Organisations rely on technology, systems and Information to support their business goals. It is important that organisations apply a similar level of rigour to assessing the risks to its technology, systems and information assets as it would to other risks that might have a material business impact, such as regulatory, financial or operational risks. This can be achieved by embedding an appropriate risk management regime across the organisation, which is actively supported by the board, senior managers and an empowered governance structure.
Defining and communicating the organisation’s attitude and approach to risk management is crucial. Boards may wish to consider communicating their risk management approach and policies across the organisation to ensure that employees, contractors and suppliers are aware of the organisation’s risk management boundaries.
What is the risk?
Taking risk is a necessary part of doing business in order to create opportunities and help deliver business objectives. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately to a level which is consistent with what risks an organisation is willing, or not, to tolerate. If an organisation does not identify and manage risk it can lead to business failure.
The lack of an effective risk management and governance structure may lead to the following:
- Exposure to risk: Without effective governance processes the Board will be unlikely to understand and manage the overall risk exposure of the organisation.
- Missed business opportunities: Risk decisions taken within a dedicated security function, rather than organisationally, will be motivated by achieving high levels of security. This may promote an overly cautious approach to risk leading to missed business opportunities or additional cost.
- Ineffective policy implementation: The board has overall ownership of the corporate security policy. Without effective risk management and governance processes the Board won't have confidence that its stated policies are being consistently applied across the business as a whole.
How can the risk be managed?
Establish a governance framework: A governance framework needs to be established that enables and supports a consistent and empowered approach to risk management across the organisation, with ultimate responsibility residing at board level;
Determine what risks an organisation is willing to tolerate and what is unacceptable: Agree what risks you are prepared to tolerate in pursuit of your business objectives. Produce guidance and statements that helps individuals throughout the organisation make appropriate risk based decisions.
Maintain board engagement: The board should regularly review risks that may arise from an attack on technology or systems used. To ensure senior ownership and oversight, the risks resulting from attack should be documented in the corporate risk register and regularly reviewed. Entering into knowledge sharing partnerships with other companies and law enforcement, and joining the CiSP Information Sharing Platform, can help you understand new and emerging threats as well as share approaches and mitigations that might work.
Produce supporting policies: An overarching technology and security risk policy should be created and owned by the board to help communicate and support risk management objectives, setting out the risk management strategy for the organisation as a whole.
Adopt a lifecycle approach to risk management: Technology changes, as does the threat and therefore risks change over time. A continuous through-life process needs to be adopted to ensure security controls remain effective and appropriate.
Apply recognised standards: Consider the application of recognised sources of security management good practice, such as the ISO/IEC 27000 series of standards.
Make use of endorsed assurance schemes: Consider adopting the Cyber Essentials Scheme. It provides guidance on the basic controls that should be put in place to manage risk of online cyber attack to enterprise technology and offers a certification process that demonstrates your commitment to cyber security.
Educate users and maintain awareness: All users have a responsibility to help manage security risks. Provide appropriate training and user education that is relevant to their role and refresh it regularly. Encourage staff to participate in knowledge sharing exchanges with peers across your organisation and beyond.
Promote a risk management culture: Risk management needs to be organisation-wide, driven by corporate governance from the top down, with user participation demonstrated at every level of the business.