TÜV Rheinland Blog - Insights from Asia and Africa

The Evolution of Cybersecurity Risk Management

Posted by TUV Rheinland on Apr 17, 2019 12:00:00 PM


In our increasingly connected world, the threat landscape and the business risks that come with it present unprecedented challenges.

In the next three years, IoT devices are expected to grow to 30 billion connected devices. According to the Boston Consulting Group, banks face 200 regulatory changes daily, as penalties for cyber threats rise to $345 billion. The average business enterprise uses 1,427 cloud services, 76 file sharing cloud services, and 210 collaboration cloud services, according to SkyHigh Magazine. A recent Hacker’s Playbook Findings Report reveals that malware attacks are successful in bypassing enterprise security more than 60% of the time.

With constant security threats looming, enterprises must find a way to identify and address the risks. But how can this be done successfully when the IT landscape is continuously evolving?


Businesses must drive risk transformation

New security analytics, drawing on Big Data, Machine Learning, Artificial Intelligence and Behavioural Analytics, can support analysis of inherent risk probability. Enterprises will need to start evaluating operational risk, cyber risk and compliance risk collectively and continuously at the enterprise level, in line with Gartner’s newly defined “Integrated Risk Management” capabilities.

This presents a need to quantitatively measure current and future risks and the effects of various risk treatment approaches, including prioritisation and funding.

We know there is a long way to go when it comes to cyber risk management, and it is sometimes difficult for enterprises to launch and sustain their programmes effectively. At TUV Rheinland, we’ve heard all kinds of stories from the field. Below are some of the questions we ask and the common answers we come across.


How do you make decisions on security investments?

  • Control assessment gap: Picking a framework of controls, checking whether each control exists anywhere in the organisation, and marking it red/yellow/green.
  • Audit findings alone: While audit has an excellent sense of control measures, it is not as tied into the daily world of threat events to determine effectiveness and applicability across the enterprise.
  • SES (someone else’s strategy): Earlier in their career, security leaders will naturally seek advice from mentors – while helpful, that advice may not align with the key controls needed for the firm’s unique set of strategic objectives.


How do you select your key controls and evaluate effectiveness?

  • What are key controls?: Frequently, key controls are associated with Sarbanes-Oxley or other compliance perspectives on risk rather than with the advanced, persistent nature of the threats to your assets.
  • We have meetings once a quarter: Quarterly meetings to discuss key controls are a good practice, but what decision framework is used to present information that aids the decision process?
  • Effectiveness is an audit call: But the scope of each control is important in determining where effectiveness should be measured, and that is a role for the risk function.


Is there a preferred management framework?

Many experts in our industry agree that the preferred risk management frameworks are as follows:

  • NIST Cybersecurity Framework
  • The Impact Probability Quadrant (see below)


With risk management decisions all over the place, how do we solve those problems?

It’s important to set the stage for cyber risk prioritisation and quantification by knowing what your potential loss scenarios are given your business objectives and digital strategies. With a properly established and maintained risk register you can identify cyber key controls based on real-life threat events. The result is that you can refocus the allocation of precious resources towards corporate objectives by protecting critical assets and actively monitoring residual risks.


A better way to assess risk

Factor Analysis of Information Risk (FAIR) is a proven methodology that speaks the language of the business and helps you prioritise what is most important in risk management.

The methodology is available both as a platform and as open source, and it can operate in the “absence of data,” working from calibrated estimates rather than exact figures.

The principal concepts of FAIR analysis are as follows:

  • Precision versus accuracy
  • Possibility versus probability
  • Subjectivity versus objectivity

The FAIR methodology applies to all sectors and organisations of all sizes regardless of budget and regulatory landscape. It focuses on the organisation’s threat profile as it pertains to corporate objectives and critical assets. It instills concepts of key controls, investment rationalisation, and board reporting. FAIR methodology also promotes organisational consensus regarding security priorities.
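To make the two preceding ideas concrete (a risk register that identifies key controls from loss scenarios, and FAIR's ability to quantify risk from calibrated ranges when exact data is absent), here is an added worked example. It is not code from the original article, from TUV Rheinland or from the FAIR standard: it models one constructed register entry with FAIR's basic factors (threat event frequency, vulnerability, loss magnitude), runs a Monte Carlo simulation over calibrated low/most-likely/high estimates, and compares expected annual loss before and after a proposed key control against that control's assumed cost. The scenario values, the triangular distribution for the estimates and the control cost are all assumptions made for illustration.

```python
"""FAIR-style risk quantification from calibrated ranges (illustrative, constructed)."""
import math
import random
from dataclasses import dataclass, replace


@dataclass
class Estimate:
    """Calibrated range for a factor when hard data is absent: minimum, most likely
    and maximum. Sampling it as a triangular distribution is this example's
    assumption, not something the FAIR standard prescribes."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass
class LossScenario:
    """One risk register entry expressed in FAIR's basic factors."""
    name: str
    tef: Estimate             # Threat Event Frequency: attempts per year
    vulnerability: Estimate   # probability an attempt becomes a loss event (0..1)
    loss_magnitude: Estimate  # loss per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson-distributed count (Knuth's method, fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: LossScenario, rng: random.Random, trials: int = 10_000):
    """Monte Carlo, one simulated year per trial: sample the factors, draw the number
    of threat events, keep those that become loss events, and sum their losses."""
    results = []
    for _ in range(trials):
        tef = scenario.tef.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        annual_loss = 0.0
        for _ in range(poisson(rng, tef)):
            if rng.random() < vuln:  # the attempt became a loss event
                annual_loss += scenario.loss_magnitude.sample(rng)
        results.append(annual_loss)
    return results


def percentile(values, p: float) -> float:
    """Nearest-rank percentile of a list of simulated annual losses."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def summarise(losses) -> dict:
    """Report the distribution the way a board slide would: mean plus tail percentiles."""
    return {
        "mean_annual_loss": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
    }


def compare_treatment(baseline: LossScenario, treated: LossScenario,
                      annual_control_cost: float, seed: int = 2019) -> dict:
    """Quantify a risk treatment option: expected loss reduction minus control cost."""
    rng = random.Random(seed)  # fixed seed keeps the comparison reproducible
    before = summarise(simulate_annual_loss(baseline, rng))
    after = summarise(simulate_annual_loss(treated, rng))
    reduction = before["mean_annual_loss"] - after["mean_annual_loss"]
    return {"before": before, "after": after,
            "expected_loss_reduction": reduction,
            "net_benefit": reduction - annual_control_cost}


# Constructed sample register entry: ransomware against a file server, with
# calibrated ranges (attempts per year, chance of success, loss per incident).
RANSOMWARE_TODAY = LossScenario(
    name="ransomware on file server",
    tef=Estimate(2, 5, 10),
    vulnerability=Estimate(0.2, 0.4, 0.6),
    loss_magnitude=Estimate(50_000, 150_000, 500_000),
)
# Same scenario after a proposed key control (tested offline backups plus application
# allow-listing) lowers the vulnerability factor; the control cost is an assumed figure.
RANSOMWARE_WITH_CONTROL = replace(RANSOMWARE_TODAY, vulnerability=Estimate(0.05, 0.1, 0.2))
CONTROL_COST = 60_000

if __name__ == "__main__":
    result = compare_treatment(RANSOMWARE_TODAY, RANSOMWARE_WITH_CONTROL, CONTROL_COST)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:6} mean={s['mean_annual_loss']:,.0f} "
              f"p10={s['p10']:,.0f} p50={s['p50']:,.0f} p90={s['p90']:,.0f}")
    print(f"expected loss reduction {result['expected_loss_reduction']:,.0f}; "
          f"net benefit of control {result['net_benefit']:,.0f}")
```

Because the inputs are ranges rather than point values, the output is a distribution (mean and p10/p50/p90) rather than a single number, which is what the precision-versus-accuracy concept above refers to: an honest range beats a precise guess. Comparing `net_benefit` across several register entries is one way to rank key controls and rationalise investment, and the residual risk after treatment is the `after` distribution to monitor.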


Keen to know more about the FAIR methodology, risk management, or ISO 31000? Speak to one of our cybersecurity experts today:


