Have you skimmed the headlines in your go-to cybersecurity trade publication today? If so, you’ve probably seen numerous articles about the latest threats and vulnerabilities, along with guidance on mitigating them.
Most of the conversations we have about managing organizational risk—whether they appear in our favorite trade newsletters or are a hot topic of debate among our analysts—typically focus on or at least start with a discussion of threats and vulnerabilities.
Understanding and taking steps to guard against threats and reduce vulnerabilities is crucial to a strong cybersecurity posture. Yet these aspects are only one part of a comprehensive risk management strategy. We ultimately care about the business functions our networks enable, not just the computers or massive racks of servers themselves. It's the disruption of those business functions and the corresponding impacts that keep us up at night.
A more holistic approach to risk management is needed to keep our organizations well protected from an increasing array of malicious activity. Effectively managing cyber risks requires us to thoroughly understand the potential impact and consequences of a cyberattack, not only to our networks but to our organization's overall operations and reputation.
Cyber risk can be defined as the "risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems." Assessing risk requires that you look at the likelihood of something happening and the consequences that would result. Likelihood is a function of threat (who or what may be coming at you?) and your vulnerability (what weaknesses could an adversary exploit?). So, a simple equation to determine cyber risk is:
Effective risk management requires you to assess all three (threat, vulnerability, and consequence/impact) and then consider – and document – all the ways you can mitigate each one. If you’re only focused on threats and vulnerabilities, you will neither assess nor mitigate cyber risk effectively. And those consequences and associated mitigation measures will differ for each unique organization.
How to manage cyber risk effectively and build a comprehensive strategy
To get started, consider the threats and vulnerabilities that can impact your organization and what might happen if a system or network is compromised. One way to think about impact is to imagine what would happen if you lost the confidentiality of sensitive data, lost access to that data, or lost the integrity of that data. Another potential outcome is no longer having access to key communications. Beyond your IT infrastructure becoming unavailable, what are the potential impacts if an attack is successful? Which threats or vulnerabilities might result in production downtime, lost revenue, or even a public relations crisis? How will you plan for and handle those challenges?
Unsurprisingly, executives in both public and private sector industries are deeply concerned about the continuity of their operations and the impacts of any disruptions to their business. Fortunately, most understand the impact that cybersecurity has on these potential disruptions. According to a Gartner survey, 88% of boards view cybersecurity as a business risk rather than a technical IT problem.
Documenting all these possible consequences of a cyberattack by conducting a cyber risk assessment is an essential first step in managing your organizational risk. This exercise helps lay the groundwork for developing a broader business continuity plan. While it’s impossible to completely eliminate risks, creating and implementing a business continuity plan aims to mitigate the most significant consequences of a cyber incident. Conducting risk assessments and developing business continuity plans help ensure that a business continues operating, even if in a degraded fashion, in the wake of an incident, and also ensure that everything returns to normal as quickly as possible.
Why cybersecurity is a company-wide issue
While it’s easy to assume that the CISO and the security team are primarily responsible for managing an organization’s cyber risk, the reality is that many organizational functions should be involved in this effort. Just like an electrician can’t possibly know the far-reaching impacts a power outage might have on your business, the CISO and security team cannot be expected to know every possible consequence of a cyber incident.
It is the CEO or business owner’s role to set the appropriate risk tolerance level for the organization. Then the entire organization—including board members, as well as members of the operations, finance, legal, communications, and marketing teams—must work together to assess, prioritize, and decide how to mitigate cyber risks.
Cyber risk management is ongoing, not a "one and done" activity. And even the most comprehensive and well-crafted cybersecurity risk management policies and processes are useless if they aren't adequately socialized and implemented across your organization.
The threat landscape is constantly evolving, and so is your organization. With every change that’s introduced—ranging from adding endpoints to ramping up a new business unit—a potential new risk is also added. As a result, it’s essential to regularly reassess those risks, understand the impacts they might have on your business, and then adjust your plans and policies accordingly. Make sure to communicate your risk management plans and procedures to all those who are involved, as managing organizational risk is everyone’s responsibility.
Learn more about our Public Sector Advisory Council (PSAC) members and how they’re helping Fortinet further guide public sector organizations through their evolving security challenges.