
Cyber risk appetites: How hungry is your organisation?

A new report from RSA outlines a framework designed to help organisations set stronger cybersecurity objectives.

According to RSA, businesses need to determine their cyber risk appetite. As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber risks, it says.

The framework, issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, is designed to give organisations a new way to factor cyber risk into their overall risk appetite and to define the level of cyber risk they are willing to accept in the context of their overall business strategy.

“Since organisations can’t turn the clock back on globalisation, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their thinking about risk,” RSA says.

According to the report, entitled ‘Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise’, organisations need a systematic process for defining and comprehensively categorising sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.

“Cyber risk is a critical issue in today’s organisations, touching aspects of business risk, regulation and technology,” says David Walter, RSA general manager, Global GRC.

“To effectively deal with these risks, executive decision-makers need to understand their organisations’ cyber risk appetites – balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions,” he explains.

To effectively assess their cyber risk appetite, the report recommends that organisations take a comprehensive inventory of cyber risks, quantify their potential impact and prioritise them.

“Organisations need to ask the right questions, such as what losses would be catastrophic, and what information absolutely cannot fall into the wrong hands or be made public,” says Walter.

“They need to prioritise the risk according to impact, ranking mission- and business-critical systems ahead of facets like core infrastructure and extended ecosystem (supply chain management applications and partner portals) and external public facing points of interaction. Prioritisation needs to be an ongoing process involving constant evaluation and re-evaluation.”

The report says an organisation’s ability to quantify cyber risk and make informed decisions about its cyber risk appetite will put it in a position to succeed.

Emily Mossburg, partner, Deloitte & Touche LLP and Deloitte Advisory Cyber Risk Services Resilient Practice leader, says, “The very fundamental things that organisations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk.

“Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology,” she says.

“Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions.”
