Risk management is a key component of any cyber security strategy, and having a strategy matters because cyber criminals have one: a strategy of using all available means to achieve their aims.
“But cyber risk is not about technology alone; it is also about people and processes, and therefore it is about leadership and management,” said Will Brandon, chief information security officer at the Bank of England.
“It is important for business leaders to own the risk, but that means they need to understand the risk before they can manage it. Any cyber risk is a combination of threats, vulnerabilities and assets – and all three have to be present for a risk to exist,” said Brandon.
Apart from understanding what the most likely threats are, organisations need to identify the assets – the data and systems that matter most – and the vulnerabilities affecting them.
Organisations can most effectively address vulnerabilities by focusing on their people, processes and technologies, identifying weaknesses and mitigating those as much as possible.
Brandon added: “Every organisation needs a range of mitigations and controls aimed at reducing the risk of the most likely threats.”
This requires organisations to set up and maintain a risk register to score and prioritise risks, and to establish a risk governance process that includes the risk owners – who are responsible for business-critical data and systems – as well as representatives of IT security, information security, procurement, human resources (HR) and legal.
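As an added illustration (not part of the article or the Bank of England's practice), the following minimal risk register encodes Brandon's rule that a risk only exists when a threat, a vulnerability and an asset are all present, scores each entry on a constructed 0-5 scale, rejects entries with no named risk owner, and ranks the register for prioritisation. All entries, owners and ratings are hypothetical.

```python
from dataclasses import dataclass

SCALE = range(0, 6)  # assumed rating scale: 0 = absent, 1 = very low ... 5 = very high


@dataclass(frozen=True)
class Risk:
    title: str
    owner: str          # business risk owner accountable for the asset
    threat: int         # likelihood that a capable threat actor pursues this
    vulnerability: int  # how exposed the weakness is (people, process or technology)
    asset: int          # business impact if the data or system is compromised


def score(r: Risk) -> int:
    """Score is 0 when any of threat, vulnerability or asset is absent
    (no risk exists), otherwise the product of the three ratings (max 125)."""
    for value in (r.threat, r.vulnerability, r.asset):
        if value not in SCALE:
            raise ValueError(f"{r.title}: ratings must be 0-5, got {value}")
    if 0 in (r.threat, r.vulnerability, r.asset):
        return 0
    return r.threat * r.vulnerability * r.asset


def prioritise(register):
    """Return the register ordered highest score first. Entries without an
    owner are rejected, since an unowned risk cannot be governed."""
    unowned = [r.title for r in register if not r.owner.strip()]
    if unowned:
        raise ValueError(f"risks without an owner: {unowned}")
    return sorted(register, key=score, reverse=True)


# Constructed sample register (hypothetical entries, not from the article)
REGISTER = [
    Risk("Phishing of finance staff", "CFO", threat=5, vulnerability=4, asset=4),
    Risk("Unpatched internet-facing web server", "Head of IT", threat=4, vulnerability=5, asset=3),
    Risk("Legacy printer firmware", "Facilities", threat=2, vulnerability=5, asset=0),
    Risk("Lost laptop with encrypted disk", "HR director", threat=3, vulnerability=0, asset=4),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{score(r):>3}  {r.owner:<12} {r.title}")
```

The two entries scoring 0 stay on the register for review but fall to the bottom: the printer affects no valued asset, and the laptop's encryption removes the exploitable vulnerability.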