
Manage Tomorrow's Surprises Today

Steven Minsky

Cyber-Threat Management Requires a Risk-Based Approach


The concept of cyberattacks, while still disturbing, is no longer as new and unfamiliar as it was five years ago. However, we are still seeing money invested in inefficient and ineffective risk mitigation responses. All the major corporations that have suffered breaches had sophisticated control solutions in place. Even so, their risk exposure was significant in known but uncovered areas, all thanks to poor risk management.

Companies are buying and implementing point solutions despite not understanding their unique risks. Without a risk-based approach, they cannot identify and close the gaps. Even though cyber threats have been around for a few years, the link between a risk's cause and its chosen mitigation has not been well understood. As a result, companies are still learning how to craft effective risk assessment activities that result in cost-efficient as well as effective risk mitigation and monitoring activities.

Successful risk mitigation strategies have a common element. They are built upon best-practice risk identification and assessment, which should occur before attempts at solutions or mitigations are made.

A dilemma results: how to continue detecting and neutralizing these risks without wasting an unnecessary amount of time and money on reactionary mitigation controls? The answer is straightforward: use a common risk management platform that has a centralized library of all risks, cyber and otherwise, and organizes them with a standardized taxonomy. A risk taxonomy also makes it easy to assess these risks using a consistent scale and set of standards that are linked to your control environment to facilitate gap analysis and remediation.
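The centralized risk library described above can be made concrete as a small risk register: every risk is filed under a standardized taxonomy, scored on one consistent likelihood/impact scale, and linked to the controls that are meant to mitigate it, so that a gap analysis is just a query for risks with no effective control behind them. The following is an added illustration, not code from the post or from LogicManager's product; the taxonomy, the 1-5 scale, and all risk and control entries are constructed samples.

```python
"""Risk register with a standardized taxonomy, consistent scoring and
control mapping, plus a gap analysis that lists risks with no effective
linked control (highest score first). Constructed illustration; the
taxonomy, scale and sample entries are assumptions, not real data."""
from dataclasses import dataclass, field

# Standardized taxonomy (assumed categories): filing cyber and non-cyber
# risks under one scheme lets them be compared on the same scale.
TAXONOMY = {"cyber", "financial-crime", "compliance", "operational"}

# Consistent 1-5 scale for likelihood and impact (assumed scale).
SCALE = range(1, 6)


@dataclass
class Control:
    control_id: str
    description: str
    effective: bool = True  # assumed: outcome of the last control test


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # ids of linked Controls

    def __post_init__(self):
        # Reject entries that fall outside the shared taxonomy or scale so the
        # register stays comparable across business units.
        if self.category not in TAXONOMY:
            raise ValueError(f"unknown taxonomy category: {self.category}")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        """Inherent risk score on the shared scale (likelihood x impact)."""
        return self.likelihood * self.impact


def gap_analysis(risks, controls):
    """Return risks with no effective linked control, highest score first.

    A risk whose only linked controls failed their last test is still a gap:
    the mapping exists on paper but provides no coverage."""
    effective = {c.control_id for c in controls if c.effective}
    gaps = [r for r in risks if not any(cid in effective for cid in r.controls)]
    return sorted(gaps, key=lambda r: r.score, reverse=True)


def dangling_control_refs(risks, controls):
    """Return (risk_id, control_id) pairs that point at controls not in the library."""
    known = {c.control_id for c in controls}
    return [(r.risk_id, cid) for r in risks for cid in r.controls if cid not in known]


# Constructed sample data for the demonstration.
SAMPLE_CONTROLS = [
    Control("C-01", "MFA on remote access"),
    Control("C-02", "Transaction monitoring rules"),
    Control("C-03", "Quarterly privileged access review", effective=False),
]
SAMPLE_RISKS = [
    Risk("R-01", "cyber", "Credential theft via phishing", 4, 4, ["C-01"]),
    Risk("R-02", "cyber", "Unpatched internet-facing service", 3, 5, []),
    Risk("R-03", "financial-crime", "Mule account activity", 3, 3, ["C-02"]),
    Risk("R-04", "compliance", "Stale privileged accounts", 2, 4, ["C-03"]),
    Risk("R-05", "operational", "Vendor outage", 2, 2, ["C-09"]),
]

if __name__ == "__main__":
    for r in gap_analysis(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"GAP {r.risk_id} [{r.category}] score={r.score}: {r.description}")
    for risk_id, cid in dangling_control_refs(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"DANGLING {risk_id} -> {cid} (control not in library)")
```

Running the block lists R-02 and R-04 as gaps (R-04 because its only control failed its last test) and R-05 as having a dangling control reference; the sort by score gives the remediation order the paragraph calls for.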

Why companies should change their approach to cyber-risk mitigation

The Wall Street Journal published the results of a survey that took an in-depth look at how financial institutions are attempting to reduce fraud risk.

53% of such organizations had implemented at least ten systems designed to detect finance-related crimes. 31% had implemented more than 20, meaning only 16% of organizations have fewer than ten unique systems in place.

The conclusion: The number of monitoring systems in place does not correlate with the effectiveness of the risk management program, nor does it reflect the complexity or needs of the host organization. The WSJ report concluded that as the number of systems increases, so too does the difficulty of getting an accurate read on what is happening within a network. More than half of respondents reported that a major challenge is unifying and consolidating these risk mitigation efforts. Since regulators are zeroing in on risks within processes and the links between risk and control, financial organizations have more motivation to make investigations transparent, consistent, and connected.

The process of managing complexity and facilitating obligatory investigations is made straightforward with a risk-based approach linking risks to mitigation activities. Such a system standardizes processes, increases responsiveness to regulators' inquiries, and provides evidence of effective management of risks related to financial crime and compliance.

To read more about managing cybersecurity with a risk-based approach, download our annotated guide to SEC cybersecurity compliance.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
