How Thinking Outside Silos Helps Risk Management and Cyber Threat Response
- Cyber Breach
- 3 Mins
The term “risk” gets tossed around constantly in the corporate world. But who is responsible for defining and managing risk? This answer is not black and white, as risk type and appetite will look different for every organization. What should be a universal practice is ensuring that all departments understand the enterprise’s risk types.
Keeping risk conversations and processes within silos can be dangerous and result in noncompliance. This is particularly important with cybersecurity, as threat actors can penetrate any part of the business. With new attack methods emerging and trends changing frequently, all departments must be aware of what cyber risk the organization has assumed and their respective roles in managing such risk. This requires an effort not to silo risk and have everyone work together to achieve compliance with established frameworks and regulatory constraints.
Interplay Between Risk Appetite and Compliance
Risk can come in many different forms such as reputation, cybersecurity, privacy, financial, legal, personnel, and operations. Compliance risk intertwines with all of these categories. For example, failure to protect sensitive consumer information can result in violation of a privacy regulation or lead to a data breach placing liability on the organization. While each team will be the main actors in defining and managing their own risks, a collaborative approach will help organizations maintain a successful and mature risk management program. Each executive has different perspectives that help reach a balance while still advancing business goals.
Risk appetite refers to what risk level the organization is comfortable undertaking. This can vary depending on the type, company culture, and changing business goals. Factors that can influence decisions on cyber risk appetite include, trending attack methods, type of data the organization collects and stores, industry, geographical location, and the C-Suite’s risk tolerance. Even with mature security controls, cyberattacks can happen. When an incident occurs within risk appetite, it is easier to respond as the organization has already accepted it as a possibility and will have incident response protocols in place. This makes it extremely important for the CISO to work with the C-suite and legal to determine the organization’s risk tolerance and communicate this across the enterprise.
Importance of Monitoring Cyber Trends
When it comes to cybersecurity, risk appetite and management efforts can change frequently as new threats emerge. This is an area where breaking the silo mentality is extremely important, as everyone in the enterprise handles data and therefore has responsibility to protect it. Staying on top of new attack methods, competitor compromises, and other cyber data is crucial to receive a real-time view of risk. For example, the Identity Theft Resource Center’s “First Half 2022 Data Breach Analysis” report deemed cyberattacks as the most prevalent threat vector ahead of system errors, human mistakes, physical attacks, and supply chain breaks. The top trending cyberattacks are currently phishing, ransomware, and malware. Keeping up to date with periodic reports and comparing trends from year to year or even quarter to quarter can feed into cybersecurity risk strategy.
Understanding the most prevalent risks is important to detect where vulnerabilities exist and the likelihood a certain threat could materialize for a particular organization. This will influence decisions about cyber risk appetite, incident response plans, and necessary controls. There is no way to guarantee that everyone is operating within the organization’s defined risk tolerance without enhanced transparency and collaboration with other departments, including legal. Periodic assessments and enterprise-wide communication on changing protocols relating to cyber risk is a crucial component of risk management efforts. When preparing such assessments, do not forget to account for compliance requirements as what the organization takes on will need to fall within applicable regulatory, client, and internal obligations. While this can be a lot to process, using risk as a way to talk across the silos will help each unit understand what is tolerated and applicable responsibilities to stay compliant.
When – not if – a cyber incident occurs, compliance with response protocols is not the only thing that comes into play. Other obligations apply relating to breach notification, privacy regulations, privilege, contracts, and more. It is crucial to have processes in place to maintain compliance and mitigate an incident. Everyone needs to receive training and direction on any cyber controls and electronic preferences the organization has decided fit within their comfort level. Risk management gaps generally stem from lack of communication – whether it be the absence of a comprehensive global framework or unbroken silos.
To mitigate risk and ensure everyone is operating within the appropriate risk parameters, look for tools and systems that work across the organization as opposed to one specific unit. This can include software that can automatically detects compliance violations, automated information governance tools, secure data sharing applications, and more. Legal and other key actors should have a seat at the table for discussions with the cyber team to discuss how cyber threats match up with risk tolerance and which tools can create a compliant work environment. This should happen yearly, at minimum, to maintain an effective risk management program.
To learn more about this topic, please listen to our cyberside chats podcast.