
The Fundamentals of Cyber Risk Management


Julia Sinclair-Jones

October 14, 2019


Cyber risk is an ever-evolving field, growing at the same pace as the most bleeding-edge technology products and paradigms. To keep up with current and future-reaching risks means understanding the history of cyber-threats, applying current best practices, and being aware of what the near future might hold.

Today we take a look at the fundamentals of cyber risk management as they stand in 2019, with a focus on what the field looks like now, along with a dose of how AI is advancing the field.

The 3 pillars of cyber risk: People, Processes, Technology

The fundamental foundations of cyber risk management are the three pillars of risk – People, Processes and Technology – as well as their interconnections. For a comprehensive overview, you can take a look at these in detail in ISACA’s Business Model for Information Security.

Strengthening of cybersecurity practices involves:

People: Training of all staff in cybersecurity best practices, ensuring your cyber-team is experienced and effective in their roles, ensuring adequate staffing levels of your cyber-team, building a culture of organisation-wide awareness.

Processes: An emphasis on removing manual processes that can lead to mistakes in cybersecurity practices, introducing workflows across cybersecurity tools to free up data from silos, creating use-case playbooks for incident response.

Technology: A combination of best-in-breed security tools, tiered alert and ticketing systems, custom codified security rules, and a security orchestration platform for a holistic view of the system.

While many organisations spend plenty of time and money investing in the technology part of the equation, this is generally a misguided practice.

Focus on people

As Yi Fang Chua, Senior Manager, Advisory (FSO Cyber Security) at EY wisely notes, “People are the weakest link of an organisation in the People, Process, Technology triad. Advanced technology and security practices, regardless, will always be constrained by the human factor.”

This requires a new operating model “to bridge silos and collaboratively design controls, training, communications to drive effective risk culture.”

She encourages organisations to “create a culture of curiosity, encouraging a risk aware, innovative and pre-emptive defence mentality to enable an agile response (vs. reaction) to new and evolving tactics from the adversaries.”

Asset and network discovery and risk

Identifying cyber risks begins with defining what you’re protecting and where on your networks it needs protection.

Harshit Mistry, Manager, Cyber Security at EY outlines the basic process involved.

“Organisations should invest in identifying and updating their crown jewels (using parameters like whether the assets are internet exposed, hosted on cloud, managed by third party etc.) and associated threats at regular intervals.”

This includes “a comprehensive view of where all key information assets reside, whether self-managed or managed by a third party, including any unstructured data (e.g., spreadsheets, documents, PDFs, emails, etc.). This should include risk classification and level of granularity, appropriate to the entity’s size and complexity, plus current risk controls.”

You’ll notice that Mistry homes in on an important asset management aspect of cyber-risk: third party vendors.

“Organisations should implement a third party tiering system which can be created using parameters like the location of services, number of records accessed, data type accessed, etc,” he says. “Tiering of the third parties can help determine the frequency of controls assessment and the level of evidence required to ascertain the security posture of third parties.”

“They should review the third party contract and ensure the cyber risk at third parties is managed and contained to reduce the cascading impact on the organisation in case of a security incident at third parties.”
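The crown-jewel classification and third-party tiering Mistry describes can be made concrete as a small scoring model. The script below is an added worked example written for this article, not EY’s or any vendor’s tooling: the parameters it scores (internet exposure, cloud hosting, third-party management, unstructured data, service location, number of records and data type accessed) come from the quotes above, while the weights, thresholds, tier boundaries and assessment cadences are assumed values chosen for illustration and would be tuned to an organisation’s own risk appetite. The asset and vendor records are constructed sample data.

```python
"""Added example: crown-jewel classification and third-party tiering.

Illustrative code for the article, not EY's or any vendor's tooling.
Weights, thresholds and assessment cadences are assumptions.
"""
from dataclasses import dataclass

# Assumed weights per risk parameter (tune to your own risk appetite).
DATA_TYPE_WEIGHT = {"public": 0, "internal": 1, "pii": 3, "financial": 3, "health": 4}
LOCATION_WEIGHT = {"onshore": 0, "offshore": 2}
CROWN_JEWEL_THRESHOLD = 6


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    cloud_hosted: bool
    third_party_managed: bool
    data_type: str
    unstructured: bool = False  # spreadsheets, documents, PDFs, mailboxes


@dataclass
class ThirdParty:
    name: str
    service_location: str   # "onshore" or "offshore"
    records_accessed: int
    data_type: str


def asset_risk_score(asset: Asset) -> int:
    """Score an asset on the parameters Mistry lists; higher means riskier."""
    score = DATA_TYPE_WEIGHT[asset.data_type]
    if asset.internet_exposed:
        score += 3          # reachable by anyone, so exposure dominates
    if asset.cloud_hosted:
        score += 1          # shared-responsibility model, less direct control
    if asset.third_party_managed:
        score += 2          # cascading risk from the vendor's own posture
    if asset.unstructured:
        score += 1          # harder to inventory and to apply controls to
    return score


def is_crown_jewel(asset: Asset) -> bool:
    return asset_risk_score(asset) >= CROWN_JEWEL_THRESHOLD


def third_party_score(tp: ThirdParty) -> int:
    """Score a vendor by location, record volume and data type accessed."""
    score = DATA_TYPE_WEIGHT[tp.data_type] + LOCATION_WEIGHT[tp.service_location]
    if tp.records_accessed >= 1_000_000:
        score += 4
    elif tp.records_accessed >= 100_000:
        score += 3
    elif tp.records_accessed >= 10_000:
        score += 2
    elif tp.records_accessed > 0:
        score += 1
    return score


def third_party_tier(tp: ThirdParty) -> int:
    """Tier 1 is the highest-risk band; boundaries are assumed values."""
    score = third_party_score(tp)
    if score >= 7:
        return 1
    if score >= 4:
        return 2
    return 3


# Tier drives how often controls are assessed and what evidence is required.
ASSESSMENT_BY_TIER = {
    1: ("quarterly", "on-site audit or independent assurance report"),
    2: ("annually", "completed questionnaire plus control evidence"),
    3: ("every two years", "self-attestation questionnaire"),
}


def assessment_plan(tp: ThirdParty) -> dict:
    tier = third_party_tier(tp)
    frequency, evidence = ASSESSMENT_BY_TIER[tier]
    return {"vendor": tp.name, "tier": tier, "frequency": frequency, "evidence": evidence}


def crown_jewels(assets: list) -> list:
    """Names of assets above the crown-jewel threshold, riskiest first."""
    jewels = [a for a in assets if is_crown_jewel(a)]
    return [a.name for a in sorted(jewels, key=asset_risk_score, reverse=True)]


# Constructed sample inventory (not real systems or vendors).
SAMPLE_ASSETS = [
    Asset("customer-db", True, True, False, "pii"),
    Asset("intranet-wiki", False, False, False, "internal", unstructured=True),
    Asset("hr-fileshare", False, False, True, "pii", unstructured=True),
]
SAMPLE_VENDORS = [
    ThirdParty("payroll-saas", "offshore", 250_000, "financial"),
    ThirdParty("marketing-agency", "onshore", 5_000, "internal"),
    ThirdParty("cloud-backup", "onshore", 50_000, "pii"),
]

if __name__ == "__main__":
    print("Crown jewels:", crown_jewels(SAMPLE_ASSETS))
    for vendor in SAMPLE_VENDORS:
        print(assessment_plan(vendor))
```

Rerunning the script at the regular intervals Mistry recommends, against a refreshed inventory, is what keeps the crown-jewel list and vendor tiers current; the point of scoring rather than hand-picking is that a change in one parameter (a system becoming internet-exposed, a vendor starting to receive PII) moves the asset or vendor into the right band without a separate judgement call.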

Rethinking traditional networking

With the changing nature of networks, including cloud vendors, edge computing and IoT devices, it’s useful to rethink network cybersecurity risk.

Justin Spyridis, Group Owner, IoT at Telstra suggests “moving away from a perimeter defensive position. This is largely focused on the idea of zero trust networks and assuming that all devices are essentially operating from untrusted domains and take some level of responsibility and ownership (across access control and management).”

To achieve this, he recommends a “comprehensive review of the threat landscape for all projects across devices, edge/gateway, cloud and external interfaces/endpoints”, with the following stipulations:

  • The need to be realistic about what is possible and what is not
  • Clearly articulated risks and stages of deployment (dev/POC/trials/production)
  • Clear security failure analysis – what is the cost to business if data is compromised, etc.

Using an existing framework for repeatable processes

Organisations often choose to use an existing cybersecurity framework as their basis for cyber risk management. There’s no need to reinvent the wheel, after all – simply tweak it for each organisation’s unique nuances.

Popular frameworks include:

  • NIST (a US-government developed framework)
  • ISO/IEC 27001 (an international standard for an information security management system)
  • CIS Controls (best practices from the Center for Internet Security)
  • FAIR (a Value at Risk framework for cybersecurity and operational risk)

Using one or more standard frameworks can help ensure compliance and reporting within specific, industry-wide best practices. Modification is fairly standard, allowing organisations to adjust for their specific requirements.

Modern solutions to a modern threat landscape: AI

Just as AI is becoming a staple for security tools, so too is it becoming a staple for hackers. The reach of AI for security threats is a scary prospect, too, as Kade Morton, Security Consultant at Quantum Security Services explains.

“Imagine malicious hackers with access to an AI tool for automating their reconnaissance of targets, the discovery of vulnerabilities, something that suggests tools and payloads appropriate to those vulnerabilities, that illustrates how a number of vulnerabilities could be chained together, and that can advise on the latest defence trends and how to circumvent them.”

It’s not all doom and gloom, though. AI can also be used to “fight the good fight” when it comes to cybersecurity.

“AI can help developers create more secure products and help people deploying solutions to make sure those solutions are (and stay) configured correctly,” says Morton. “There is also scope for AI to give advice to users based on their current actions and behaviour, such as asking whether you really want to click on a link or trust an encrypted connection.”

CapGemini’s 2019 survey of senior executives supports the need to implement AI in cybersecurity measures, finding:

  • 75% of respondents say that AI allows their organisation to respond faster to breaches
  • 3 in 5 firms say using AI improves the accuracy and efficiency of cyber analysts
  • A majority of respondents report that AI lowers the cost of detecting and responding to breaches

Make your mark in this exciting industry

Cybersecurity is undoubtedly one of the most interesting fields to enter as an IT professional, with cyber risk management a varied, imaginative, and data-driven role. If that sounds like your dream role, then have a browse of current job listings at these top companies:
