Most cyberattacks succeed because of weaknesses in people, processes, controls and operations. This is the definition of operational risk. Therefore, it makes sense to tackle cyber risk with the same tools you use to manage operational risk.
We continue to prove that the approach of the IT department managing cybersecurity is not working. Cyber risk is typically treated in parallel with other technology risks; the IT department is motivated to focus on securing the vulnerabilities of individual system components and proffers a micro view of security concerns.
My new Celent report on “Treating Cyber Risk as an Operational Risk: Governance, Framework, Processes and Technologies”, discusses how financial institutions are advancing their cybersecurity practices by leveraging their existing operational risk frameworks to centralize, automate and streamline management, technologies, processes, and controls for a sounder and more resilient cybersecurity.
The report identifies and examines the steps required to achieve a risk-based approach to a sustainable and, ultimately, a measurable cyber risk management strategy:
1. Establish a long-term commitment to drive a top-down, risk-based approach to cybersecurity.
2. Recognize that the traditional approach of the IT department managing cybersecurity is limited and that most cyber risks are weaknesses in people, processes, controls, and operations.
3. If you have not already, consider deploying the NIST cybersecurity framework and tailor the framework to fit your individual cybersecurity requirements. The framework lets you take advantage of your current cybersecurity and operational risk language, processes and programs, industry standards and industry best practices. Both cyber and operational risk should be informed by and aligned with the institution’s enterprise-wide risk management framework.
4. Move your organization along the cybersecurity maturity curve by building dynamic risk models, based on shared industry data and assumptions, to measure and monitor cyber threats and pre-empt those attacks.
5. Stop throwing money at the problem. Educate decision-makers on why and how breaches happen. Do not purchase in siloes or under pressure, select the right expertise to identify the issues and carry out due diligence on products.
6. Use the NIST’s five functions to navigate and manage cybersecurity technology requirements and purchases.
7. Know what technology you want from your vendors; know what advice to seek from your consultants.
8. Acknowledge that cybersecurity is the responsibility of every employee and human behavior is the most basic line of defense. Institutions cannot hesitate in the goal to educate their employees, third parties and customers.