Technology adoption has become so rapid that businesses struggle to keep their operations secure. The biggest threat experts have identified is not necessarily the technical gaps in your cybersecurity; it has a lot more to do with your workforce. With technology posing a higher risk than ever, what is the role of risk management in mitigating it, and how can risk managers collaborate with CISOs to build a working cybersecurity framework?
There is no point arguing against the importance of cyber risk management. Antoine Bouveret, Economist in the Macro-Financial Unit in the Strategy, Policy & Review Department of the International Monetary Fund, wrote in a working paper that threat levels, vulnerabilities, and consequences of cyber-attacks are all considered high for financial institutions.
The Ponemon Institute and Accenture’s 2019 Cost of Cybercrime Study estimates that the annual cost of cybercrime as a result of an attack rose to US$13 million in 2018, a 12% increase from 2017. The consequences of an attack can include business disruption, information loss, revenue loss, and equipment damage, all of which severely impact a business’ operational resilience.
The human factor in cybersecurity
Technical cyber defence solutions such as antivirus and anti-malware software or network firewalls are an important part of a business’ cybersecurity plan. But to be cyber resilient, organisations must also consider the human factor.
According to the Accenture study, humans are the weakest link in cyber-attacks. Verizon’s latest Data Breach Investigations Report found that 34% of breaches involved internal actors, with breaches caused by system administrators rising over the years.
“System administrators are creeping up, and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors”, the Verizon report says.
“In a virtual ecosystem that increasingly includes Bring Your Own Device (BYOD) and the Internet of Things (IoT), traditional firewalls do not ensure protection, and even well-meaning employees can bring down an organisation as the lines between physical security and cybersecurity become increasingly blurred”, wrote Aileen Alexander and Jamey Cummings, Co-Leaders of Korn Ferry’s Cybersecurity Center of Expertise, in People and Strategy.
However, training and awareness programmes on cyber issues within organisations have been shown to have a positive effect.
“There is some cause for hope in regard to phishing”, the Verizon report says, “as click rates from the combined results of multiple security awareness vendors are going down”.
Phishing simulations are one of the ways information security teams can assess an individual’s and an organisation’s ability to fend off unwanted disruption. Done right, they can even be a useful tool for building your cybersecurity culture.
“We used to measure phishing simulations only by how many people failed”, Brian Byagaba, Senior Manager Information Security at Commercial Bank International, told us. “But we changed that to measure the speed at which someone reports a phishing email to us. That simple change has done a lot of wonders because we can now show staff that we’re measuring and rewarding good behaviour as opposed to punishing bad. Someone will inevitably click on something they shouldn’t, but the sooner we get to know of a malicious email, the sooner we can act.”
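As an added illustration of the metric change Byagaba describes (example code, not from the article or from CBI), the script below scores one constructed phishing-simulation campaign both ways: the old failure rate, and the reporting-centred view of how many people reported, how quickly, and how soon the security team received its first alert. The event records, user names and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimEvent:
    """One recipient's outcome in a phishing simulation (constructed record)."""
    user: str
    sent: datetime
    clicked: Optional[datetime]   # None if the user never clicked the lure
    reported: Optional[datetime]  # None if the user never reported the email


# Constructed sample campaign: five recipients, all emails sent at T0.
T0 = datetime(2024, 3, 4, 9, 0)
EVENTS = [
    SimEvent("alice", T0, None, T0 + timedelta(minutes=3)),
    SimEvent("bob", T0, T0 + timedelta(minutes=8), T0 + timedelta(minutes=9)),
    SimEvent("carol", T0, T0 + timedelta(minutes=20), None),
    SimEvent("dave", T0, None, None),
    SimEvent("erin", T0, None, T0 + timedelta(minutes=45)),
]


def failure_rate(events):
    """The old metric: share of recipients who clicked.
    It says nothing about how fast the defenders learned of the email."""
    return sum(e.clicked is not None for e in events) / len(events)


def report_metrics(events):
    """Reporting-centred metrics: how many reported, how quickly, and the
    delay until the security team got its first alert (its time to act)."""
    delays = [(e.reported - e.sent) / timedelta(minutes=1)
              for e in events if e.reported is not None]
    return {
        "report_rate": len(delays) / len(events),
        "median_minutes_to_report": median(delays) if delays else None,
        "minutes_to_first_report": min(delays) if delays else None,
        # bob clicked and then reported: a click is not the end of the story
        "reported_after_clicking": sum(
            e.clicked is not None and e.reported is not None for e in events),
    }


if __name__ == "__main__":
    print(f"failure rate: {failure_rate(EVENTS):.0%}")
    print(report_metrics(EVENTS))
```

In the sample, two of five recipients clicked, yet the first report arrived three minutes after delivery, which is the number a defender can act on.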
Understanding cybersecurity management
“Cybersecurity is an issue that crosses all organisational silos and boundaries, top to bottom, encompassing people, culture, and risk management and must bridge security, technology, privacy and compliance”, according to Alexander and Cummings.
It seems that enterprises struggle with this though. Byagaba told us: “Before I joined, information security was this ‘black box’ that was not well understood. Very few attempted to consider it, unless it was absolutely necessary. Additionally, there was an opaque shroud on the team, and this seems to have been the case in other banks too, based on the conversations I had with peers.”
In the last 5 years, Chief Information Security Officers (CISOs) have become the centre of cybersecurity management, with various sectors developing different strategies to build enterprises’ cyber defence. Traditionally, CISOs reported to Chief Information Officers (CIOs), but today, experts recognise this practice as a risky one.
“A CISO-CIO reporting relationship could potentially make the enterprise less secure”, said Melissa Hathaway, private sector expert and former cybersecurity “czar” under Presidents George W. Bush and Barack Obama. “The CISO is responsible for keeping the enterprise safe and the CIO is responsible for keeping the enterprise running 24/7, so there can be an inherent conflict.”
Instead, Hathaway recommends that cybersecurity management should involve various C-suites.
McKinsey’s global team even suggests that CROs’ skillsets are key to understanding cyber threats. Alexander and Cummings describe a competent CISO as someone who possesses “the ability to think outside the box, dig deeply into issues, exercise seasoned business judgement, exert influence at the board and C-suite levels, and be a credible business partner”. Many of these characteristics apply to CROs, and with CISOs having a strong technical background, this collaboration could be crucial in successfully managing cybersecurity and in building an organisational cyber culture.
A new risk framework for cyber
But as with many collaborations, the devil is in the detail. According to the McKinsey team, risk management’s 1st / 2nd / 3rd lines-of-defence concept, which was developed to ensure regulatory compliance, is not the most suitable for cyber risk management.
“For cyber risk, the lines-of-defence concept can be seen in the roles of the cybersecurity function as the first line of defence and the risk function as the second. That is, the cybersecurity function, usually as an integral part of IT, initiates the risk-mitigating interventions that protect against, detect, and respond to threats generated in business and IT operations. As the second line of defence, the risk function works with the first line to identify and prioritise cyber risks”, the McKinsey team illustrate, but they also note that “in practice, some blurring of these boundaries occurs”.
CBI’s Byagaba agrees that the lines aren’t as well defined as with other more mature risks. However, in his case, Byagaba’s info sec team is not the 1st line of defence.
“We are at the 1.5 line”, Byagaba said. “But we’re also the 2nd line of defence because we’re independent of the operational business activities and I report functionally to the CRO.”
The 2nd line of defence is the risk function, which defines policies to ensure the organisation stays within its risk appetite. At this point, the info sec team is involved in order to help identify particular risks and challenges. But in its 1st line role, the info sec team liaises with the relevant technical teams within IT to build the systems and procedures that ensure compliance with the risk function’s policies.
“The risk function, in defining the policy, will tell you that when you see a red traffic light you need to stop. But how you stop is up to you”, Byagaba illustrated. “If we were talking about credit risk, for example, this process of deciding how to stop would be relatively simpler. With information security and cyber however this is more complicated; problems don’t have precedents, solutions are often new to market, and all this is happening in an environment where bad actors are actively exploiting these security gaps.”
In Byagaba’s case, the 3rd line of defence role falls onto the internal audit team. But as PwC’s 2019 State of the Internal Audit Profession Study found, internal audit functions lag behind risk management and compliance peers. Byagaba explained that this comes as no surprise, adding that upskilling the 3rd line and exposing them to new approaches and technical solutions is equally important to align and strengthen the risk framework.
Although there is no universal way to manage cyber risks in any industry, a functioning framework is in development. With the right set of skilled people, it is possible to build a strong, resilient cyber culture to include all members of the enterprise – start the ball rolling now!