Managing cyber risk is crucial for the security and stability of any organisation. This guide aims to provide a straightforward explanation for non-technical leadership on how to define and respond to cyber risks effectively. By understanding the roles of leadership and IT, and adopting principles like Zero Trust, your organisation can better protect its assets and maintain resilience against cyber threats. This approach ensures clear communication between management and IT, aligns strategic objectives with operational capabilities, and leverages a multi-faceted response to manage risks that cannot be mitigated through technical controls alone.
Leadership sets the rules and guidelines for cybersecurity. They create a security plan that outlines how to protect company assets. This includes deciding on the principles to follow, such as Zero Trust, which involves least privileged access, assuming breaches, and verifying everything.
IT is responsible for ensuring these rules are followed. They put the plan into action by setting up systems, monitoring activity, and responding to threats. IT ensures that the security measures are in place and working as intended. They also inform leadership about any areas they cannot protect effectively, making leadership aware of potential vulnerabilities.
- Leadership is like the governing council of the castle who decide the security rules. They might say, "Only certain people can enter specific rooms (least privileged access), we should always be prepared for an attack (assume breach), and everyone must show their ID at every checkpoint (verify everything)."
- The IT team is like the guards and builders who follow the governing council’s rules. They build high walls, set up checkpoints, and monitor who enters and leaves the castle. They ensure that only authorised people can access specific areas and that everyone’s identity is checked thoroughly. Additionally, they report back to leadership about any areas of the castle that cannot be adequately protected, ensuring that leadership is informed of these risks.
- We need to consider that bad actors can be both within and outside the castle, and that they can only be distinguished by the effect of their actions. Policy is about defining a "profile" of legitimate use that makes it easier for all stakeholders (including IT) to separate legitimate activity from illegitimate activity.
Least privileged access: only give employees access to the information and resources they absolutely need to do their jobs. For example, just as a guard only has access to certain parts of the castle, an employee should only have access to the files relevant to their role.
Assume breach: always operate under the assumption that a breach has already occurred. This means being constantly vigilant and prepared for potential threats, similar to how a castle is always on alert for an attack.
Verify everything: every access request, transaction, and interaction should be verified and validated, just as every visitor to the castle must show their ID at multiple checkpoints.
Managing cyber security risk involves a multi-faceted approach, combining management policy, IT configuration, and responding to risks through various means.
Leadership sets the strategic direction and policies for cybersecurity, ensuring that there are clear guidelines and objectives for protecting company assets.
IT implements and maintains the technical controls and configurations necessary to enforce these policies. They ensure that systems are secure and report any limitations to leadership.
When IT identifies risks that cannot be mitigated with technical controls alone, leadership can respond in several ways (transfer, insure, or accept the risk):
- Renegotiate contracts with suppliers to transfer or mitigate the risk. This ensures that suppliers adhere to the same security standards and share the responsibility.
- Obtain cyber insurance to provide financial protection against specific cyber risks. This can cover losses from data breaches, business interruption, and other cyber threats.
- In some cases, leadership may decide to accept the risk if it is deemed low enough not to warrant further action or if mitigation options are not feasible.
Using the castle metaphor and detailing the roles of leadership and IT helps illustrate that leadership’s role is to set the rules and policies for cybersecurity, while IT’s role is to implement these policies and report any limitations. When IT cannot address certain risks with technical controls alone, leadership should respond by renegotiating contracts to transfer the risk, obtaining insurance to cover potential losses, or accepting the risk if it is manageable.
Managing cyber security risk is a comprehensive effort involving policy, technical configuration, supplier management, insurance, and risk acceptance. This guide aims to help non-technical leadership understand their role in cybersecurity and the benefits of a structured approach to managing cyber risk.
By embracing these principles, organisations can better protect their assets and ensure a robust defence against cyber threats. This cohesive strategy ensures clear communication between management and IT, aligns strategic objectives with operational capabilities, and leverages a multi-faceted response to safeguard against potential vulnerabilities.