Why your attention should be on cyber-risk, not just cyber-security
Cyber-security is a huge buzz word right now. Businesses are worried about it; people are worried about it; and vendors are trying to sell you cyber-protection solutions. Attending a cyber-security webinar or seminar is also not for the faint of heart…even I, an IT specialist in the CPA profession, often leave those events scared to put any of my personal data anywhere online. Yet in today’s interconnected world, we don’t really have a choice anymore. And that’s why you need to pay attention to cyber-risk management, not just cyber-security.
What’s the difference? Cyber-security draws its roots from information security (InfoSec) and is primarily focused on confidentiality, availability, and data integrity (see Figure 1 - Infosec Triangle, Source: ISACA). Confidentiality and privacy are what people are usually worried about when they think about cyber-risks—whether information they want to keep secret is protected from unauthorized disclosure or a data breach. Ransomware attacks have also brought availability to top of mind—that systems are available when they need to be used. Previously, the Distributed Denial of Service (DDoS) attacks that brought down many websites, and even Amazon and eBay in 2008, were the prime example of an availability threat. And last, but not least, data integrity is focused on ensuring that data is not destroyed, corrupted, or lost, and that it can be recovered if such an adverse event were to occur. Because many of the threats and preventative measures in these areas are technology-based, cyber-security tends to be focused primarily on technical/automated controls, with some attention to the accompanying administrative and monitoring controls.
Cyber-risk management involves a much more comprehensive and holistic approach than cyber-security. Drawing from overall corporate governance and risk management disciplines, cyber-risk management takes a much broader approach and requires a much broader skillset to perform effectively. Figure 2 shows the relationship between IT governance, IT risk management (synonymous with cyber-risk management), and the “IT Department”. We have the IT department in quotes, recognizing that in smaller organizations this is probably an IT service provider rather than a unit internal to the organization.
Figure 2 – IT-related Functions in Perspective (Source: IntrapriseTechKnowlogies LLC, 2017)
As you can see from the diagram, IT governance and IT risk management actually sit outside of the IT Department. This is because, to be performed effectively, these functions require integration with the business strategy, compliance management, and overall organization operations. IT governance is a part of corporate governance and helps to ensure alignment of the IT strategy (which may include cyber-security projects and information security infrastructure) with the overall business strategy.
IT risk management is driven by IT governance and compliance requirements, and it interacts with the IT Department—ensuring that the appropriate controls are built into new systems and that controls are operating effectively in the IT infrastructure. IT risk management is also a part of enterprise risk management (ERM), which looks at an organization’s overall control environment and the interrelation of all elements for good enterprise internal controls. This also ties into an organization’s risk appetite, or how much risk it is willing to undertake to achieve its business objectives, in contrast to information security, which is often focused on minimizing risk. IT risk management also looks not just at technical/automated controls, but also at compensating controls and monitoring controls, and compares all of these to the inherent risk and the impact of possible negative outcomes should the risk materialize.
It is important to include business strategy and IT value (via IT governance) and enterprise risk and compliance (via IT risk management) considerations, because the evaluation of these areas is often unique to each organization and they are often drivers of competitive advantage. Among the objectives of IT governance and IT risk management is to ensure that cyber-security directives and initiatives are in accord with the organization’s overall risk posture, desired return on investment, and position in its industry.
Lastly, IT risk management also looks at the adequacy of incident response from both administrative and technical perspectives. This is particularly important for privacy breaches, where much of the required response is driven by administrative processes (e.g. notification to affected parties, working with authorities, and providing support for those affected) in addition to technical remediation.
The AICPA’s recently published cybersecurity risk management framework affirms this by incorporating both terms into its name, and by stating that its purpose is to enable an organization to “communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs”. Note that it doesn’t say “to ensure the security of IT systems and networks”.
As you can see, it’s important to ensure that you have a comprehensive cyber-risk management function in place, and not just focus on cyber-security measures. Be sure that you are looking beyond just your IT department and cyber-security, and aligning your IT governance and IT risk management with your overall business strategy. The security and resilience of your systems and network are a foundational aspect of continued success, but it's really cyber-risk management that balances cyber-security with driving competitive advantage through innovation and embracing emerging technologies.