Genuinely effective Cyber Risk Management - where security risks are consistently identified, communicated and prioritised - has continually proven to be one of cybersecurity’s toughest challenges.
There’s no shortage of frameworks and methodologies aimed at structuring and streamlining risk practices.
And no shortage of benefits in having a capable risk management process; when achieved effectively, organisations can be confident they are minimising the critical flaws and vulnerabilities that can expose them to cyber attacks - while also maintaining regulatory compliance.
Yet organisations persistently flounder in their attempts - both to create a comprehensive and reliable risk picture in the first place - and then to accurately identify and prioritise that risk in the face of competing priorities.
It’s imperative - amid today’s precarious threat landscape and economic climate - that security teams can demonstrate prudence and reasonable due diligence to the board. And to do this, organisations need a full understanding of the state of their cybersecurity controls - so they can make data-driven assessments of the level of risk they face.
But speak to any assembled group of security practitioners and it quickly becomes apparent that current approaches to assess and monitor controls are no longer fit for purpose.
“I’ve often struggled to take the state of the current controls, to efficiently and routinely assess them, feed them into some risk assessment process, build a risk inventory at the right level of proportionality - and then say, well, what does that actually all mean,” says Simon Riggs, Interim CISO and Board Advisor, Coeus Risk Management.
We spoke to other UK security leaders of global companies - and found that struggles with cyber risk management are widespread.
“We have real difficulty in measuring controls across the business. At the moment it’s quite a struggle to get any consistent and unified approach.” - UK-based Security Leader
“Assessing third parties is a continual nightmare. We’ve learned that everybody either lies or paints a rosier picture when you ask them qualitative questions.” - UK-based Security Leader
A lack of control monitoring tools, together with differences in how objectives are measured, means that inefficiencies and inaccuracies in control measurement bed in, ricochet around departments, and result in misleading information for risk decision-making.
And when it comes to assessing third parties, security teams frequently tell of the struggle to get any meaningful insight on control states from subjective questionnaires.
Yet third parties represent a monumental risk if they are not adequately controlled - especially as suppliers have become ever more important for core business functions. Manual and subjective assessment is just not good enough for today’s high-stakes threat environment.
A lack of tools to assess control effectiveness
“My biggest problem is that I don’t have ways to validate and monitor controls - we usually do that manually. It’s a point in time exercise.” - UK-based Security Leader
Without the tools to continually monitor control effectiveness, risk and control gaps can go unchecked, potentially leading to blind spots. Security value diminishes as it’s harder to understand the real impact and urgency of risks inside the organisation.
“I’ve tried everything to help the board understand security risk - I’ve used fish in the tank, Lego - everything. And I’m happy to have auditors - because I can say to the board ‘it’s come up by auditors’ and they will trust them, more than they trust me even though I know my system inside out.” - UK-based Security Leader
“To have a capability to be more data-driven - to be able to go back to the board and say: ‘here's what I've been able to do in terms of taking the most amount of risk off the table, as quickly as possible’ - and to be able to demonstrate that, is something I have prayed for.” - Simon Riggs, Coeus Risk Management
The continued practice of risk managers communicating to the board through qualitative reports that lack business context both alienates the board and degrades trust.
Security leaders and risk managers - with far greater knowledge of their organisation’s systems and risks - are forced to rely on auditors’ reports to raise issues, which can leave control gaps.
Risk managers lack the necessary tools to create multiple risk treatment options and ‘what if’ scenarios - meaning significant time is spent on recommending control improvement plans that rely on manual subject matter expertise.
The clear need for automation in Cyber Risk Management
As regulators prepare to mandate an audit trail of evidence for cyber risk management, businesses are in desperate need of tools equipped with intelligent automation to improve the speed, accuracy and confidence of organisational risk decision-making.
Only then can risks be properly prioritised, based on their potential financial impact and likelihood.
“It’s clear that the current cyber risk management process is burdened with inefficiency and manual intervention, relying on outdated methods and subjectivity in decision-making,” says Anil Gandhave, President and Co-CEO of risk automation pioneers Alfahive.
“It requires transforming urgently. At Alfahive, we are driven to solve this problem by automating the cyber risk management process.”