Earthlink is a tech company.

Today, it could be argued, all companies are in practical terms tech companies. That is, technology systems are core to companies of all kinds nowadays. 

According to Kevin Kalinich, global practice leader for cyber risk and network risk with Aon Risk Solutions, “If you take a look at the public companies’ 10-Ks and publicly disclosed statements, what are they emphasizing that’s going to differentiate them from their competitors, increase sales, decrease costs and maximize efficiency? They focus on the use of technology and the use of information assets.”

As a result, cyber risks have grown exponentially across all industries—not just technology, financial and healthcare firms, which for a long time were the primary targets of cyber criminals.

Where to begin?

For the sake of argument, let’s accept the premise that getting more heavily involved with cyber risk should be among the risk manager’s very top priorities. The question remains of how, exactly, a risk manager should approach the task of understanding and then ensuring proper mitigation of those risks. How does she begin to comprehend the enormous scope of cyber risk, let alone begin a workable process of mitigating those risks (while handling all the other risks still on the docket)?

The same risk management principles apply in the cyber realm that hold for approaching any risk. As the Risk & Insurance article concludes:

It starts with engineering out the risk to whatever extent possible…. [It] might be replacing old servers or upgrading any existing automated intrusion detection system. Security experts stress, however, that cyber risk is not an IT exposure, it’s an enterprisewide exposure. Therefore vulnerabilities need to be identified across an entire organization, with policies and procedures modified accordingly.

In practice, few risk managers will begin advising IT teams on replacing servers and the like (nor would the typical risk manager want to do that). However, addressing enterprise-level vulnerabilities and the related policies and procedures is right up the risk manager’s alley. According to Carolyn Williams, technical director at the UK’s Institute of Risk Management:

As cyber risk is seen more and more about people and culture—and not the technology and security kit—risk managers are becoming more involved. You can have all the processes in place but if people do not do as they are supposed to, or if the company culture does not promote appropriate behavior, that is where there is a role for the risk manager.

Complicating matters, however, is the fact that companies of all sizes and varieties are today dependent on third-party, cloud-based business solutions. A great portion of a company's cyber exposure lies outside its own systems; yet, in the coverage of cyber risk I’m reading, there’s not a lot of attention paid to the risks posed by third-party software partners. 

Begin in the cloud

I think the most significant risks and exposures of the typical organization’s cyber risk are with third-party providers. Think about it: as a risk manager, in the vast majority of cases, it’s simply impossible to know what a third party’s policies, procedures and controls are with regard to data access and security. That’s why I’d advise risk managers to begin their immersion in cyber risk with an in-depth analysis of the critical business systems that have been outsourced to third parties—and prioritize the solutions that host or process sensitive and/or regulated data first.

At many companies, employees across the organization are using cloud solutions that require only an end-user license agreement and not a traditional business contract. IT, IS and risk management teams may have no knowledge of the range of third-party, cloud-based solutions in use across the orgianzation. By extension, there’s no knowledge of where the data is located and who has access to it (meaning not only what individuals but what and how many companies have access to it).

In my next post, I’ll write more in depth about how to evaluate your organization’s dependence on third-party cloud partners and how to better understand and identify the risks associated with using outside software. The accreditations and certifications that those partners have is a big part of the puzzle; this post from March gets into that topic in detail and should tide you over until my next post.

David Black is chief information security officer with Aon eSolutions. Contact David at david.black@aon.com

 

RMIS Guide

Jun 27, 2014

 | Originally posted on 

Subscribe by Email

No Comments Yet

Let us know what you think