As cyber risks evolve with greater frequency and severity, companies are becoming aware that technology-based innovations and initiatives open doors to cyber risks and pose greater governance challenges. From a governance perspective, one of the Risk, Compliance and Governance committee's most important tasks is to verify that management has a clear perspective of how the business could be most seriously impacted, and that management has the appropriate skills, resources and approach in place to minimize the likelihood of a cyber risk incident, together with the ability to manage and mitigate any damage that does occur.
An effective cyber risk governance strategy is one that establishes strategic direction and structures, facilitates effective real-time cyber risk reporting, examines threat exposure, accounts for the company's risk appetite, and addresses the need to be secure, vigilant and resilient.
Once a robust governance strategy has been developed, the next important step is to implement it with continuous monitoring and execution, measuring performance periodically. The key here is to establish appropriate quantitative measures to continuously evaluate the company's security status. This enables monitoring and reporting on cyber risk, and acting promptly on results that fall outside predefined thresholds or the risk appetite. When strategy and execution are out of alignment, it becomes the governance committee's duty to construct a more tightly aligned program. In their oversight role, the committees need to know the right questions to ask and how to monitor the effectiveness of management's plans and responses.
When it comes to execution, two very important factors for gauging the strategy's usefulness are cost effectiveness and the ability to obtain real-time analytics for benchmarking.
Cyber incidents have both hard costs, such as penalties and public relations costs, and soft costs, such as lost customers and reputational damage, all of which need to be weighed. An understanding of the potential financial impact of an attack can help calibrate the organization's level of investment. Boards can implement steps to understand, measure and, if needed, rearrange management's rationale for investing and allocating resources to monitor cyber risk, guard against it, and expedite response and recovery. Among the questions boards can ask are: How will spending allow the organization to see and anticipate threats, and to quickly recognize when an attack has occurred? Is cyber insurance appropriate, and if so, what type and level of coverage are needed, and at what cost?
Analytics and Benchmarking
Risk Committees can rely on useful metrics and analytics to gauge whether the organization is managing cyber risk at an acceptable level. Management can work with directors to develop a dashboard to identify the parts of the business with the greatest and least amounts of cyber exposure and the initiatives in place to mitigate risks. Boards can also ask management about its use of risk-sensing tools. A recent global survey of C-level executives conducted on behalf of Deloitte Touche Tohmatsu Ltd. found that while many organizations have risk-sensing capabilities, they often overlook key elements and lack technical depth.
To summarize, while strategy is the first and vital step for cyber risk governance, a methodology for continuous execution and monitoring is what becomes the game changer. Agile, Mobile & Secure are the buzzwords for success in 2019, and to help you achieve that, let's collaborate in 2019 and transform your governance processes for the best.
Visit our informative and insightful webcast on effective cyber risk governance.
Wishing our audience a very Happy Holiday Season 2018!
Visit our AppExchange listing for more details on our innovative product suite.