Enterprise Cyber Risk Management
Risk management is a concept that has been around for many years, though we have seen a complete evolution of operational risk over the past 10 years. A specific area that has evolved more than others is cyber risk. A number of big changes have taken place globally, impacting the list of top operational risks that threaten businesses today. One of those big changes is the dependency on technology, which has grown by thousands of percent, to the point where almost every single business is susceptible to a cyber-attack. As a result, organizations now see cyber risk as the number one operational risk: a single attack could cripple a business.
Covid-19 has expedited the global digital transformation, cutting what was expected to take 10 more years into 10 months. This has in turn led to an increase of over 750% in attempted attacks in 2020 alone. The dependency on technology creates a catch-22: we are constantly trying to advance our businesses and operationalize them using technology, but in parallel we are creating new risks and attack vectors for bad actors.
The History of Enterprise Cyber Risk Management
Enterprise cyber risk management dates back to the 1990s, when spreadsheets, a very manual but effective tool at the time, were the primary tool for risk management. The data was still quite static and the sources that fed the risk assessments were relatively simple.
As the years passed, the GRC industry began to blossom. This led to a group of solutions meant to address the issue, but they were very expensive, hard to manage and far from automating risk management. The GRC tools did surpass the spreadsheets, but not by much.
Fast forward 10 years and the amount of data to be consumed in a risk assessment grew exponentially, as the risks and threats were expanding by the day. Some of the scorecarding tools that came out between 2010 and 2020 tried to predict risks automatically, without addressing internal workflows, control monitoring and all of the internal risks the organization needs to address. This left the GRC space completely underserved.
How a Manual Risk Assessment Works Today
Risk assessments begin with identifying the organizational assets we are trying to assess, prioritizing those assets and then choosing a framework or standard which we will use to quantify the risk exposure. Once we have chosen that framework, we begin the process of learning it, creating questions and surveys, and manually distributing the questionnaires to participants through emails, phone calls and sometimes in person, all to validate whether the controls are in fact in place and properly implemented.
Once the data is all in, now begins the analysis of the results, trying to convert the data into a quantifiable and measurable output, then creating a mitigation and remediation plan and overseeing the implementation of that plan. All of that has to happen while keeping an eye on new risks evolving outside the organization, especially in the cyber world where yesterday's truth may be tomorrow’s lie.
Doing this complex and tedious process in a spreadsheet is virtually impossible today, and even with the existing GRC solutions it is extremely manual and painful. There are multiple sources of data that need to be standardized and calculated subjectively, inevitably leading to a partial and very inaccurate result.
To summarize, the admin tasks around conducting a risk assessment alone take up the majority of the risk managers' time, leaving very little time for fixing the problems, closing gaps and mitigating risks. So, now is about the time where you ask "what's the solution?" Great question! The answer is simple: introducing automation in risk management is the only way to win here. We need to arm small teams with very powerful and effective tools to orchestrate and automate cyber risk management.
Risk Assessment Automation
There is no silver bullet here. There is no “click a button” and get a risk score. I like starting with the hard truth. Large banks use teams of tens of people and lots of money to address this problem, while the mid-market has a far greater challenge because they are required to meet the same risk and regulatory requirements with teams of two or three people and much lower budgets.
Risk assessments for the foreseeable future will still require people to administer and manage them, but automation is the key to arming those small teams with virtual big guns. Replacing manual processes with automated risk assessments will relieve your people of doing manual, repetitive and inefficient tasks. In addition, there is a huge gap in the enterprise risk management tool space today, whereby the external threats to the organization are completely ignored in the internal processes, and the majority of time is spent on just administrating and building up these assessments.
Through automation you can now get off-the-shelf frameworks that are ready to be deployed in minutes rather than weeks or months, where the solution itself can help you collect part of the data automatically from your network tools, correlate the validation of controls and add additional layers of external threat intelligence. Once the data is collected, the platform can automatically provide you with scores, reports and visualization of the risks, as well as actionable next steps on how to remediate and mitigate the gaps. Through automation you can save 90% of the time spent today, and focus that time on the improvement of your cyber defenses.
Automated Vendor Risk Assessments
Vendor risk assessments are another area which has gained a tremendous amount of visibility, in particular since the SolarWinds attack became public. This attack has brought to the top of mind a well-known challenge for enterprise risk management. Vendors and the supply chain are a direct attack vector into the organization, and as mentioned earlier, we have never been more dependent on technology, which very often comes from a third-party vendor or supplier. Third parties are now an integral part of our core business and our supply chain, holding some of our most sensitive data and most protected IP.
Here too, automating vendor risk assessments is now highly achievable through some of the latest solutions that are included in integrated risk management platforms. Automating the collection and analysis of vendor information, including both self-attestation by vendors and external threat intelligence, can provide you with the most complete vendor risk profile. These profiles need to take into account both the impact and the probability of an attack to truly prioritize and lower the chances of being breached. Part of the challenge here is that many organizations ask each of their vendors to conduct a vendor risk assessment, which creates a lot of redundant work. Automated vendor risk assessments are a critical piece in saving you and your vendors time and money, with the platform filling out the risk assessment for you.
Automation in risk management is the key to enterprises protecting themselves in the modern business environment. The earlier you embrace this approach, the better you ready yourself for a future with less cyber risk exposure and better business performance.