In the cyberspace realm, security is a relatively new concept; risk management has been ingrained in business for much longer than security considerations have. But they both serve a similar goal, and theoretically should be seen as complementary partners in the effort to stave off cyber threats.
Instead, observers point out how they are regarded unequally within a business, having starkly different tool sets. With conflicting views and two ways to go about solving a problem, is it any wonder when challenges arise?
Let us have a look at each concept in more detail, before we dig into why they’re often not seen as symbiotic partners working towards the same vision.
What Does Cyber Security Bring to the Table?
Cyber security aims to maintain the CIA (confidentiality, integrity, and availability) of an entity’s data and of the digital assets it relies on for day-to-day operations, and to defend against cyber threats. It’s achieved by implementing technologies and processes, whilst educating employees on daily best practices to prevent unauthorised access to systems.
The chosen strategy is usually based on some analysis of known threats and their modus operandi. The security team will decide which specific software and actions (e.g. firewalls, access controls, encryption certificates) are suitable at an enterprise level, to protect assets.
What Does Cyber-Risk Bring to the Table?
Cyber-risk is a subsection of operational risk, and is a broader task than cyber security, by definition. The cyber-risk management team has to consider moving parts in a bigger context. The team might analyse the current cyber-threat landscape (see how CTI could assist here), and the potential impact of cyber incidents on an entity’s operations, reputation, and financial health.
The goal in cyber-risk management is to evaluate that projected impact and manage/mitigate risks accordingly by prioritising the various risks based on their significance. Several strategies are usually created to suit each risk. In turn, various stakeholders are roped in; governance and compliance departments might play a role, and incident-response and monitoring teams another. Even junior employees often contribute to cyber-risk management in some way, such as through training.
The Relationship Rift
At first glance, cyber security and cyber-risk seem like they’d work in sync. Cyber-risk management suggestions ultimately improve cyber-security measures, and when the security team implements them, they can provide feedback that strengthens the entity’s view of its risk and security. If this happens each time the entity undergoes a risk-management exercise, it’s a well-oiled machine, right? Not to everyone.
Cyber security and cyber-risk management are perceived differently within a company, creating friction when it comes to their mission of improving an entity’s cyber posture. In simple terms, the cyber-security function is valuable to the entity by protecting its assets, but its activities wouldn’t be categorised as revenue generating.
Cyber-risk management, on the other hand, is lauded as a path to alleviating negative outcomes of threat exposure, which carries weight with investors. When an investor sees strong cyber-risk management processes, they are reassured that those processes tie together the entity’s goals and strategic competencies – a strong sell for an investor. More investment enables better business opportunities that lead to a competitive advantage… you get the picture.
Can Cyber Security Claim More?
The fact is, when cyber-risk teams try to improve an entity’s security posture, their actions are welcomed a little more readily than cyber-security activity. So, how would security teams operate if seen in the same light as risk management (instead of as just another IT function)? Might they be allocated a higher budget? Would their decisions carry more weight? These possibilities are worth reflecting on and are the subject of our next blog. Stay tuned.