Last week, the Axio services team hosted a webinar roundtable on pragmatic cyber risk management. The presentation focused on what security professionals can do today to be prepared for the SEC cyber rules as they go into effect on December 15th, 2023.
Our Axio roundtable panelists were:
- David White, Axio President
- Brendan Fitzpatrick, VP, Cyber Risk Modelling
- Benjamin Lorentzen, Director, Cyber Risk Engineering
- Jennifer Moll, VP, Strategy
We had a record number of attendees and covered a lot of ground in the discussion. Below you can find a brief recap with some quote highlights. We recommend watching the full roundtable for a more comprehensive overview of the topics.
We believe that a pragmatic approach highlights the most important risks and the potential impacts from them, so that you can focus your investment of scarce resources (time, money, and people) on what matters most. Pragmatic therefore means facing those constraints head-on while still achieving the expected and needed outcomes, and filtering out the noise so that you can focus on the risks that matter.
1. Getting started with pragmatic cyber risk management
- Start by taking stock of your organization’s existing tools and processes to avoid rebuilding something that already exists.
- Select a model or framework, such as NIST CSF or the ISO 27000 series, to conduct an initial assessment and establish an ongoing monitoring rhythm.
- Create a risk register to capture and monitor risks, be judicious about which risks to include, and implement a process for risk decisions and disposition.
We’ve worked with organizations at Axio where there is no Enterprise Risk Management (ERM). They’re starting with cyber risk management, and it ends up influencing ERM. They can work individually, but they have to ultimately work together to help reduce risk holistically.
2. Building a cybersecurity risk management team and communicating results.
- Build a cross-functional team for cyber risk management, involving:
- Building relationships with stakeholders, including C-suite and board members, is critical for effective risk management.
- Collaboration is key to effectively communicating cybersecurity risks and involving the rest of the team.
- A risk-steering committee can provide the necessary authority if built into an organization’s charter.
3. The relevance of security assessment scores and focusing on key metrics.
- Focus on key metrics and quantifying risks, rather than solely relying on assessment scores.
- Assessments are most useful for improvement, rather than compliance or measurement.
- The right assessment depends on an organization’s “why” and current stage of maturity.
- Use assessments for the right reasons, such as improving program effectiveness and demonstrating compliance with the SEC rules.
- Continuous improvement and investment are crucial to address gaps and changes identified through assessments, rather than just chasing scores.
If you have some key performance indicators that you want to track, like how many phishing links our employees clicked last month, this may be something worth tracking to see if it’s getting worse. Your score on an assessment may be irrelevant.
4. Cybersecurity systems of record and risk assessment.
- You must document decisions and artifacts for both organizational and individual resilience.
- We define a system of record as the authoritative source for data, with examples in accounting and cybersecurity.
- Design a system of record to preserve thought processes and decision-making for legal or regulatory proceedings.
- Discoverability of such systems is crucial in times of crisis: you need to document your efforts to improve the situation in case of a denial of funding or legal action.
- A system of record can demonstrate compliance and track progress toward security goals.
- Define and differentiate critical controls and gaps in the system of record to prioritize improvement efforts.
5. Cybersecurity assessment frameworks and prioritization.
- Use multiple frameworks to prioritize cybersecurity controls, rather than relying on a single framework.
- A combination of control analysis and risk quantification best prioritizes controls and measures their impact on cyber risk.
- Axio’s product and engineering teams are developing features to help organizations manage multiple assessments for the SEC rules and OT environments.
6. Cyber risk quantification and materiality determination.
- Risk managers must determine the materiality of cyber risks using qualitative analysis, reporting on an annual basis and as events occur.
- Cyber risk quantification helps organizations understand the materiality of events and risks.
- It’s important to have a repeatable process for determining materiality in the event of a cybersecurity incident.
- CRQ can quickly adjust the materiality threshold based on the current situation instead of starting from scratch.
I tend to be on the CISO side of things, and I feel that sometimes CISOs are scapegoated for an organization’s decisions. A system of record is essential to making sure organizational decisions are cataloged and referenced. The essence of the SEC ruling is that you need to disclose these events within four days of the assessment of materiality. And you can’t just kick the assessment of materiality down the road. So there’s speed involved. If you’re in an event, you need to know quickly if it’s going to be material or not. And if you’re trying to look at an Excel sheet or going back to email when you’re trying to fix things – you’re already under stress from the event – you’re not going to be able to respond in time.
7. Cyber risk quantification and its benefits.
- A cyber risk quantification methodology involves groupthink and the use of formulas to estimate costs, such as incident response time and downtime costs.
- It is the best method for understanding the potential impact of cyber threats on an organization, including legal and financial implications.
- The right cyber risk identification methodology lets you share results quickly.
- It can also be used to procure better cyber insurance.
8. Cyber risk quantification, insurance, and compliance.
- Axio’s cyber risk quantification service provides clients with confidence in their insurance program, including pricing and coverage parameters, and gives insurers extraordinarily beneficial outcomes by demonstrating an organization’s ability to understand and manage their risk.
- Axio offers BYM (Bring Your Own Model), a customized risk assessment framework that can lead to more favorable terms and better risk management.
- Focus on doing the right thing; compliance will follow as a byproduct.