
Understanding and managing cyber risk

Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members very actively involved – because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.

  1. Jim DeLoach
    March 29, 2015 at 4:23 PM

    Good list. I would include the following question:
    Does management make an effort to identify the organization’s “crown jewels” (data, information and information systems that the organization cannot afford to lose) to focus its cyber protection strategy or, alternatively, does management view all information assets to be of equivalent value?
    Nice to see you in Miami, Norman.

  2. Norman Marks
    March 29, 2015 at 4:32 PM

    Jim, thanks for the suggestion.

    One of the Miami panelists also talked about focusing more resources on the crown jewels than on minor assets.

    I made the point that people don’t think about whether any breach could have a significant effect on the achievement of the organization’s strategies and objectives. Management should take each of the above and ask what effect, if any, could a breach have?

  3. March 29, 2015 at 5:09 PM

    Norman, very easy to ask questions. The real intellectual discourse is the sharing of possible solutions, not questions. COBIT/NIST/ISO and many others we all have been working on for a long time.

  4. Paul Charlton
    March 30, 2015 at 2:15 AM

    I would turn q’s 1, 2, 7, 9, & 12 into open questions so that the answers are not automatic “yes” and make the respondent think, or follow up the closed question with “how do you know?”

  5. March 30, 2015 at 4:16 AM

    Good thoughts. Will take them with me for an ERM presentation to savings banks shortly.
    For those interested in further reading IRM in Ldn has good material:
    https://www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk/
    Kind regards / Per

  6. March 31, 2015 at 12:20 AM

    I think also that one of the important questions is how frequently the company gets independent verification. Depending on the industry and its reliance on IT, each business must get a third party to verify their IT risk policies.
