Cyber Risks - What every startup needs to know about risk management
Nearly every company intends to perform "risk management", but is either intimidated by how cumbersome the process appears or lacks the know-how to conduct a risk audit of its own organization. Far more organizations would do it willingly if the process were well understood and made simpler for them.
Risk management is primarily a tool to reduce your exposure, cut your losses and, most importantly, increase your resilience. Controlling or avoiding ALL risks is, in practice, a tall order, and that is exactly why the ability to bounce back quickly when something does go wrong matters so much.
Traditional Cyber Risk Management
Traditional risk management frameworks are robust. They are also feared, and avoided, because of their perceived process overhead. Only a few medium to large companies, with dedicated governance, risk and compliance staff, perform regular risk assessments. Even in those companies, the rate of follow-up on the action items that get catalogued would be an eye-opener.
The available frameworks share a broad layout: identify, analyze, respond/manage, monitor and report. Of these steps, the most challenging is identifying what constitutes a risk in the first place. A typical company has many core and non-core functions, and it is not intuitive for every company to articulate clearly all the risks it faces. Once risks are identified they can be ranked, assigned a value, and responded to or controlled. But the critical step, and the one everything else depends on, is identification.
Square peg in a round hole
Startups move very fast; planning to execution can be completed in a day. That is precisely how startups need to function. Complicated, or even seemingly complicated, processes become a significant hurdle for small and growing businesses. This agility, combined with the identification problem described above, leads to a reasonable conclusion: risk management techniques for small businesses and startups need substantial adaptation and cannot be used as-is in their present form.
Risk analysis, risk assessment, risk treatment and risk management are some of the many terms used across risk frameworks. They sound similar to one another and can stump even seasoned practitioners when caught off guard. Don't get us wrong, we are not against risk management frameworks; on the contrary, we recommend them for larger organizations. All we are saying is that smaller, more agile organizations need something a little different.
Most importantly, risk management in cybersecurity has, unfortunately, been reduced to "technical" risks alone. According to a Gartner survey, an overwhelming percentage of boards of directors consider cybersecurity a "business risk". In other words, the financial, legal and business decisions a company makes every day have a direct impact on its cybersecurity, and vice versa. This is the most critical aspect missing from board discussions.
Given the problems listed above, a framework that can actually help should be a) simple; b) focused on directing a company's energy toward its risks rather than toward the process itself, through incisive questions or pinpointed action items to look into; and c) inclusive of all aspects of the business, not only technology. Consider an example: when a CFO allocates budget for security, there is usually considerable friction between the CISO and the CFO, because of the gap between the vast number of threats the CISO is expected to protect against and the minuscule budget the CFO has in mind. The assets of highest value and the business functions that bring in the most revenue are the ones that need the most protection. Identifying these, and combining them with the threats those assets and functions face, should help both parties converge faster.
What we propose is a simple list of manageable dimensions along which an organization can look at the cyber risks it needs to manage. Armed with a specific list for each of the primary functions, financial, business (operations), legal and technical, an organization should be amply equipped to handle its risks. The methodology provides direct, specific indicators in each function on which to base the assessment. Within finance, for example, it looks at how much was spent on security in the previous quarter and which risks that spending was expected to guard against. While it would be near absurd to expect a conventional return on that investment, the closest thing to a return is zero or near-zero incidents.
All said and done, we do not want to pretend that any of this is straightforward in the real world. It is genuinely complex, but we need a starting point that covers all the bases. In the same vein, the list of parameters will be fine-tuned over multiple iterations, working closely with organizations that find this model valuable.
It's time for us to mention that our CyberRISK4BoardTM 2.0 will be launched in the next few weeks! Do not miss the opportunity to participate in it.