
Cyber Risk Management

The Emergence of Cyber Risk Management

Cyber Risk Management is the next evolution in enterprise technology risk and security for organizations that increasingly rely on digital processes to run their business.

Several trends are leading the development of this new business discipline: 

  • Continued Losses: Organizations are increasingly reliant on digital processes to run their business and despite their security investments, continue to suffer major service failures and liability-related losses due to cyber attacks.
  • Minimum Security: Current security processes and technologies mostly address compliance requirements, which are critical in defining minimum security standards, but are not sufficient to protect organizations from ever-evolving cyber threats. Compliance-focused security also tends to be highly inefficient, which can waste resources and limit the organization's ability to focus on the most critical exposures.
  • Growing Interdependencies: Operational technology, IT, the Internet of Things and physical security technologies have growing interdependencies that require a risk-based approach to governance and management. 
  • Executive Needs: Boards of directors and executive management teams now must understand the cyber risk posture of their businesses and the business underpinnings of risk mitigation initiatives.
  • Incongruous Approaches: Most organizations are not equipped for a risk-based approach to cybersecurity governance and management, as they do not have common methods in place to quantify and manage cyber business risk across the various stakeholders (board, executives, operations, IT).

"By 2020, 60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases."

Paul Proctor, the Gartner Group

A Business Issue

Wall Street Journal - Top CIO Priorities

Our collective experience engaging with organizations that have been at the forefront of managing cyber risk reveals the following: 

  • A Business Issue: Cyber risk has become a business issue, not just a technology issue. Industry leaders are finding that cyber risk governance needs to be owned by the C-suite rather than by IT. 
  • Quantification of Cyber Risk: The FAIR framework defines a foundation for managing cyber risk across various business functions (line-of-business, IT, security) by providing a means to quantify the business impact of cyber risk.
  • Business-Defined Risk Balance: Cyber Risk Management enables business executives and their organizations to understand the cyber risk profile of their digital operations from a business perspective and equips them with knowledge and a decision-making framework that allows them to balance the need to protect their organization with the need to run their business. 
  • Cyber Resiliency: The ultimate objective of cyber risk management is to build cyber resiliency, where an organization’s systems and operations are designed to prevent and detect cyber threats, and respond to events to minimize business disruption and financial losses.
  • Chief Information Risk Officer (CIRO): The role of a CIRO has emerged as the leader and manager of Cyber Risk Management programs. CIROs need a mix of business acumen and sufficient technical knowledge to assess cyber risk and recommend how to address it appropriately. Many business-minded CISOs are getting a seat at the business table by transitioning into CIRO roles. In forward-thinking organizations, CIROs increasingly report to CROs or COOs on the business side of the organization rather than to CIOs in IT. 

Quantification: the Core of Effective Cyber Risk Management

The FAIR framework defines the necessary building blocks for implementing effective cyber risk management programs. The quantification of cyber risk is at the core of developing effective cyber risk management programs. After all, "You cannot manage what you don't measure."


Managing Risk Explicitly in Order to be Effective

Your organization already manages risk. The question is whether it is doing it implicitly or explicitly. A risk management program needs to be explicit to be effective. 

  • In an implicit approach to cyber risk management, an organization might have aligned its cybersecurity policies with a framework like NIST CSF, and it might have a NIST CSF-based enterprise risk assessment performed annually. The cybersecurity staff probably prioritize and work hard to address the findings from that assessment. Where the organization ends up risk-wise is a by-product of these efforts. 
  • In that approach there is little control of the outcome from a residual loss exposure perspective, because the desired outcome is never clearly defined and the measurements are only loosely associated with risk. To be explicit, there would need to be a specific, quantified risk target that is actively managed toward. 

Defining Risk Management

FAIR defines risk management as 'the combination of personnel, policies, processes, and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure.' A closer look at this definition reveals key takeaways: 

  • Cost Effectively: The responsibility of mature risk professionals is not simply to help their organizations to manage risk, but to manage it cost-effectively. Organizations compete on many levels, and if an organization is able to manage risk more cost-effectively than its competition, then it wins on that level. 
  • Achieving and Maintaining: Achieving an objective suggests that an objective exists. Maintaining a risk objective over time requires the ability to quantify and compare. 
  • An Acceptable Level of Loss Exposure: Adopting a risk assessment framework, predefined checklists and set of common practices is a form of implicit risk management and will not enable you to achieve a defined acceptable level of risk. Explicitly managing risk requires that one or more quantitative risk-based objectives exist.
Building the Right Foundation for Effective Risk Management

The foundation required to achieve and maintain effective risk management is comprised of five elements. 

  • Cost-effective risk management: a program that meets the definition of risk management listed above.
  • Well-informed decisions: every decision involves a choice, and in order for those to be well-informed... 
  • Effective comparisons: ...a decision-maker has to be able to compare the options before him/her.
  • Meaningful measurements: quantitative measurements in financial terms that all stakeholders can understand.
  • Accurate models: accurate models of risk and of explicit risk management that can scale in real-life.

The open FAIR methodology was conceived as a way to provide meaningful measurements so that it could satisfy management's desire to make effective comparisons and well-informed decisions. FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk.
Effective Risk Management

Implementing an Effective Risk Management System

FAIR tells us that an effective risk management system is comprised of the following elements: 

  • Risk: a function of the threats, assets, controls and impact factors (e.g., laws and regulations) that drive loss exposure.
  • Risk Management: comprised of decisions and execution. Those decisions are related to the risk governance that the organization decides to implement. What an organization actually gets in terms of risk is a function of execution within the context of those decisions. 
  • Feedback Loop: feedback about the conditions of asset-level controls, metrics related to threat intelligence and losses, metrics regarding conditions that affect execution (e.g., awareness, capabilities) and root-cause analysis data. 
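The page describes quantification in financial terms, an explicit risk target that is actively managed toward, cost-effective comparison of options, and risk as a function of threats, assets, controls and impact. The following added example (illustrative code, not RiskLens's product or the FAIR standard's own implementation) puts those ideas into one small Monte Carlo model. It assumes a simplified FAIR-style decomposition: annual loss = loss event frequency (LEF) x loss magnitude (LM), with LEF = threat event frequency (TEF) x vulnerability, each factor given as a hypothetical (min, most likely, max) triple sampled from a triangular distribution. All scenario numbers and option names are constructed for the example.

```python
"""
Simplified FAIR-style quantification of annualized loss exposure (ALE).

Added illustrative model, not RiskLens's or the FAIR standard's own code.
Assumptions (hypothetical): each factor is a (min, most likely, max) triple
sampled from a triangular distribution; annual loss = LEF x LM, where
LEF = TEF x vulnerability (probability a threat event becomes a loss event).
"""
import random
from statistics import mean, quantiles


def _tri(rng, triple):
    """Sample one value from a (min, most likely, max) triangular distribution."""
    lo, mode, hi = triple
    return rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)


def simulate_ale(tef, vuln, lm, n=20000, seed=7):
    """Return n Monte Carlo samples of annual loss in dollars (fixed seed for repeatability)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        lef = _tri(rng, tef) * _tri(rng, vuln)   # loss events per year
        samples.append(lef * _tri(rng, lm))       # dollars per year
    return samples


def point_estimate_ale(tef, vuln, lm):
    """Analytic expected annual loss: product of the triangular means (factors independent)."""
    def tri_mean(t):
        return sum(t) / 3
    return tri_mean(tef) * tri_mean(vuln) * tri_mean(lm)


def summarize(samples):
    """Expected annual loss plus median and 95th-percentile (VaR-style) annual loss."""
    cuts = quantiles(samples, n=100)  # 99 cut points; index 49 = p50, index 94 = p95
    return {"mean": mean(samples), "p50": cuts[49], "p95": cuts[94]}


def meets_target(summary, p95_target):
    """The explicit, quantified risk objective: p95 annual loss must not exceed the target."""
    return summary["p95"] <= p95_target


def rank_options(baseline, options):
    """Rank control options by net benefit = reduction in expected annual loss - annual cost.

    options maps a name to (annual_cost, tef, vuln, lm) describing the risk with that control in place.
    """
    base_mean = summarize(simulate_ale(*baseline))["mean"]
    rows = []
    for name, (annual_cost, tef, vuln, lm) in options.items():
        opt_mean = summarize(simulate_ale(tef, vuln, lm))["mean"]
        reduction = base_mean - opt_mean
        rows.append({"name": name, "cost": annual_cost,
                     "reduction": reduction, "net_benefit": reduction - annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario (hypothetical numbers): unauthorized access to a customer database.
# TEF in threat events/year, vulnerability as a probability, LM in dollars per loss event.
BASELINE = ((2, 5, 12), (0.2, 0.4, 0.7), (50_000, 200_000, 1_000_000))
OPTIONS = {
    # Hypothetical control: strong MFA sharply reduces vulnerability at moderate cost.
    "mfa_rollout": (150_000, (2, 5, 12), (0.02, 0.05, 0.15), (50_000, 200_000, 1_000_000)),
    # Hypothetical control: costly, only modestly reduces vulnerability for this scenario.
    "network_segmentation": (900_000, (2, 5, 12), (0.1, 0.25, 0.5), (50_000, 200_000, 1_000_000)),
}
P95_TARGET = 2_000_000  # hypothetical board-approved ceiling on annual loss at p95

if __name__ == "__main__":
    current = summarize(simulate_ale(*BASELINE))
    print(f"Baseline ALE mean ${current['mean']:,.0f}  p50 ${current['p50']:,.0f}  p95 ${current['p95']:,.0f}")
    print("Meets p95 target:", meets_target(current, P95_TARGET))
    for row in rank_options(BASELINE, OPTIONS):
        print(f"{row['name']:22s} cost ${row['cost']:>9,.0f}  "
              f"reduction ${row['reduction']:>11,.0f}  net ${row['net_benefit']:>11,.0f}")
```

The point of the model is the shape of the decision, not the numbers: the same scenario is re-run with each candidate control in place, the output is expressed in dollars that a board can compare against an explicit p95 target, and options are ranked by what they save relative to what they cost, which is the "cost-effective" and "effective comparisons" requirement the text describes. A real FAIR analysis would calibrate the ranges from evidence and typically use PERT rather than triangular distributions.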

RiskLens was built from the ground up on the FAIR methodology to quantify cyber risk and create the foundation for truly effective cyber risk management programs.