Launching Your Cyber Risk Review
Posted in: Commercial Insurance
Businesses tend to focus most on purchasing the latest technology to protect against cyber threats without fully understanding their organizational exposures. While technology is critical, it should only be a part of a holistic cyber resiliency strategy. A good place for many leaders to begin is to establish a fundamental understanding of cyber risk and how it impacts their organization, and then to seek cybersecurity strategies that address the people, process and technology exposures. Armed with this knowledge, leaders should embrace their role as a cybersecurity champion for the organization.
Once your organization has a fundamental understanding of cyber risk and how it can impact your organization, the next step towards cyber risk resiliency is to establish a cyber risk exposure baseline specific to your organization. I recommend starting with a cyber risk review. The outcome of this review will not be a complete technical risk assessment, but it will help you and your team build a cyber risk profile to improve internal communication and decision making. The steps discussed below can guide you to better understand what needs to be protected as well as identify security gaps and technologies and external experts you may need to engage to develop and implement your cyber risk management strategy.
Follow these eight steps to facilitate meaningful communication within the organization about cyber risk management and kick-start the cyber risk review process.
- Start With Your Mission: Any cyber risk management strategy should be guided by your organization’s mission and purpose. This helps you elevate cybersecurity to an enterprise risk management function. By starting with your mission, you begin to frame the cybersecurity discussion as a business issue rather than an IT task. Focus on what is most important to your organization so you’re not distracted by trying to defend against every possible threat. In other words, your aim is to protect the data and systems that are essential to achieving your unique mission.
- Understand the Threat Landscape: Next, begin examining the threat landscape from the perspective of your organization. Consider possible vulnerabilities and impacts, and think about other entities you are connected to that might be a target for malicious actors. Consider the threats that organizations similar to yours in your industry have experienced. Be sure to consider any regulatory requirements your organization is required to follow regarding cybersecurity controls and privacy. If you have a cybersecurity team, work with them to identify the most common attacks your organization has experienced, and ask them to help you prioritize the threats and vulnerabilities that are most important for your company to consider. Again, this reinforces the resiliency-based approach — prioritizing activities and investments based on your likely threats that have the biggest impact on your ability to achieve your mission.
- Understand Your Computer Systems and Network: Make sure you have a thorough understanding of your network and the technology you use to conduct operations, including software applications and cloud services. Network maps and data flow diagrams can be useful in the cyber risk management planning process. Be sure you know where sensitive information is saved, and how it is accessed and transmitted. It is also critical to identify, manage, and monitor access to critical systems and data. This process will take time, but it is essential to determine the possible attack surface you need to protect and help ensure you are backing up all mission-critical systems and data.
- Identify and Evaluate Essential Data, Systems, and Services: Identify the data you are required to collect, process and transmit to accomplish organizational goals. Inventory and rank all the applications, software, systems, communication and collaboration platforms you rely on to achieve your mission. This will help you assess the impact and extent of business interruption due to a cyber incident and estimate the costs of a data breach.
- Assign a Value to Your Cyber Risk: This important step will improve communication and decision making by connecting the impact of a potential cybersecurity failure to the financial viability of the business. New tools that help businesses value cyber risk, such as CyVaR, are evolving and can provide a cyber risk value unique to your organization. Another resource to get the conversation started about the value of your cyber risk is a set of simple questions the National Institute of Standards and Technology (NIST) outlines in its Small Business Information Security
- Set a Cybersecurity Goal and Budget: In the context of your mission and industry, determine cybersecurity goals based on likely threats, regulatory and compliance requirements, current vulnerabilities, and other factors that are common to your type of organization. Identify both a technical cybersecurity goal as well as a cyber risk management process goal.
- Technical cybersecurity goals can also be called Cybersecurity Maturity Models, and are based on proven defense strategies that align with an organization’s likely threats, vulnerabilities and possible enterprise impacts.
- Cybersecurity process goals focus on the business and people aspects of cybersecurity and the overall strategic approach to cyber risk management. NIST’s Cybersecurity Framework provides four cybersecurity implementation tiers that define the risk management process for partial, risk-informed, repeatable and adaptive risk management processes.
A good way to plan and measure success is to establish your current cybersecurity baseline, then plot out a realistic implementation timeline to achieve your goals. Begin creating a cybersecurity budget that is separate from your IT and infrastructure budget. This will help raise the awareness and importance of cybersecurity within your organization and help you measure your investment in security.
- Identify Cybersecurity Technology, People and Process Controls: To achieve cybersecurity improvement goals, you need to know what cybersecurity controls you currently have in place. This includes technology controls and cybersecurity policies, as well as training for your technical and non-technical staff. Taking a good look at your current controls helps identify where you might have gaps. Use an industry framework such as the NIST Cybersecurity Framework, the Center for Internet Security Controls or another industry standard reference to guide this process.
- Implement, Measure and Repeat: With this foundation in place, the next step in the process is to work with internal subject matter experts or external cybersecurity consultants and service providers that can help you complete the cyber risk management assessment process and begin implementing strategies to achieve your cybersecurity goals. Implementation should include milestones and other elements that help you measure the effectiveness of your cyber risk management and resiliency efforts. As you implement new strategies, it is important to conduct this type of analysis on a regular basis. This will allow you to continually improve and make sure your activities align with the current cyber threat landscape.
The exact path, strategy, resources and external service providers you use to achieve your cybersecurity goals will vary from one organization to the next, but starting down this recommended path can help organizations take meaningful steps forward.
The final installment of this series will focus on incident response planning and cyber insurance. These are essential components of any cybersecurity strategy, which organizations can begin implementing immediately, no matter where they are in the cyber risk management or enterprise risk resiliency planning process.
If you have questions about how to increase your organization’s cyber resiliency or conduct an effective cyber risk review, contact me at email@example.com.