
How Middle East organisations can map their cyber risk journey

Cyber risk is a broad and deep subject, and there is no single process, technology, or solution that will drive it down

Dan Caban, Director - Mandiant Services, META

Cyber risk can be a big blind spot for organisations. With digitalisation on the rise in the Middle East, it’s important that organisations understand that while this holds immense potential for huge rewards, it also brings with it significant risks from an ever-evolving landscape of cyber threats.

Fortunately, we’re seeing that boards and senior leaders across governments, and public and private sectors in the region are more engaged than ever before and working to better understand how cyber risk is being managed within their organisations. More dialogue with leadership around cyber risk and the impacts proactive and reactive measures have on an organisation’s risk profile is a great trend to see.

Cybersecurity teams—often in the background—take on the overwhelming tasks of supporting day-to-day operations while constantly being prepared for attackers in their environment. Balancing the criticality of in-flight projects and operational responsibilities with response preparedness is a difficult trade-off.

It is important to understand that cyber risk is not dissimilar to any other business risk. It is an aggregation of the threats and vulnerabilities present across an organisation, any of which—if exploited—could lead to financial loss, reputational damage and regulatory consequences. The terms risk and threat are not the same and should not be used interchangeably.

When looking specifically at threats and vulnerabilities, the focus should be on which technologies or processes the organisation has created or consumed that are potentially vulnerable, and that therefore create ‘opportunities’ for abuse. Threats can then be overlaid as the potential vectors or methods by which those vulnerabilities or opportunities could be exploited.

When it comes to communicating impact, simplicity can help gain the ear and appreciation of Boards around how cyber risk is being managed. This minimises complexity and focuses upward reporting on the impacts that matter. A common issue is that organisations become paralysed around how to reduce cyber risk: which controls are being relied upon, how the fidelity of those controls is truly validated over time, and how the Return on Investment (ROI) of security spending is maximised.


How to map your cyber risk journey

Cyber risk is a broad and deep subject, and there is no single process, technology, or solution that will drive it down. Maturity-based programs are a key contributor to a security program’s overall direction, but they should not be the only driver of the program. A properly designed program is instead a coordination of capabilities that requires both defining and aligning to the organisation’s direction and tolerances, and connecting it to the evolving threat landscape. Here are some key takeaways to remember when developing your program:

  • Understand what matters most: Take time to develop an understanding of the critical business assets with the highest potential for adverse impact to your organisation, those that would prevent you from remaining a going concern if compromised.
  • Define and align cyber risk tolerances across the organisation: Develop a top-down view of the organisation’s cyber risk, clarify executive reporting requirements, and establish and target an organisational risk tolerance.
  • Identify and model security architectural risks for critical systems: Decompose mission-critical systems into their components and connections, identify threats and vulnerabilities, assign a risk to each threat and align it to the organisation’s tolerances around impact.
  • Identify cyber risks in key partners and portfolios: Identify those partners and organisations that you are heavily reliant on and perform due diligence to assess the integration and supply chain risks that would expose your organisation and could drive your risk profile to unacceptable levels.
  • Identify operational vulnerabilities and align them to the organisation’s risk tolerances: Link vulnerabilities and their degree of exploitability to the potential for compromise of mission-critical systems, and validate those against the defined cyber risk tolerances.
  • Validate that your security capabilities are moving in the right direction: Map existing security program initiatives against best practices and validate any deviations from standard practice for your industry and region of operation.

Developing maturity around cyber risk does not happen overnight; rather, it is a continuous process that builds upon itself. At Mandiant, our approach—derived from numerous programme transformations—helps organisations build a better approach to identifying, mapping and driving down risks in a meaningful and methodical way.

To successfully manage cyber risk, organisations need to rethink and better identify the threats that matter most to them, integrate that information, and inform the organisation’s operational risk profile from a cyber vantage point. It’s a simple thought, but it’s often missing from most programs we interact with. The goal of proper cyber risk management is to surface the threats and vulnerabilities the organisation should care most about, those that could cause significant impact and represent true risk.