Framing cyber security as a business risk

Abstract

The information security industry struggles to get its programmes on the enterprise stage. When an organisation has a public breach, we are quick to criticise both the CISO and executive management. Is it that management ‘just doesn’t get it’, or is the problem that we’re still not presenting in a way that resonates with the business? We can learn a lot from other risk disciplines, how they organise risk scenarios and the techniques that they use. Mature organisations rely on risk profiles, the RCSA, stress testing, control testing and the analysis of loss events to understand their risk exposure. If you want your information risk programme to be taken seriously by the business, you have to do more than just throwing around a few business terms — you need to embrace enterprise risk techniques. Structuring a cyber security programme and assessment approach similar to other risk stripes not only provides credibility, but also allows the organisation to normalise risks across domains. By adopting taxonomies that are ERM-friendly, embracing the idea of a quantifiable loss event, and helping to translate impact and frequency factors into IT terms, you will see a great improvement in business engagement and ensure that cyber security concerns receive the right focus.