Geetha is an IT Governance, IT security, IT risk management and IT professional with over twenty-five years’ experience. She has offered consulting, implementation, and advisory services to various organisations in the banking, telecom, health care, manufacturing, government, and insurance sectors while working for a largest Indian IT software company. She is a regular on-site trainer for conducting training through ISACA HQ for certification exam like CRISC and CISA for various multinationals for the last 5 years. She is a Global volunteer with ISACA Global.
The Changing threat landscape:
The threat landscape is evolving rapidly, with an increase in highly organized and capable cyber criminals executing sustained attacks targeted on industrial systems. These attacks are known as advanced persistent threats (APTs). Originally these attackers’ targeted governments, but recent data indicates that APTs are now targeting private sector organisations with a goal of grabbing proprietary data and intellectual property. There is a steady increase in online cybercrime as there is an exchange of money and information online.
The ever-changing technology landscape with the expanding digital footprint adds complexity for the technology leaders, CISOs, CIOs and IT teams, calling for an agile approach to risk management.
Risk Management approach in the changing threat landscape:
Cybersecurity risk management is an ongoing process of identifying, analysing, evaluating, and addressing your organisation’s cybersecurity threats.
Cybersecurity risk management isn’t simply the job of the security team; everyone in the organisation has a role to play. Often siloed, employees and business unit leaders view risk management from their business function. Unfortunately, they lack the holistic perspective necessary to address risk in a comprehensive and consistent manner throughout the organisation.
So, who should own what part of cybersecurity risk? The answer is everyone should share full ownership and responsibility. Effectively managing cybersecurity risk requires all functions to operate with clearly defined roles and tasked with specific responsibilities.
Cyber Risk Challenges:
The challenge faced by organisations today is to take pre-emptive action in dealing with threats. It is not just the financial or reputational loss that is the concern but the danger that firms can go bust after enduring the consequences of the breaches.
Some of the cyber risk challenges are
Limited visibility: Most security professionals have limited visibility about the various attacks (e.g., ransomware and phishing attacks). They must be aware of solutions that can spot an array of cyber threats and offer better visibility of risks.
Prioritizing cyber risks: Organisations never seem to have sufficient resources or budget to manage cyber risk in real-time. Prioritization must be tied to key business objectives and considered against a credible danger-versus-resources assessment.
Ransomware: Ransomware attacks are rising daily, and business leaders and IT professionals need to have a robust recovery strategy against such attacks to protect their business.
Cloud hosting risks: Organisations are relocating their classified data to the cloud from legacy data centres, because of the cost and flexibility involved. Shifting data to the cloud requires putting appropriate configuration and security procedures in place. Security leaders must challenge their teams on their preparation and capability to supervise and act in response to threats in the cloud.
Resources and skills shortage: Most organisations lack sufficient cybersecurity personnel. This skill shortage has been exacerbated by the pandemic as the network graph has broadened to include at-home laptops and other remote access points.
Perpetually evolving risks: Polymorphic malware is dangerous, damaging computer software such as with a virus, worm, or spyware. Organisations must consider adding an additional layer of protection, on top of the antivirus tool to proactively pinpoint malware.
Internet of Things (IoT) network: Cyberattacks will grow if billions of hackable smart devices are attached to an IoT network. The IoT devices market is not yet standardized and therefore not obligated to fulfil certain security requirements.
Traditional Approach vs Agile approach to IT & Cyber Risk Management
The traditional approach to cyber risk offered organisations more control over how systems are being used and the ability to see where and how data is regulated.
But today’s continuously advancing threat landscape means organisations face the challenge of eradicating millions of possible vulnerabilities that could provide an entry point for fraudsters. This requires an agile approach that involves the following:
Defining risk in the cyber security framework: Defining the boundaries of what signifies risk must go beyond simply evaluating the likelihood of an event taking place. It also must assess the scale of impact to the business should the event occur.
Determining the scale, criticality, and outcomes of risk: Assessing the scale of impact based on an organisation’s operating environment. Making practical judgements based on the criticality and outcomes of an event taking place in a specific environment. Cyber risk experts should have the ability to quickly rate and prioritize organisational weaknesses to generate actionable risk scores.
Data-driven approach to cyber risk: A modern data-driven approach to manage vulnerability is needed that allows security teams to assess risk.
An agile risk management strategy calls for a holistic approach spanning across people, processes and technology and can be far more effective than a static one. The approach of continuously repairing and recovering from breaches must become more pre-emptive where detection and prevention is strengthened to block the attackers and weaken their goals or targets. Cyber risk as a business priority has grown significantly in recent years with companies increasingly allocating more funds towards combating cyber threats. An agile security architecture that quickly, automatically learns and adapts to all new challenges as they emerge will help businesses move more fluidly, allowing companies to rapidly adopt new technologies and emerging usage models, while continuing to provide dependable security in an ever-evolving threat landscape.