For any organization, having a thorough understanding of the risks it faces is fundamental, and executing a sound risk assessment is critical. Because the threat of cyber attack is ubiquitous, boards must inquire about cyber risk assessments. Specifically, the board should ask several questions: In the past two years, has the organization conducted an assessment that identifies cyber risks related to people, processes and technology for all business units, regions and groups? Have those risks been ranked by the impact they would have and the likelihood of their occurring, and scored both as inherent risk (before any controls are applied) and as residual risk (after existing controls are taken into account)?
If so, who conducted the assessment: the chief information security officer (CISO), the chief audit executive (CAE), or a third party engaged by IT? Did the assessment follow external guidance such as NIST SP 800-37 and CSF v1.1, COBIT 2019 or ISO 31000? Is the CISO conducting periodic vulnerability scans and penetration tests and working with IT to resolve identified issues in a timely manner? If all of this has been done, how often are the assessments repeated?
When the answers to these questions add up to a collective "yes," board members can begin to say with confidence that they understand the cyber resiliency of their organization. However, the data suggest most organizations still struggle with cybersecurity. Results from the EY 2020 GISS report show that 59% of organizations around the globe experienced a significant or material breach in the past 12 months.
Additionally, one of the key findings in the IIA 2021 OnRisk report highlights critical knowledge deficits related to cybersecurity, data and new technology. Together, these data points suggest that for most companies the collective answer to these questions is "no," and that where the answer is "yes," too much time has often passed for the assessment to be useful in adequately protecting the organization.
Why is the assessment question so important? Having this level of insight, a tailored and up-to-date understanding of the complete cyber risk profile across people, processes and technology, is the first step in understanding and managing the organization's cyber risk. Without it, efforts tend to be ad hoc and incomplete, often recognizing risk only in its more obvious forms.
EY professionals see this consistently while working with their clients around the globe, especially in industries where operational, health or environmental risks are present. These companies often, and mistakenly, view cyber risk as secondary to those risks. Assessing and documenting cyber risk seems simple. However, cost is often raised as prohibitive, especially when it comes to the more technical assessments such as penetration testing.
Cybersecurity typically is viewed as a set of technical IT risks that require expensive specialized resources. While this is true in some cases, it is not in many others. Cybersecurity is as much business and process oriented as it is IT, and a simple cyber program or enterprise IT risk assessment is an ideal place to start the cyber risk management process.
Further, leading organizations are now embracing an ongoing risk assessment mindset. Such assessments are considerably cheaper than technical testing, can be performed effectively by internal audit or by a service firm, and indicate where more technical scanning or penetration testing should be focused when budget permits.
So, after reading the details on the first of the risky six, ask yourself: Does your company have this level of time-relevant granularity and understanding of how it manages cyber risk? If not, this is the perfect place to start. Pick one of the better-known frameworks mentioned above, assess your organization and prioritize the risks.