5 areas to help secure your cyber-risk management program

To meet the challenges of managing cyber-risk, organizations need to have a cyber-risk management plan in place. Look at five areas to better secure your organization's assets.

It's important to first define cyber-risk in order to understand cyber-risk management and determine goals and needs for an effective management program. In simple terms, cyber-risk is the possibility of financial loss, disruption or damage to an organization from a failure of its digital assets or IT systems.

Notable examples of cyber-risk include security vulnerabilities, cyberattacks and the consequences of attacks, such as data breaches, operational disruptions and reputational damage to the organization. Cyber-risk affects any organization with digital assets regardless of its size, but typically the larger and more complex an organization's digital footprint, the greater the potential cyber-risk.

Defining cyber-risk management

Cyber-risk management is a part of overall risk management and a component of an organization's broader enterprise risk management initiatives. Managing cyber-risk involves identifying, assessing and prioritizing risks, then implementing measures to mitigate those risks with the end goal of reducing the likelihood of a security incident. Cyber-risk management isn't a single-point-in-time effort but rather a continuous ongoing process.

While risk can't be completely eliminated, a cyber-risk management program should reduce an organization's susceptibility to cyberthreats and mitigate the impact of security incidents. It also provides added benefits, such as protection against financial loss, improved adherence to compliance standards and regulations, and a stronger brand reputation.

Adoption is easier said than done

Organizations are embracing digital transformation to stay competitive. Consequently, the technological landscape is changing rapidly. Workloads have expanded beyond traditional on-premises data centers, with cloud-based applications becoming ubiquitous. Modern environments are increasingly complex, with hybrid or multi-cloud deployments, ephemeral assets, expanding attack surfaces, external connections and dynamic cloud-native applications.

Managing cyber-risk through this technical evolution has become more challenging. Occasional vulnerability scanning, spreadsheets for tracking assets and attack surfaces, siloed legacy tools and manual risk assessment of business-critical assets are labor-intensive, slow and unable to keep up with the pressure on organizations to increase productivity.

In addition to technological challenges, security threats from cyberattacks aren't stopping. Malware, ransomware, phishing attacks, DDoS attacks and insider threats continue to impact organizations. In fact, research on security hygiene and posture management by my colleague Jon Oltsik at TechTarget's Enterprise Strategy Group found that more than three-quarters (76%) of organizations surveyed have suffered a cyberattack as a result of an unknown, unmanaged or poorly managed internet-facing asset. It's more important now than ever that organizations take a proactive approach to manage their cyber-risk before a cyberattack occurs.

5 areas for cyber-risk improvement

The same research report highlighted top areas where organizations are still cyber-risk challenged and could improve:

  1. Spreadsheets. The majority of organizations (73%) still depend on spreadsheets for data analytics.
  2. Asset awareness and visibility. Nearly three-quarters (73%) of organizations have strong awareness of less than 80% of their assets, and nearly one-third (32%) use at least 11 different databases, systems and tools for security asset management.
  3. Risk-reduction prioritization. Just over two-thirds (68%) of organizations find it difficult to prioritize the actions that would have the biggest impact on risk reduction.
  4. Asset ownership. More than half (56%) of organizations find it difficult to determine asset ownership when a vulnerability or misconfiguration is discovered.
  5. Business criticality of assets. More than half (56%) of organizations struggle to understand which assets are business-critical.

For organizations to better manage cyber-risk, they need a continuous view of all assets, vulnerabilities and attack surfaces, along with an understanding of which assets are business-critical and whether or not those assets are secure. Process automation is also essential to improving threat prevention and operational efficiency, especially with the pressure on businesses to increase productivity and scale.
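The five areas above come together in one practical task: turning a scanner's findings into a prioritized work list that accounts for business criticality, exposure and ownership. The following Python script is an added illustration of that task, not code from the article, TechTarget or Enterprise Strategy Group. The asset register, the findings, the 1-to-5 criticality scale and the exposure weights are all constructed assumptions for this example; an organization would feed it from its own inventory and scanner instead.

```python
"""Asset-centric risk prioritization (illustrative example, not the article's code).

Assumed inputs (constructed for this example):
  INVENTORY - the asset register that replaces a spreadsheet: owner, business
              criticality and internet exposure for each known asset.
  FINDINGS  - vulnerability/misconfiguration findings keyed by asset name,
              as a scanner would report them.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]   # None: nobody has been assigned (area 4, asset ownership)
    criticality: int       # 1 (low) to 5 (business-critical), area 5
    internet_facing: bool  # part of the external attack surface


@dataclass(frozen=True)
class Finding:
    asset: str             # hostname as reported by the scanner
    title: str
    severity: float        # 0.0-10.0, CVSS-style base score


# Constructed sample inventory: the "continuous view of all assets" the text calls for.
INVENTORY = {
    a.name: a for a in [
        Asset("erp-db-01", owner="finance-it", criticality=5, internet_facing=False),
        Asset("web-portal", owner="digital", criticality=4, internet_facing=True),
        Asset("dev-sandbox", owner=None, criticality=1, internet_facing=False),
        Asset("vpn-gw", owner="netops", criticality=4, internet_facing=True),
    ]
}

# Constructed sample findings. "legacy-ftp" is deliberately absent from the
# inventory to model an unknown, unmanaged internet-facing asset.
FINDINGS = [
    Finding("erp-db-01", "Outdated database engine", 7.5),
    Finding("web-portal", "Reflected XSS in search", 6.1),
    Finding("dev-sandbox", "Default credentials", 9.8),
    Finding("vpn-gw", "Pre-auth RCE in VPN appliance", 9.8),
    Finding("legacy-ftp", "Anonymous FTP enabled", 5.4),
]

# Assumed multiplier for externally reachable assets; tune for your environment.
EXPOSURE_WEIGHT = {True: 1.5, False: 1.0}


def risk_score(finding: Finding, asset: Asset) -> float:
    """Severity scaled by business criticality (1-5) and external exposure.

    Range is 0 to 75 (10 * 5 * 1.5). A critical CVSS score on a throwaway
    host therefore ranks below a moderate one on a business-critical system.
    """
    return round(finding.severity * asset.criticality
                 * EXPOSURE_WEIGHT[asset.internet_facing], 1)


def prioritize(inventory: dict, findings: list):
    """Return (ranked, unknown_assets, unowned_assets).

    ranked:  (score, asset, title, owner) tuples, highest risk first.
    unknown: assets the scanner saw but the inventory does not list.
    unowned: assets with findings but no assigned owner.

    Design choice (an assumption of this example): a finding on an asset missing
    from the inventory is scored as if the asset were business-critical and
    internet-facing, so visibility gaps surface for triage instead of vanishing.
    """
    ranked, unknown, unowned = [], set(), set()
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unknown.add(f.asset)
            asset = Asset(f.asset, owner=None, criticality=5, internet_facing=True)
        if asset.owner is None:
            unowned.add(f.asset)
        ranked.append((risk_score(f, asset), f.asset, f.title, asset.owner))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked, unknown, unowned


if __name__ == "__main__":
    ranked, unknown, unowned = prioritize(INVENTORY, FINDINGS)
    for score, asset, title, owner in ranked:
        print(f"{score:5.1f}  {asset:12}  {title:32}  owner={owner or 'UNASSIGNED'}")
    print("unknown assets (inventory gap):", sorted(unknown))
    print("assets needing an owner:", sorted(unowned))
```

Run as a script, it prints the work list with the VPN gateway first and the unknown FTP host second, even though the sandbox carries the same CVSS 9.8 as the gateway; the two sets at the end are the inventory and ownership gaps that areas 2 and 4 describe. Replacing the constructed data with a live inventory and scanner export is the minimum step away from spreadsheet-driven prioritization.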

The need for managing cyber-risk will continue to evolve over time, especially with new regulatory compliance mandates and the use of AI. I'm looking forward to digging further into this in my next research project on cyber-risk management. I'm interested in hearing about how you are meeting the challenges of IT risk management, so feel free to reach out.

David Vance is a senior analyst covering risk and vulnerability management for TechTarget's Enterprise Strategy Group. He has more than 25 years of IT and cybersecurity experience helping clients be more successful in the market.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.