Right Strategy for Effective Cybersecurity
Why are recent technology developments and transformations impacting your business environment?
We have become over-dependent on cybersecurity tools to mitigate risk instead of making risk-based decisions. Over the last couple of decades, organizations have been implementing technologies that have either automated a manual process, enhanced decision-making with more precise data, or provided some technological advantage over competitors. A few technologies have changed the way in which we work, and in many cases where we work, such as virtual computing, cloud services, big data, and now products being placed in the Internet of Things (IoT). Many of these new technologies have driven the total cost of operations down, but they have also created process complexities, and many of them have merely transferred and increased costs to other areas, particularly risk management. These technology changes made to address new business objectives and transformation initiatives have not only increased cyber risks to the organization, but have also given many a false sense of security. Without a mature cyber risk program providing executive management with strategic decision-making abilities, an organization effectively begins to expose and erode its capital through unforeseen events and poor purchases.
Organizations that are beginning to have conversations at the Board of Directors level about cyber risks and their impact on the organization are better off than the majority who have not. More than one CEO has said that cyber is the new credit risk, and that it is the single risk that could wipe out an organization’s capital and reserves. However, while Boards are getting up to speed on the jargon and on the tools and techniques being used to lessen the risk, there is still a wide gap between what needs to be presented to Executive Management and what is currently being offered. Technology alone cannot solve cyber risk issues; they can only be resolved by first understanding what the objectives of the business are, then working with technology departments to understand the deployment strategy for meeting those objectives, and coordinating with your compliance, regulatory, and privacy departments. This eventually leads to the creation of a mature cyber risk program.
A well designed cybersecurity and risk program must be driven from the organization’s cyber risk appetite
A well designed cybersecurity and risk program must be driven from the organization’s cyber risk appetite. However, this is where the hard work originates, as organizations try to quantify and qualify the value of their assets and determine which of those assets generate revenue. Completing the valuation of an asset helps in understanding the asset’s deprived value or the loss of revenue generation if it is compromised. Through this, organizations can make better decisions pertaining to capital expenditures and reserves for cyber risks. This allocation of reserves may come in handy when a cyber interruption precludes your organization from making claims on your cyber insurance. These conversations are what Heads of Information Security should be having with Executive Management and Directors. However, we continue to see and hear about operational metrics being provided that have no value for decision making and that convolute the process. Additionally, many of the conversations are still about tool purchases, not about how or why those tools mitigate risks, and as the cybersecurity market indicates, it will approach $122 billion by the year 2021. That is a ton of products that CXOs will need to evaluate and review to approximate the best choices.
The market data fails to highlight the noise surrounding tools and products. We should return our attention to the foundational elements and capabilities of our cybersecurity and cyber risk programs. When an organization fails to assess the maturity of these capabilities and foundational elements, purchasing tools may at first appear to solve cyber risks, but once the tools are implemented they actually increase the resource burden on the company. For example, if the organization purchases a tool to identify incoming malware, but its cyber risk appetite is focused on the exfiltration of information or the lateral movement of malware, it has essentially made an incorrect decision on where resources and capital should have been allocated. Additionally, many of these tools are designed in such a way that they have a dedicated interface that is unable to interact with current processes or the technology environment. This increases the number of full-time employees with overly specific skill sets needed for maintenance, or it may result in additional changes to the technology architecture.
Each organization must start with the understanding that it offers a unique portfolio and will therefore have a different level of cyber risk maturity compared to its industry competitors. By attempting to solve market FEAR (false evidence appearing real), organizations will ultimately continue to fail in meeting regulatory and industry requirements and their own cyber risk appetites.
The A&M approach
In partnership with Alvarez & Marsal (A&M), executive leadership can begin to decipher the black box of cybersecurity and confidently make better informed cybersecurity decisions through sound risk management principles. A&M brings a deep operational heritage and hands-on approach to delivering cybersecurity solutions that create sustainable, operational, regulatory and financial results. Our teams of senior professionals are uniquely qualified with regulatory and industry experience to address the demands of organizations and to manage cyber and operational risks in a comprehensive manner.
A&M’s approach focuses on providing foundational solutions that mitigate risk and ensure appropriate levels of capital reserves while maximizing operational effectiveness.