Risk Management December 12, 2019
By Connor Lyons 3 min read

Aspiring to have the best cyber and information security capabilities is probably not the main goal for most organizations. An airline’s primary aim, for example, is to ensure that passengers are safely transported from point A to point B. The priority for an oil and gas company is to extract and refine sources of energy to be sold. Neither exist to only protect servers and IT infrastructure.

The Changing Cyberthreat Landscape

Even so, cybersecurity has become a critical issue across all industries to assist in achieving those key missions and must be discussed at the board level. This is partly due to an increase in regulations across different jurisdictions, defining how data and information assets must be protected and used. In addition, interconnected systems, emerging technologies such as the internet of things (IoT) and the migration to cloud-based services pose significant cybersecurity challenges. The cyberthreat landscape is rapidly changing and expanding, which exposes a new set of risks to organizations irrespective of the industry.

Grow Your Business With Cyber Risk Management

Enter cybersecurity risk management — the process of capturing, analyzing and prioritizing an organization’s top cyber risks. A risk is an uncertain event that has not yet occurred. It is assessed based on the likelihood of a threat occurring versus the adverse impact should it actually occur. The output of this calculation is known as the residual risk.

The implementation of an effective risk management framework provides a platform for IT security teams to log their cyber risks across the organization and prioritize them by comparing each of their residual risk scores. Notable industry practice frameworks that can be adopted include ISO27001 and NIST’s Cybersecurity Framework. Cyber risk management frameworks are particularly useful if your organization is split into multiple operating companies or if you need to assess cyber risks associated with third-party suppliers.

Once your cyber risks have been defined and analyzed, they can be reported to your organization’s chief information security officer (CISO) or similar security leader before integrating them into an enterprise-level risk management discussion. A committee that oversees an enterprise’s risk management process may compile risks gathered from all departments across the organization before presenting the top overall risks to the CEO.

Implement a Cyber Risk Management Framework

There are three recommended steps to successfully implement a mature cyber risk management framework:

  1. Complete a due diligence assessment to establish the existing enterprise risk management framework, including a review of the metrics that are used by an organization to measure adverse impacts should a threat occur. Impact areas to assess include safety, operational, reputational and financial.
  2. Adopt a cybersecurity framework that is aligned with an industry standard and create a manual risk reporting tool. This tool should include an active risk register that outlines the controls, tolerances and risk scores — namely, inherent, residual and target risk scores. It should also include a risk scoring matrix that aligns with the one used at an enterprise risk management level, to be used as a way of measuring likelihood versus impact.
  3. Automate this process through the procurement or development of a risk management solution to define, collect and analyze cyber risks. The solution should provide the capability to include cyber risk visualizations, dashboards and heat maps to illustrate the risk profile. These illustrations should mirror or relate to those produced at the enterprise risk management level so that cyber risks can be seamlessly integrated and compared alongside the overall risks to the business.

Manage Cyber Risks to Protect Your Organization

The implementation of cyber risk management ensures that risks are considered and mitigated where necessary to protect the organization without losing sight of primary business goals or blocking any digital transformation and innovation projects. Through this process, companies can build a cyber risk profile and compare it to the business risks facing the organization. Lastly, risk management can assist with making investment decisions and act as an audit trail that the organization can hand over as part of meeting regulatory requirements.

Learn More about IT Risk Management Services
 |  |  |  |  |  |  |  |  |  | 
Connor Lyons
IBM Security Consultant

More from Risk Management
September 26, 2023

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

September 25, 2023

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

September 21, 2023

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

September 20, 2023

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature