Customers, investors, and regulators all want assurance that boards understand the risks their institutions face and are doing their utmost to manage them. But the cyber threat is increasing by the day; all you have to do is pick up a newspaper to see the impact. It is a moving target that can only get worse.
Each new cyber attack victim has a story that makes the need for cyber risk management more urgent. DataSecure strongly recommends that organizations hoping to maintain operational resilience during a disruption implement risk management. Unfortunately, that comes with many unknowns: Which risk management framework should be used? Is risk management expensive? What is the return on investment? We at DataSecure have more than 80 years of senior management experience in IT risk governance and management. DataSecure will guide your organization out of this decision paralysis by introducing the three pillars of an enterprise risk program.
PREREQUISITE: DataSecure will assist you in determining the maturity of your existing risk program
Various capability maturity models measure enterprise risk management, such as the model used by the Risk Management Society (RIMS). Organizations with more mature risk management might adhere to ISO, COSO, NIST, or another standard risk management framework. Less mature programs can still improve C-suite decision making simply by establishing a common lexicon, understanding, and appreciation of risk management. Organizations with very low risk management maturity might not know where to begin. This is where DataSecure comes in, assisting you in understanding your current maturity level and planning the next phase.
The 3 Pillars of Enterprise Cyber Risk Management
A governance structure is the first pillar of any risk management program. It provides an enterprise with a body of experts and decision makers on the potential impacts and actions associated with risk decisions. A general model may include periodic meetings of a C-suite risk committee, informed by mid-level managers in subcommittees. Ideally, the subcommittees should offer risk committee executives options that balance resource demands.
Every organization must know how much risk it can tolerate. A documented risk appetite statement lists categorized risk tolerance ranges that align with the organization's strategic objectives. The risk appetite statement helps the organization execute its strategy with confidence, giving explicit direction on how much risk can be taken.
With adequate risk governance and documented appetite, organizations can begin to weave risk management practices into their culture. Executives must communicate expectations to the organization through their management teams, usually through policy and procedure and potentially as part of a global policy structure.
Foundation for Resilience
The three pillars of robust risk management support an organization's operational resilience, that is, its ability to accomplish its mission during a disruption. Ultimately, organizations must treat risks as having their own life cycles, spanning the full period over which the enterprise pursues its strategic goals. Even if your enterprise navigates the turbulent storm of cyber threats by luck alone, preparing for disruption builds a culture of mission focus. To maintain that focus in the midst of bigger and more frequent cyber attacks, robust risk management and operational resilience are more important than ever.
The Four Pillars of Comprehensive Layered Security
Your first inclination might be to think in terms of technical components. However, providing security services to clients goes well beyond the individual components you choose. Instead, think in terms of “what” you’re trying to do, rather than “how” you’re trying to do it.
For example, instead of thinking about what antivirus to use, consider it within the broader context of your threat detection capabilities. Doing so allows you to systematically build defenses for any business.
DataSecure uses the following four pillars to develop your layered security program:
Your first line of defense involves monitoring both electronic devices and the physical security of corporate offices. This first layer can reveal early warning signs of cyber threats, helping you stop attacks before they get off the ground. In fact, some of the defenses in the other pillars would be impossible without this foundational layer.
This next pillar includes many of the tools and techniques thought of as traditional security mechanisms—antivirus, patch management, web protection and email protection. They are not enough to cover every problem, but they deal with quite a few. Patch management alone would have prevented several major ransomware attacks, such as WannaCry and Petya.
Any defense strategy requires the ability to recover quickly after a disaster. The first two pillars can prevent many attacks, but they are not bulletproof. By having good backup solutions to restore systems quickly, two-factor authentication for account recovery, and strong encryption to prevent unauthorized access to intellectual property, you can provide your clients with a kind of insurance policy against data theft and downtime.
The final layer involves advanced security tactics and active management. Many businesses require a more in-depth approach than the first three pillars can provide. This step involves penetration testing, security information and event management (SIEM) systems, and security operations centers. This pillar provides the highest level of protection for businesses. DataSecure begins with this discovery phase before implementing the practices and technology of the model, as it allows us to assess the security posture and maturity level of each client.