Cyber risk appetites: How hungry is your organisation?
A new report from RSA has outlined a new framework for organisations, designed to help them create stronger cybersecurity objectives.
According to RSA, businesses need to determine their cyber risk appetite. As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber risks, it says.
The framework, issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, is designed to give organisations a new way to factor cyber risk into their overall risk appetite and to define the level of cyber risk they are willing to accept in the context of their overall business strategy.
“Since organisations can't turn the clock back on globalisation, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their thinking about risk,” RSA says.
According to the report, entitled ‘Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise’, organisations need a systematic process for defining and comprehensively categorising sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.
“Cyber risk is a critical issue in today's organisations, touching aspects of business risk, regulation and technology,” says David Walter, RSA general manager, Global GRC.
“To effectively deal with these risks, executive decision-makers need to understand their organisations' cyber risk appetites – balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions,” he explains.
To effectively assess their cyber risk appetite, the report recommends that organisations take a comprehensive inventory of cyber risks, quantify their potential impact and prioritise them.
“Organisations need to ask the right questions, such as what losses would be catastrophic, and what information absolutely cannot fall into the wrong hands or be made public,” says Walter.
“They need to prioritise the risk according to impact, ranking mission- and business-critical systems ahead of facets like core infrastructure and extended ecosystem (supply chain management applications and partner portals) and external public facing points of interaction. Prioritisation needs to be an ongoing process involving constant evaluation and re-evaluation.”
The report says an organisation's ability to quantify cyber risk and make informed decisions about its cyber risk appetite will put it in a position to succeed.
Emily Mossburg, partner, Deloitte & Touche LLP and Deloitte Advisory Cyber Risk Services Resilient Practice leader, says, “The very fundamental things that organisations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk.
“Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology,” she says.
“Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions.”