Our last article presented business leaders with a question not always considered synonymous with cyber risk – how do you successfully assess and measure cyber culture within an organization? Taking this series and our theme of management attention to the next level, we’ll pose another question to business leaders: How do you know if your approach to cyber risk management, and technical cyber risk assessments specifically, is the correct approach? The simple answer is that you need to involve the business and ensure that your technical cyber risk assessments align with your business strategy and objectives. However, the implementation of this practice is not so simple.
Cybersecurity is no longer just technology focused. Security leaders are involving business leaders and their teams to strengthen and enhance the cyber resilience of the organization in an integrated way. Cybersecurity is improving and leveling the playing field with its attackers. Getting the most value for every cybersecurity dollar spent becomes more critical as entities automate, because every new automated process and asset becomes a new potential point of exposure to cyberattack.
To make things even more challenging, most executives lack confidence in the budgeting process. According to a recent study [1] of over 3,000 companies, more than half of business and tech/security executives indicated that they lack confidence that cyber spending is aligned to the most significant risks. They lack confidence that their budget funds remediation; that risk mitigation and/or response techniques will provide the best defense; that budgets provide the resources needed for a severe cyber event; or that the process monitors the cyber program’s effectiveness in comparison to expenditures. Cyber budgets could align to overall enterprise or business unit budgets in a strategic, data-driven way, but most executives lack confidence that their current budgeting process does this. They similarly lack confidence that cyber budgets provide proper controls over emerging technologies.
So, it stands to reason that in conducting technical cyber risk assessments, the business wants to make sure that the most critical vulnerabilities are identified and that it is spending its money on mitigating controls that are: 1) aligned in support of its strategy and 2) likely to provide the greatest return for the implemented control. To do this, care must be taken to ensure that technical cyber risk assessments are performed with the right participants and are conducted with an eye toward the strategic objectives of the company. The primary purpose of a cyber risk assessment is to help inform decision-makers and support proper risk responses. It also provides an executive summary to help executives and directors make informed decisions about security.
The most basic reasons to perform a technical cyber risk assessment are:
Technical cyber risk assessments not only help to clarify what vulnerabilities the organization has but also improve the organization’s understanding of its strengths and weaknesses in its ability to recover from any incident with the least impact and disruption to the organization. Cyber risk assessments are integral to information risk management, as well as to an organization’s enterprise risk management strategy.
Cyber risks are usually categorized as zero, low, medium, or high. Categorization factors include: 1) a definition of what the threat is; 2) a determination of the environment’s vulnerability to the threat; and 3) the reputational or financial damage that could result from a network outage or breach.
If the organization has no physical security, there is increased risk of a cyberattack against an operating system that has a known, easily exploitable vulnerability reachable by physical means and that stores high-value information. If the organization has strong IT staff who can identify such vulnerabilities (weaknesses in the control environment, in this case the operating system) and patch or update the operating system to the latest version, the vulnerability is mitigated, even though the information value remains high, because the weakness no longer exists in the patched version of the operating system.
Note that there are very few things with zero risk to a business process or information system. Risk simply means there is some level of uncertainty. If something is guaranteed to happen, it's part of general business operations and not a risk at all.
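The three categorization factors above (an identified threat, the environment's exposure to it, and the potential damage) can be turned into a simple rating function. The following is an added example, not part of the original article or of any Willis Towers Watson methodology; the 0-3 scales, the score thresholds and the operating-system scenario values are assumptions chosen to reproduce the unpatched/patched illustration in the text.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Rating(str, Enum):
    ZERO = "zero"
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat_defined: bool   # factor 1: is a concrete threat to this asset identified?
    exploitability: int    # factor 2: 0 = not exploitable .. 3 = trivially exploitable
    impact: int            # factor 3: 0 = no damage .. 3 = severe reputational/financial damage


def rate(s: Scenario) -> Rating:
    """Map the three factors to the zero/low/medium/high categories used in the text."""
    if not 0 <= s.exploitability <= 3 or not 0 <= s.impact <= 3:
        raise ValueError("exploitability and impact must be on a 0-3 scale")
    # Zero risk only when no threat is defined, nothing is exploitable, or nothing is lost.
    # The article notes this is rare: most assets keep at least a low residual rating.
    if not s.threat_defined or s.exploitability == 0 or s.impact == 0:
        return Rating.ZERO
    score = s.exploitability * s.impact  # assumed scoring model: 1..9
    if score >= 6:
        return Rating.HIGH
    if score >= 3:
        return Rating.MEDIUM
    return Rating.LOW


def os_scenario_before_after() -> tuple[Rating, Rating]:
    """The article's example: an OS with a known flaw, reachable physically, holding high-value data.

    Patching lowers exploitability; the information value (impact) is unchanged, so some
    residual risk remains rather than dropping to zero.
    """
    unpatched = Scenario("file server OS", threat_defined=True, exploitability=3, impact=3)
    # Assumed residual exploitability of 1 after the update (not 0: patches can regress).
    patched = replace(unpatched, exploitability=1)
    return rate(unpatched), rate(patched)


if __name__ == "__main__":
    before, after = os_scenario_before_after()
    print(f"before patching: {before.value}, after patching: {after.value}")
```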
Before assessing and mitigating risks, it is important to understand what data and infrastructure are in place and the value of the data that is being protected.
A good first step is to audit data assets and ask:
Next, define the scope and intent of the assessment. Ensure that the purpose and intended deliverables of the assessment are clearly defined. Follow this 7-step plan to execute the assessment.
If it costs more to protect the asset than it is worth, it may not make sense to implement a mitigating control to protect it. While going through this evaluation, it may be prudent to consider whether the organization could be faced with a reputational impact in addition to a financial impact. There is a fundamental difference between developing the support for the protection of an asset (be it information, a control system, a business process or IP) and evaluating other investment opportunities. The key is to recognize that, in prioritizing risks, the comparison of prevention cost against asset value must be made explicit. Conducting technical cyber risk assessments with a team of business representatives who understand the business, its operations, its communications and its strategy will promote alignment to corporate strategy and enable the objective assessment of assets, threats, vulnerabilities and mitigating controls, ensuring that a return on controls is indeed achieved.
[1] PwC Consulting, 2021. Rethink your cyber budget to get more out of it. Digital Insights. https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights/cyber-budget.html
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.