How to improve cyber security risk management with a data-driven framework

Domenico del Re Director, Sustainability, PwC United Kingdom 26 November, 2020

Cyber security risk presents a unique challenge – how do you manage a risk that’s always evolving? Threat actors are constantly developing new methods that can damage organisations, and frequently at a faster rate than the impact can be assessed and defences updated. At the same time, organisations are expanding their digital footprint by adopting new platforms for both internal and client-facing activities.

We recently surveyed 265 UK business and technology executives as part of a global study into cyber security strategy in 2021. It found that a third of UK organisations (34%) plan to accelerate their digitisation plans due to COVID-19, while the same proportion will have more of their employees working remotely permanently. Traditional risk management frameworks were not designed to assess such rapid, dynamic changes to a business’s cyber risk profile.

To manage cyber security risk effectively, a different mindset is needed: one that enables you to communicate a forward-looking view of how external threats and organisational changes should shape your security investment decisions.

What is data-driven cyber risk management?

According to our research, only 38% of UK organisations are very confident their cyber budget is allocated to the most significant cyber risks. More encouragingly, 71% of respondents agreed that by better quantifying cyber risk, they would improve their ability to manage overall risks against spending.

To ensure everyone in an organisation understands cyber security risk, and that you can communicate and allocate resources efficiently, the risk assessment framework needs to evolve alongside your digital environment.

It should set out the threats you’re facing, the impact they could have on the business and your own cyber response capabilities. Organisations often look at cyber threats and capabilities, but mapping them to business impact is usually an afterthought and is not translated into quantifiable metrics, such as financial loss or customer impact.

Key components for data-driven cyber risk

Adopting a framework that combines these three components (threats, business impact and capabilities) overcomes the much-discussed communication barriers between CISOs and the rest of the business. For example, risk functions often find cyber security reports to be too technical or lacking in business context. A third (34%) of UK organisations agree there will be more frequent interactions between the CISO and CEO or board as a result of the COVID-19 pandemic. It's therefore crucial that CISOs try to close the knowledge gap between themselves and the rest of the C-suite; otherwise the organisation could be exposed to cyber risk due to a failure to invest in the right skills and technologies.

The success of any cyber risk framework lies in its defensibility and consistency, which is why the solution needs to be data driven. By modelling the interactions between threats, impacts and security capabilities in a dynamic, interconnected framework, you can explain the impact of cyber on a specific set of business activities, and quickly identify the ‘so what’ to a less-technical audience. It can also support scenario planning, as you assess the impact of risks from the most severe to minor, leaving you prepared in the event of a cyber incident.

Getting started

Our experience has shown that early successes do not need complex modelling or extensive data sources. Companies can start with simple scoring approaches and build the case for more automated, granular and quantified approaches over time.

Such an undertaking is within reach of all organisations. Some might need to revisit the roles of their security teams, and create clear responsibility around risk reporting and risk reduction targets. Ultimately it will enable you to take a more proactive approach to cyber security risk and investment, helping to improve business resilience to future events.

What does dynamic cyber risk management look like?

Imagine the data room of the chief risk officer of a large insurance company when a strong hurricane is looming in the ocean. The team takes scenarios of how the storm could develop to understand the possible impact on the portfolio of properties. Are the buildings in the path particularly vulnerable to flooding? How does this storm match our planned financial loss scenarios? Data from the meteorological stations tell them how the threat could turn into different financial loss scenarios. They will prepare their claims teams and seek financial loss mitigation options, based on the analysis of possible outcomes, such as getting emergency reinsurance protection from capital markets.

Cyber risk in organisations needs to be managed along similar lines. A static approach to managing risk will rapidly become obsolete. Data feeds from threat intelligence, audit findings, defect management and asset life cycles can be orchestrated into the three components of Threats, Business Impacts and Capabilities to give a real-time, dynamic view of risk. The insights from this approach will help with the tough decisions the CISO and security teams face on a daily basis:

  • Is my vulnerability management programme reducing risks from the new emerging threats?
  • What is the value of my culture and training programme?
  • Which of my current projects will mitigate business risks the most?
  • Exactly which of my client-facing processes could be affected by this new emerging threat? And how could it be affected?
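
The following is an added illustration of such a scoring model, written for this page rather than taken from PwC or the article. It wires the three components (threats with a likelihood from a threat feed, business processes with a loss figure, and capabilities with a maturity score) into one small model, then answers two of the questions above: which client-facing processes a newly ingested threat could affect, and which planned project reduces expected loss the most. Every threat, process, capability, probability and loss figure is constructed sample data, and the "independent controls multiply down the likelihood" rule is a deliberately simple modelling assumption, not a standard.

```python
"""Toy data-driven cyber risk model: Threats, Business Impacts, Capabilities.

Added illustration, not PwC's method. All names, probabilities and loss
figures are constructed sample data; the control model is a simplification.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float            # assumed annual probability of an attempt, 0..1
    techniques: FrozenSet[str]   # techniques the threat relies on


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    client_facing: bool
    loss_if_compromised: float   # constructed GBP figure for one successful compromise
    exposed_to: FrozenSet[str]   # techniques that could compromise this process


@dataclass(frozen=True)
class Capability:
    name: str
    maturity: float              # control effectiveness from maturity assessments, 0..1
    mitigates: FrozenSet[str]    # techniques this control reduces


def residual_likelihood(threat: Threat, capabilities: List[Capability]) -> float:
    """Scale the raw likelihood by every capability that counters one of the
    threat's techniques. Controls are treated as independent (assumption)."""
    p = threat.likelihood
    for cap in capabilities:
        if cap.mitigates & threat.techniques:
            p *= 1.0 - cap.maturity
    return p


def expected_annual_loss(threats: List[Threat], processes: List[BusinessProcess],
                         capabilities: List[Capability]) -> Dict[str, float]:
    """Business-impact view: expected annual loss per process, summed over the
    threats whose techniques can reach that process."""
    losses: Dict[str, float] = {}
    for proc in processes:
        total = 0.0
        for threat in threats:
            if threat.techniques & proc.exposed_to:
                total += residual_likelihood(threat, capabilities) * proc.loss_if_compromised
        losses[proc.name] = total
    return losses


def affected_client_processes(threat: Threat, processes: List[BusinessProcess]) -> List[str]:
    """Answer 'which of my client-facing processes could this new threat affect?'"""
    return sorted(p.name for p in processes
                  if p.client_facing and p.exposed_to & threat.techniques)


def apply_project(capabilities: List[Capability], project: Capability) -> List[Capability]:
    """A project either raises an existing capability's maturity or adds a new control."""
    updated = [project if c.name == project.name else c for c in capabilities]
    if project.name not in {c.name for c in capabilities}:
        updated.append(project)
    return updated


def rank_projects(projects: List[Tuple[str, Capability]], threats: List[Threat],
                  processes: List[BusinessProcess],
                  capabilities: List[Capability]) -> List[Tuple[str, float]]:
    """Answer 'which project mitigates business risk the most?' by the reduction
    in total expected annual loss each project would deliver."""
    baseline = sum(expected_annual_loss(threats, processes, capabilities).values())
    ranked = []
    for label, project in projects:
        after = apply_project(capabilities, project)
        loss = sum(expected_annual_loss(threats, processes, after).values())
        ranked.append((label, baseline - loss))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample data (hypothetical threat feed, asset register and maturity assessment)
THREATS = [
    Threat("ransomware", 0.30, frozenset({"phishing", "unpatched_vpn"})),
    Threat("business_email_compromise", 0.20, frozenset({"phishing"})),
]
PROCESSES = [
    BusinessProcess("online_claims_portal", True, 2_000_000, frozenset({"unpatched_vpn", "weak_auth"})),
    BusinessProcess("payroll", False, 300_000, frozenset({"phishing"})),
    BusinessProcess("customer_email_support", True, 500_000, frozenset({"phishing"})),
]
CAPABILITIES = [
    Capability("security_awareness", 0.5, frozenset({"phishing"})),
    Capability("patch_management", 0.4, frozenset({"unpatched_vpn"})),
]
# A new item arriving from the threat intelligence feed
EMERGING_THREAT = Threat("credential_stuffing", 0.25, frozenset({"weak_auth"}))
# Candidate projects, each expressed as the capability it would deliver
PROJECTS = [
    ("MFA rollout", Capability("mfa", 0.8, frozenset({"weak_auth"}))),
    ("Awareness refresh", Capability("security_awareness", 0.7, frozenset({"phishing"}))),
    ("VPN patch sprint", Capability("patch_management", 0.9, frozenset({"unpatched_vpn"}))),
]

if __name__ == "__main__":
    print("Baseline expected loss:", expected_annual_loss(THREATS, PROCESSES, CAPABILITIES))
    print("Client processes exposed to new threat:", affected_client_processes(EMERGING_THREAT, PROCESSES))
    print("Project ranking:", rank_projects(PROJECTS, THREATS + [EMERGING_THREAT], PROCESSES, CAPABILITIES))
```

Running it shows the dynamic behaviour the article describes: ingesting the new feed item immediately flags the claims portal and adds its exposure to the loss picture, and the project ranking changes accordingly (the MFA rollout, which addresses the new threat, overtakes the patching sprint). Replacing the constructed figures with real threat-intelligence likelihoods, audit and maturity scores, and finance-agreed loss estimates is the work of building the data-driven framework; the scoring logic itself can stay this simple at the start.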

Monitoring and maturity assessment data is abundant in companies and provides a view on the cyber capabilities and threats. Add a view of the business impact to answer the “so what” that business functions ask when new threats or vulnerabilities make the news headlines.

Cyber functions have a duty to show how they are achieving the resilience that management expects. Demonstrating that the function has a handle on what could go wrong makes it a business enabler for new digitisation journeys.

Contact us

Domenico del Re

Director, Sustainability, PwC United Kingdom

Tel: +44 (0)7483 906282
