Cyber-Threat Management Requires a Risk-Based Approach

Steven Minsky | Dec. 2, 2015

The concept of cyberattacks, while still disturbing, is no longer as new and unfamiliar as it was five years ago. However, we are still seeing money invested in inefficient and ineffective risk mitigation responses. All the major corporations that have suffered breaches had sophisticated control solutions in place. Even so, their risk exposure was significant in known but uncovered areas, all thanks to poor risk management.

Companies are buying and implementing point solutions despite not understanding their unique risks. Without a risk-based approach, they cannot identify and close the gaps. Even though cyber threats have been around for a few years, the link between risk cause and its chosen mitigation has not been well understood. As a result, companies are still learning how to craft effective risk assessment activities that result in cost-efficient as well as effective risk mitigation and risk monitoring activities.

Successful risk mitigation strategies have a common element. They are built upon best-practice risk identification and assessment, which should occur before attempts at solutions or mitigations are made.

This raises a dilemma: how can an organization keep detecting and neutralizing these risks without wasting time and money on reactionary mitigation controls? The answer is straightforward: use a common risk management platform that maintains a centralized library of all risks, cyber and otherwise, and organizes them with a standardized taxonomy. A risk taxonomy also makes it easy to assess these risks using a consistent scale and set of standards that are linked to your control environment, which facilitates gap analysis and remediation.

Why companies should change their approach to cyber-risk mitigation

The Wall Street Journal published the results of a survey that took an in-depth look at how financial institutions are attempting to reduce fraud risk.

53% of such organizations had implemented at least ten systems designed to detect finance-related crimes. 31% had implemented more than 20, meaning only 16% of organizations have fewer than ten unique systems in place.

The conclusion: The number of monitoring systems in place does not correlate with the effectiveness of the risk management program, nor does it reflect the complexity or needs of the host organization. The WSJ report concluded that as the number of systems increases, so too does the difficulty of getting an accurate read on what is happening within a network. More than half of respondents reported that a major challenge is unifying and consolidating these risk mitigation efforts. Since regulators are zeroing in on risks within processes and the links between risk and control, financial organizations have more motivation to make investigations transparent, consistent, and connected.

A risk-based approach that links risks to mitigation activities makes managing this complexity and facilitating obligatory investigations straightforward. Such a system standardizes processes, increases responsiveness to regulators' inquiries, and provides evidence of effective management of risks related to financial crime and compliance.


About the Author:

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky