Trishneet Arora is the Founder and CEO of TAC Security, a San Francisco-based Cybersecurity and Risk & Vulnerability Management Company.

Mature organizations typically include a risk management function to look at and address risks to their continuing operations. Traditional enterprise risk management (ERM) considers risk vectors like strategy, operations, financial risk and compliance.

The digital transformation that has occurred means organizations now need to consider technical risk, including cyber risk, in their ERM programs. It's a natural evolution of traditional risk management into the digital space, given how dependent most organizations are on the digital systems used to conduct business and store data on customers and employees.

Why It Matters

Deloitte's research report in this emerging ERM area was conducted on behalf of the Committee of Sponsoring Organizations of the Treadway Commission, a group of professional organizations that provide guidance and certification to finance, accounting and audit professionals on ERM. It concluded that organizations should embed cyber risk management into their ERM programs at the highest levels and that "a business-as-usual approach to cyber risk management is ... bound to result in catastrophic damage for stakeholders."

Organizations are now dependent on digital systems more than ever — from web and mobile applications used for customer transactions, to supply chain systems that exchange data with other organizations via application programming interfaces (APIs), to personally identifiable information (PII) stored on customers and employees.

Business applications are written in code that typically contains vulnerabilities, sometimes because teams that develop apps may not use secure software development processes. Also, vendor code is shipped with vulnerabilities, and many applications include open-source modules that are rife with known vulnerabilities.

Another frequent point of attack for cybercriminals is the supply chain interfaces. This could be third-party software that an organization relies on to process transactions or store customer data. When this data is transferred between organizations, it is often on well-known digital pathways that hackers can access as well.

Cyber Risk Mitigation

Security teams have their hands full trying to address all of the attack vectors that cybercriminals use. Establishing control systems and processes for security hygiene is a starting place. Well-established frameworks like NIST and CIS have been in place for years, and most organizations with mature security processes have adopted some version of these to provide control structures for managing cyber risk.

For example, the CIS critical controls framework has broken its security controls into groups to help organizations address some of the basics: knowing what's on your network (asset inventory), protecting sensitive data, restricting and monitoring access and changes, and continuously managing vulnerabilities across the entire IT stack (infrastructure and applications). Organizations with mature security practices extend these basic controls with processes for monitoring external threats as part of their continuous monitoring.

One thing that is still evolving for cyber risk management is how the risk is aggregated and enumerated for communication. Because there are many disparate tools and systems for managing security, organizations often struggle with how to communicate clearly on the level of cyber risk across the various attack vectors.

A natural evolution is the creation of a single cyber risk score, which aggregates cyber risk assessments into one number that clearly communicates today's cyber risk level. This risk metric is easy to understand and communicate across the organization, and it can enable non-technical executives to align their departments and address risks quickly.

Implementing A Cyber Risk Score

If your existing vulnerability management tool doesn't incorporate a cyber risk score, it's possible to integrate your security tools with a risk-based vulnerability management tool that can give you visibility and a cyber risk score.

From my experience, one of the major challenges with a risk-based vulnerability management tool is that it doesn't customize according to the customer's requirements, and it doesn't pull data in a timely manner from scanning tools. In addition, risk-based vulnerability tools can have a difficult time handling the data of 100,000 assets at one time.

Every company demands customization in any tool it uses so it can have better visibility in the entire organization from top to bottom.

Conclusion

Managing cyber risk is an essential element of an organization's overall risk management strategy in the digital age. The security processes and tools exist, and most mature organizations are using them to understand and mitigate cyber risk. However, I believe security leaders should consider using a cyber risk score in order to enable their peers by providing a clearer picture of risk.
