The risk-based approach to cybersecurity: As regulators challenge companies on cyber resilience, firms must identify biggest gaps, overlay defenses, overcome human error
Top managers at most companies recognize cyberrisk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyberrisk is being managed in their organizations – but adequately and accurately identifying cyberrisks, threats, defenses, resilience and recovery efforts, and implementing them across systems, people and processes, is easier said than done.
In more advanced regions and sectors, leaders demand, given years of significant cybersecurity investment, that programs also prove their value in risk-reducing terms.
Regulators are challenging the levels of enterprise resilience that companies claim to have attained. And nearly everyone—business executives, regulators, customers, and the general public—agrees that cyberrisk is serious and calls for constant attention.
In short, to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to target.
More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.
To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk is “only” another kind of operational risk.
That is, cyberrisk refers to the potential for business losses of all kinds—financial, reputational, operational, productivity related, and regulatory related—in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.
Furthermore, cyberrisks are not the same as cyberthreats, which are the particular dangers that create the potential for cyberrisk. Threats include privilege escalation, vulnerability exploitation, and phishing.
Cyberthreats exist in the context of enterprise cyberrisk as potential avenues for loss of confidentiality, integrity, and availability of digital assets. By extension, the risk impact of cyberthreats includes fraud, financial crime, data loss, and loss of system availability (via McKinsey).
Monroe’s Musings: McKinsey, not surprisingly given its thought-leadership cachet in so many nuanced corporate and financial risk areas, has been killing it lately with whitepapers in the area of financial crime, with a recent piece touting the virtues of AML, fraud and cyber convergence – interestingly, the very mission on which ACFCS is founded.
This whitepaper on cyber risk is a powerful, precise and polished piece that cuts through the jargon of the cyber attack and defense realms to yield what could be a truly transformative way to more effectively and holistically surveil the full landscape of virtual risks at an institution, and to systematically shore up those vulnerabilities in the real and digital worlds.