There is Nothing Linear About Cyber Security
Each organization is unique and at a different place in its digital journey. It is impossible to eradicate cyber risk completely, or the reputational damage that can follow a cyber incident. The risk is pervasive. But resilience is possible for organizations that adopt a circular approach to managing cyber risk, which we term the Cyber Loop.
This approach acknowledges that each organization will start its cyber security journey from one of the four entry points outlined below.
Entry Point: Assessment
During an assessment, large amounts of data and insight are collected and analyzed within the ecosystem of the Cyber Loop.
Critical assets, systems and operations are identified. Policies and procedures are evaluated. User behavior is confirmed. Vulnerabilities are diagnosed and prioritized, cyber security controls are benchmarked against specific threats, and governance and response readiness are assessed. Through an assessment, remediation is verified.
Armed with this insight, leaders can make sound decisions and strategically manage the organization’s cyber risk through a combination of four paths: avoid the risk, mitigate the risk, accept the risk or transfer the risk.
Entry Point: Quantification
Quantification of cyber risk is critical. It uses financial modeling to help companies make smart, data-driven choices on cyber security risk management with the goal of helping safeguard the balance sheet and optimizing total cost of risk.
By quantifying cyber risk, balance sheet impact is more clearly defined, and companies can more deliberately invest in information security, business continuity programs, risk transfer strategies and cyber insurance.
Should a cyber incident occur, having a quantifiable model demonstrates to key regulators and stakeholders that a thoughtful approach was undertaken, and reasonable efforts were made to protect stakeholders: financial, customers, community and suppliers.
Entry Point: Insurance
Cyber risk goes well beyond a data breach. A significant incident can result in business interruption, impact to the supply chain and even physical injury. The climate is becoming increasingly regulated and punitive, yet cyber risk is still underappreciated as an insurable risk.
If approached from a holistic, enterprise view, the cyber insurance and risk transfer process can serve as the bowtie to pull key stakeholders together.
Once engaged in this phase of cyber resilience preparation, companies will find more than one way to transfer and manage quantified cyber risk. Perhaps it does make sense to transfer a portion to the cyber insurance market, but maybe an alternative risk retention, or self-insurance financing strategy, is warranted.
Entry Point: Incident Response Readiness (IR)
Entering the Cyber Loop at incident response readiness (IR) can be proactive, for example developing a response plan and conducting tabletop exercises in preparation for a likely attack; or reactive, when faced with an urgent need to find, contain and mitigate an incident.
For an organization that has been managing cyber risk with a circular strategy, significant value is unlocked during incident response readiness.
Those that have completed assessment work will be familiar with the environment from a network topology standpoint and will know the location and type of critical data. There will be an understanding of policy, procedure and people. Armed with this knowledge, responders can more quickly develop a picture of what is going on and how to shut down the compromise.
Incident response is also bolstered through preparation. Preparation can be the difference between a company that is ravaged by an attack, and one that finds it a disruption.
Evolution Demands Revolution: Realizing the Full Potential of the Cyber Loop
The Cyber Loop calls for companies to actively participate in managing cyber risk in a greater cyber security data ecosystem. Assessment, quantification, insurance and incident response readiness are four distinct yet interconnected entry points for managing the risk.