Strategising cybersecurity: Why a risk-based approach is key

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Adham Etoom, Director of Policy and Compliance, National Cybersecurity Center of Jordan; Co-Chair of Jordan Chapter & Advisor, FAIR Institute

• Cybercrime is predicted to cost the global economy nearly $24 trillion by 2027.
• The cyber-risk landscape is ever-evolving — and businesses must continually adapt to it or risk financial, reputational or legal repercussions.
• A risk-based approach to cybersecurity gauges and evaluates the risk landscape, allowing leadership to evaluate and prioritise the most pressing challenges at a given time.

By 2027, cybercrime could cost the global economy nearly $24 trillion. Businesses often find themselves at the sharp end of this challenge, and, as such, cybersecurity is a critical aspect of the modern business landscape. Cyber threats are multiplying and pose serious financial, legal and reputational challenges to organizations.

Modern and effective cybersecurity management entails more than managing technology risk; it encompasses managing business risk. Organizations must recognise cybersecurity as a strategic imperative integrated into their overall risk management framework — and this can be done at the board level.

Boards can set an organization’s risk appetite, oversee risk management processes, allocate resources and ensure preparedness to respond to cyber threats. They can ensure accurate and timely reporting from management on risks and incidents as part of their broader role in managing risk.

A risk-based approach to cybersecurity

Senior and executive management must understand that organizations can adopt two main approaches to enhance cybersecurity: maturity-based and risk-based.

Organizations widely use the maturity-based approach to enhance their cybersecurity posture. It involves adopting a set of industry-established best practices or standards to achieve a higher level of cybersecurity maturity. It does, however, have limitations.

It relies heavily on subjective assessments that can be influenced by factors such as communication skills, bias and experience of the assessor. Also, achieving a specific level of maturity does not guarantee protection from cyber threats and may create a false sense of security. The maturity-based approach may not adequately address an organization’s unique risk profile, leaving them vulnerable to targeted attacks. It can be resource-intensive, diverting resources from other cybersecurity activities.

The risk-based approach to cybersecurity is flexible and customisable to meet an organization’s specific needs and risks. It emphasises the identification and prioritisation of the most critical cybersecurity risks, followed by the application of controls to mitigate them. This approach involves continuous monitoring and reassessment to ensure that controls remain effective and relevant in the face of ever-evolving cyber threats.

It is effective because it allows organizations to align their cybersecurity strategy with their unique risk profile, enabling them to focus on the most significant threats and vulnerabilities. This approach also promotes a proactive cybersecurity culture by continuously evaluating and addressing risks, minimising the impact of cyber incidents. As a result, organizations can make informed decisions about where to allocate their cybersecurity resources and prioritise cybersecurity efforts based on their most critical assets and vulnerabilities.

Creating a quantified risk grid

Organizations can use risk quantification methodologies such as quantitative risk analysis and Monte Carlo simulation (i.e. FAIR Model) to measure the potential impact of cyber risks and prioritize risk mitigation efforts.

By incorporating cyber risk quantification into their risk-based approach to cybersecurity, organizations can better understand their cybersecurity risks, prioritise resources and make informed decisions about risk management. This can help them achieve more effective and efficient enterprise-risk management, ultimately improving cybersecurity outcomes.

Quantified cyber risk can be applied in real-life situations to assign a financial value to potential losses from cybersecurity incidents. This helps organizations manage their digital assets and prioritise risk mitigation efforts. It involves evaluating threats and vulnerabilities, and assessing the financial impact of incidents on productivity, legality, reputation and recovery.

Quantified cyber risk enables business leaders to make informed decisions about cybersecurity investments and take proactive measures against cyber threats.

Measuring outcomes and taking action

Key Risk Indicators (KRI) provide a snapshot of the current risk level of the enterprise. At the same time, Key Performance Indicators (KPI) indicate the direction towards or away from an enterprise’s risk-appetite level. By linking KRIs to KPIs, cybersecurity teams can help executives engage in constructive discussions to identify which risks are within acceptable levels and which require immediate attention. This enables informed decision-making and effective problem-solving at the board level and below.

The risk-based approach is interactive and helps to translate executive decisions about risk reduction into control implementation, ensuring an organization is aligned and working towards a common goal. By implementing controls in a coordinated and strategic way, companies can manage risks more effectively and achieve their desired outcomes.

To implement the risk-based approach successfully, organizations should adopt a comprehensive roadmap that includes conducting a thorough risk assessment, developing KRIs and KPIs that align with their objectives and risk appetite, establishing robust risk management processes and continuously monitoring and evaluating their cybersecurity posture. Technology is crucial in automating and streamlining risk management processes, implementing security controls and tracking KRIs and KPIs in real-time.

Discover

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges and improve digital trust. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

• Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training to a new generation of cybersecurity experts.
• The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
• The Forum has improved cyber resilience in aviation while working with Deloitte and more than 50 other companies and international organizations.
• The Forum is developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration
• The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

Organizations must continuously reassess their cybersecurity strategy as the threat landscape evolves. The maturity-based approach is no longer effective in protecting against modern cyber threats. A risk-based approach helps identify and prioritise risks, meaning a more efficient and effective cybersecurity programme. Investments in employee education and training, and effective risk management, can build a strong security posture that protects assets, reputation and customers from cyber-attacks.

Adopting a risk-based cybersecurity model also confers benefits beyond simply preventing cyber-attacks. It builds resilience and agility, and this method of continuously assessing and adapting makes for more streamlined and competitive organizations more generally.

Cybersecurity is a shared responsibility that requires collaboration from all stakeholders to safeguard organizations. The risk-based approach results in more effective and efficient enterprise-risk management and builds stronger and more secure organizations capable of responding to an evolving cyber risk landscape.

Widespread adoption of the risk-based approach would not only preserve organizations’ reputation, customers and stakeholders — it would create a safer digital ecosystem for all.