Our world is digitally dependent. The recent Oldsmar water attack on internet-connected control systems served as a clarion reminder: hackers almost succeeded in poisoning the water supply in Florida without setting foot inside the physical premises. As our reliance on digital systems grows and cyber risk becomes ever more pervasive, enterprise organizations need to reset their approaches to managing cyber risk. Many organizations have a siloed approach to addressing their risks, and ultimately this impedes their ability to function optimally as a business. Axio’s VP of Cyber Risk Engineering, Lisa Young, led a webinar investigating this issue, hosted by the Society of Information Risk Analysts.
“Effective risk management is about breaking down silos, changing the culture and managing complexity, which are all team sports,” Lisa Young said.
Axio is at the forefront of solving this problem. We strive to provide our customers with visibility across their organization so that they can prioritize and address risks that impact the business as an enterprise, not just a business unit.
Discussed in more detail during the webinar, the following are the top 10 considerations risk professionals should be aware of as they lead their organizations through these unpredictable, highly digital times:
- Risk analysis should be performed in relation to a business problem. If risk analysis is not answering a business question, then you are just calculating mathematical formulas without generating business value.
- Risk management is an ongoing proactive process of tackling uncertainty. The process needs to be repeatable to mitigate loss in alignment with your risk appetite.
- A tunnel-vision focus on threat management or modeling can be detrimental to holistic risk management. Understanding the specific threats is only really valuable if you have a process for ingesting and acting on that information.
- Evaluating risk from the bottom-up, at the asset-level, can distort the analysis. Applying a top-down, business-focused lens helps articulate the true value of an asset, specifically its role in supporting the overall enterprise mission.
- Risk is a balance of things organizations can and can’t control. As shown in the diagram below, organizations need to strike a balance between conditions (threats, vulnerabilities, weaknesses), which we may not always have control over, and consequences, which we can control, direct, monitor and measure.
- A clear enterprise strategy can help set appropriate risk appetite statements and risk tolerance levels. This will prevent your organization from taking on more risk than it can handle. Incorporating tolerances as a routine part of the business workflow or processes will save a lot of time and hassle.
- Risk isn’t just something that’s done horizontally or vertically or in a silo. It’s done all across the organization. Each business unit may have its own risk tolerance even though there is an aggregate risk appetite at the enterprise level.
- Mapping scenarios across the enterprise allows organizations to holistically understand their susceptibility. Using a visualization tool, such as a heat map, encourages organizations to have the necessary conversations about the different scenarios, how to prioritize them and how to address them.
- It’s important to understand and use a common language in your organization. Using a taxonomy groups and communicates risk in a way that is consumable for organizational leaders.
- Quantitative methods need to be coupled with qualitative analysis to provide an aggregate picture of your risk landscape. Although determining the likelihood of a threat being realized is part of the solution, it’s important to devote a majority of your time to scoping, analyzing areas of susceptibility, and working on the entire problem.
Whether it’s cybersecurity, information security, business continuity, disaster recovery or IT operations, it all leads back to risk. Organizational resilience is directly related to how you manage risk conditions and consequences, making it a vital process in your business activities. Building a resilient risk management program is similar to taking care of your health: “it’s not something you buy, it’s something that you do. When you sleep well, eat well, take care of yourself, exercise, take care of your mental health, you become more resilient as a human. The same thing happens in our own organization.”
If you’re interested in learning how you can build resilience, book a demo with us.