To overcome cyber hurdles, get holistic
In today's interconnected digital landscape, cyber risk has emerged as a critical concern for organisations of all sizes and sectors. The evolving threat landscape, coupled with the increasing reliance on technology, has made it imperative for organisations to align cyber risk management with wider enterprise risk management. Here, we explore three key aspects that drive successful cyber risk management within a broader risk context.
1. Understand the risk
When it comes to risk management, organisations often grapple with whether to focus on a service-by-service approach or an organisational level perspective. As highlighted in the 2022 CRO Outlook Survey, both service-specific and organisational level perspectives are essential for effective risk management.
It’s crucial to view risks in the context of the wider organisation, its objectives, and the overarching enterprise architecture. This broader view helps to prioritise and allocate budgets effectively, comply with regulations, and identify areas of weakness. Being able to consider cyber risks as part of the aggregated risk perspective is invaluable for senior managers and board members who make strategic decisions and prioritise actions based on identified risks. However, challenges arise when trying to flow risks consistently from service to organisational level. This is especially true in organisations with decentralised management structures. To address this, some regulated industries are moving towards compliance-type models, allowing them to identify risks system-by-system and then aggregate them at various levels, including local business units and parent companies.
Assessing service- or system-specific risks provides a granular understanding of vulnerabilities and threats that might impact individual components of the organisation. For example, a web service might face unique cyber threats, necessitating tailored risk management strategies. By ensuring compliance with internal policies and external risk management frameworks such as ISO 27005, organisations can create and align risk appetite for specific business units. These tailored strategies seamlessly integrate into broader risk management approaches, supporting streamlined processes and comprehensive coverage.
2. Consider the context
Cyber risk plays a significant role in the broader risk landscape, but often faces unique challenges due to its dynamic and evolving nature. While the adoption of common methodologies and definitions is essential, it doesn't always happen seamlessly. The following steps can enable smooth adoption:
Cyber security as a business enabler
In the evolving landscape of digital operations, cybersecurity can serve as a strategic opportunity, driving innovative ways of working and enhancing service delivery. It is imperative to articulate how cyber and digital opportunities specifically contribute to achieving key business objectives, foster growth, and ensure the resilience of critical business functions. This communication should be tailored to resonate with the business's language and tie in with the overarching strategic vision.
Integration with Enterprise Risk Management (ERM)
Cyber risk doesn’t exist in isolation; it’s part of the wider digital transformation and digital delivery of all organisations. The most effective cyber risk management supports business objectives and aligns with the organisation's overall risk management framework. Failing to do so could lead to missed interdependencies with other enterprise risks.
Taxonomy and reporting
Many organisations struggle to integrate cyber risk into existing risk taxonomies and reporting mechanisms. Integration and alignment of terminology and risk reporting practices ensure cyber risks are evaluated in the same context as other risks, such as financial and environmental. Translating cyber risk into its impact on key processes, outputs, investments, and customer delivery can provide a ‘common business currency’ to measure cyber risks alongside other risks.
The right focus
The key to managing cyber risk effectively is to prioritise the right actions, and understand how cyber threats drive business risk. This means aligning cyber security investments with the broader business strategy, as well as specific risk reduction objectives that positively impact business objectives.
3. Take it to the top
Reporting cyber risk at board level enables senior teams to be aware of, and take action on, cyber risks that affect the organisation's ability to deliver. It also highlights the importance of cyber safety, regulatory compliance, and reputation management to the wider organisation.
Articulating risks in business language
Cyber risk reporting is more effective when articulated in business language so that the board can clearly understand how cyber threats could impact the organisation's reputation, availability, confidentiality, integrity, and financial performance. Without this alignment, cyber risk might be viewed as a simple technical issue, and critical opportunities and interdependencies could be overlooked.
Meaningful and actionable decisions
It's important for the board to receive timely and comprehensive information about specific risks and their potential impacts on critical services, so they can make informed decisions and mitigate those risks. The reporting should be concise, focusing on how risks change over time, and how they could impact mission-critical areas.
Digital transformation, supported by good cyber security, is the route to sustainable future business and a huge opportunity. By approaching cyber risk management holistically, at organisation and service level, organisations can treat cyber risk as part of a risk management strategy and provide meaningful and actionable insights to the board. Doing so can help leaders better navigate the complex cyber landscape with greater resilience, ensuring the protection of critical services and assets, and supporting the delivery of wider business objectives. Cyber risk is not just a technical challenge; it's a strategic driver for businesses in the digital age.