Risk Management Strategy Fundamentals


Lisa Morgan

Cyber security is one of many risk functions within an organization, but the various functions may not work together as closely as they should to collectively lower the company's risk profile. Security teams should work with IT and business stakeholders as well as with other risk functions including governance, compliance, risk management and legal.

Shadow IT

Shadow IT has plagued IT departments since the 1980s, when Apple-loving radicals brought their Macintosh computers to work. In response, IT departments banned personal tech at work, issuing company-owned laptops and eventually BlackBerry phones. Then BYOD happened and IT lost the war. In response, cyber security vendors introduced mobile device management (MDM) and other endpoint security software in an effort to balance an enterprise's desire for a managed IT ecosystem with employees' desire to use a device of their choice.

Meanwhile, IT budgets shifted from centralized IT to include departmental budgets. Armed with their own budgets, departments and lines of business could finally justify buying their own tech, which they do, often without IT's approval or a cyber security assessment. While it's true no one understands the needs of a department better than the people who work in it, what non-technologists don't tend to realize is how their tech purchases may impact IT, the IT ecosystem, the company's risk profile and security teams.

Cyber security and IT should not only be informed of departmental purchases, they should be brought in before the purchases are made so the potential risks can be managed from the beginning. In fact, some IT departments have set up company marketplaces where employees can choose from pre-vetted options to balance users' preference for choice and the organization's need for risk management.

Similarly, some cyber security teams make a point of engaging people throughout the business to understand what they're trying to accomplish and the tech they think they'll need to do it, so the security team can identify a safe way to give business users what they want.

Business + IT + Security Process

IT and security need to ensure from a technical standpoint that equipment, software and devices are secure and that company employees understand basic cyber hygiene. However, more fundamentally, they should be working with the business to establish processes that minimize risks. 

Getting there requires processes that are cooperatively defined, adhered to, modified and updated. In addition, the processes should be documented so they survive staff changes and withstand an audit. They should also be monitored, both to ensure compliance and to surface signals that a process needs to change.

Orchestrating processes among the business, IT and security matters because today's environment of cyberattacks, cyberwarfare and cyber terrorism leaves no room for gaps between those functions. In addition, today's enterprises are connected to third parties including suppliers, distributors, resellers and customers. This "extended enterprise" model is only as secure as its weakest link. As a result, third parties may be adversely impacted by an attack on the enterprise. Conversely, a third party could be the launch point of an attack against it.

Given that complexity and the range of potential risks, enterprises should quantify their risk so that the business, IT and security can operate in sync on both policy and operations. Companies need to be clear about their risk appetite, the threats they face, how cyber security incidents are evolving, and what a cyber security incident would cost, expressed in numbers the business can act on.

Organizations are also wise to engage white hats who can help identify weak spots their internal teams have missed, through penetration tests and social engineering exercises.

For example, one cyber security consulting firm dropped thumb drives in a client's parking lot to demonstrate how easy it is to dupe an employee, even one who is well aware of the need for cyber hygiene. To increase the likelihood that individuals would insert the thumb drives into their computers, the consultants labeled the devices with confidential-sounding names such as "employee salaries" or "executive salaries." An exercise like this tests the technical controls as much as the people: if endpoints allow arbitrary removable storage to mount and run, awareness training is the only thing standing between the drop and a compromise.

Third Party Risk Management

The extended enterprise created the need for third-party risk management (TPRM) solutions. According to Gartner, 60% of organizations have 1,000 or more vendors, and 80% of legal and compliance leaders say they didn't discover third-party risks until after the third parties were onboarded.

In the 2020 Gartner Magic Quadrant for IT Vendor Risk Management tools, Prevalent and ServiceNow were named Visionaries. The Leaders include Galvanize, MetricStream, NAVEX Global, OneTrust, ProcessUnity, RSA and SAI Global. 

Some companies are turning to professional services firms and cyber security consultancies for help understanding and managing third party risks. For example, EY offers a set of four TPRM services. One of them is TPRM as a Service.

Supply chain risk, another third-party topic, is being viewed somewhat differently after the recent Suez Canal incident, in which the cargo ship Ever Given ran aground and stopped the flow of traffic for six days. The incident is expected to impact commerce for weeks or months. From a security standpoint, the concern is that terrorists could inflict similar harm, potentially on a larger scale, by shutting down narrow routes like the Suez Canal and the Panama Canal simultaneously, whether through physical or cyber means.