Smarter cybersecurity risk management strategy

As businesses reach new levels of digitization, enabled by faster connectivity, the use of data offers a significant opportunity to better monitor, analyze, predict, and mitigate risk. However, the same assets present new vulnerabilities for cyber threat actors to exploit, making the protection of data, and the systems that process, transfer, and store it, crucial.

Cybersecurity is now listed as one of the top priorities globally, according to the latest Annual Global CEO Survey by PwC, sitting only behind the pandemic in terms of extreme concerns. So cybersecurity risk management strategy should no longer be seen as a concern solely for the CTO and IT Director, it needs to be on the agenda with every supply chain and technical director too.

A predictive approach to risk assurance

Data has the potential to transform risk management and resilience. The right data, analysis and reporting tools can help to establish where future risk is more likely to occur, and where it isn’t, enabling resource to be focused on areas where the greatest value is at stake. Using these metrics can also help to avoid emotional bias in decision making: the risks that we assume are greater are not always those that require the closest monitoring.

If a component or technique can be shown to be more at risk of failure, it may not make sense to inspect or audit in the same, schedule-driven way. Equally, more efficient methods can be devised for lower-risk areas, freeing up resources to focus on and assure the higher-risk activities. An experienced digital assurance partner will be able to offer consultancy on what data to monitor and how to analyse and act on it.

The need for cohesive digital transformation

The opportunity offered by digital transformation is significant, but experience tells us that implementation can be challenging and, if approached in a piecemeal way, it is unlikely to deliver the right impact. A 2020 study revealed that of the digital upgrades put in place at the start of the pandemic, 59% required short-term fixes to solve issues that arose from rushed deployment. This might have been avoided had assurance and risk mitigation been better integrated into the change management process.

A common mistake is to take a tech-driven approach, deploying technology for technology’s sake. Critically, the starting point for organizations seeking to digitize their operations and risk assurance programs must be the problems that they want to solve, not the technology or data source they feel is missing. This requires a cohesive digital assurance strategy that includes the right blend of people, process, and technology.

Supply chain data and cybersecurity risk

Growing digitization and data flows increase the potential vulnerabilities which might be exploited by malicious threat actors. Suppliers are a vital source of data for any company wishing to obtain a complete picture of its operations and quality assurance, but this digital supply chain also needs cybersecurity assurance. Organizations need to be aware not just of their own cybersecurity risk management strategy, but of the potential of cyber threats arising when assessing the supply chain.

In the last few years, we have seen a shift in the cyber threat landscape with ransomware, not only doubling in frequency to count for 10% of all breaches, but increasingly being targeted at supply chains through sleeper ransomware. These attacks not only gain privileges on the host network, but also see how the whole ecosystem can be impacted. The global nature of supply chains increases the potential impact of these attacks, increasing the importance of risk assessment in cybersecurity.

Towards continuous monitoring

In this environment, traditional audits and an annual cybersecurity risk assessment are no longer adequate. They only provide a snapshot of systems at one moment in time and do not take into account new vulnerabilities or changes to the system required in the interim.

Similarly, in the past, many organizations have chosen to transfer their cybersecurity risk management to an insurance provider. However, the volume and sophistication of cyberattacks has pushed up premiums, so insurers are increasingly requiring organizations to proactively mitigate against risks to remain covered. Investment in robust assurance can even reduce the cost of the insurance policy.

One solution to both of these issues is Continuous Controls Monitoring. This allows organizations to track, in real-time, the data needed for a cybersecurity risk assessment, including that obtained from suppliers. Threat intelligence platforms and dashboards can facilitate a continuous and proactive monitoring approach.

Collaborative, real-time assurance

Taking a collaborative approach with suppliers and specialists can help an organization make great strides in developing a smarter approach to risk assurance and in establishing the appropriate information assurance in cybersecurity.

The requirement for certification against global management system standards, such as ISO 27001, and the right to audit and assess IT security is part of many contractual agreements. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is also gaining ground as a global standard that takes into account the need to look at the controls of suppliers. This provides mutual advantage to both parties, with procurers helping to educate and upskill suppliers, increasing competency and resilience throughout the chain. The shift to digital assurance and a continuous model of monitoring also has the potential to reduce the need for any cost and disruption created by unnecessary in-person inspections when auditing the supply chain.

As decisions are made around suppliers, new product development, and growth into new geographies and territories, cybersecurity must form part of the discussion. Cybersecurity risk management must form part of a robust and continuous assurance strategy - not just a checkpoint to be met at the initial onboarding stage.

Conclusion

As industry digitizes, the need for smarter, real-time assurance against both traditional risks and cyber threats grows. All of this points towards the need to integrate cyber resilience into digital risk assurance programs in a way that is tailored to the business, addressing the threats you are aware of and taking account of the ones that you aren’t. Continuous and collaborative monitoring of operational data and information security, vulnerabilities, and threats has the potential to better mitigate risk, drive efficiency and facilitate more informed decision making.