New to Cyber Security Risk Management? Start by answering these questions

By Ivanka Menken, CEO The Art of Service

When it comes to Cyber Security, we often don’t know what we don’t know. The rules of the game are changing faster than ever before and the type of cyber attacks are more creative these days. That’s why it is important to take stock on a regular basis to identify gaps in our processes and procedures.

Don’t stop there though – in addition to checking your technical skills and how they compare to the requirements for present-day Cyber Security Risk Management, you can also have gaps in generic understanding of what Cyber Security means to the organization and its individual stakeholders.

Every organization requires different levels of Cyber Security Risk Management which means that it is never a ‘one-size-fits-all’ approach.

Align with business objectives

Before we even begin to research the specific Cyber Security Risk Management approaches we need to look internally first. Ask yourself what the business objectives are that are to be achieved with Cyber Security Risk Management?

Did you identify these business objectives? Perhaps there is a revenue target that can be achieved through Cyber Security Risk Management. Try to think about this not just from a protective/defensive point of view but open your mind to the opportunity for additional revenue that may potentially present itself through the implementation of Cyber Security Risk Management. It may be your competitive advantage or your unique selling point?

Risk Management

When managing risks you always check two parts of the equation:

1. What is the likelihood of a risk happening?
2. What is the impact on the business when this risk does happen?

Ask these two questions for every risk you identify and you can easily prioritize risk mitigation strategies.

Taking this approach to Cyber Security means that also need to check the business objectives that are to be protected by the implementation of Cyber Security. In other words, what are the specific cybersecurity risks that have been identified and what is the potential impact on the business objectives should one of these risks become a reality.

Risk Management goes beyond the technical teams. You also need to ask yourself how much sponsors, customers, partners, and other stakeholders are involved in Cyber Security Risk Management.

In many cases, a cybersecurity breach will have a major impact on the business and if the stakeholders are not on board with the processes and procedures that were originally created, the heated argument can quickly turn into mud slinging and accusations.

Have all your stakeholders involved from the start so that everybody is aware of the rationale behind the processes and procedures that we use as part of Cyber Security Risk Management. Give stakeholders the opportunity to provide input and feedback along the way so that the end result is carried across all areas of the business. At the very least inform or consult all stakeholders during the process so that nobody can plead ignorance when an attack happens and the risk management strategies didn’t quite work as planned.

Cyber Security Risk Management processes don’t just cover preventative actions. You also need to be prepared for corrective actions. In other words, how do you manage the risks if cybersecurity risk management does not deliver successfully?

Privacy and personally identifiable information

You also need to ask yourself if your company collect personally identifiable information electronically. (That is information that could be linked to a specific person)

If this is the case you not only have to manage cybersecurity in general, but you may also be subject to the GDPR compliance regulation which comes into effect on the 25th of May 2018.

GDPR is all about privacy protection and personal data and to make sure this personal data is protected from outside attacks.

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

What types of privacy data does the GDPR protect?

● Basic identity information such as name, address and ID numbers
● Web data such as location, IP address, cookie data, and RFID tags
● Health and genetic data
● Biometric data
● Racial or ethnic data
● Political opinions
● Sexual orientation

Does your company collect personally identifiable information electronically? If so, you may have to seriously look at your Cyber Security processes and procedures. Especially the ones around the management and storage of private data. Every company that does business with a person in the EU is potentially subject to GDPR regulations and noncompliance can be very expensive with fines of up to 4% of your global revenue.

Value chain approach to cybersecurity

Everything in business seems to be connected and with that in mind, it would be naive to approach Cyber Security Risk Management as an internal project only. We need to take into consideration our partners, suppliers, and other third parties. Including, but not limited to, SaaS providers and Cloud Storage providers like AWS.

Basically, ask yourself the question if we are specifically expressing Cybersecurity requirements to our partners, suppliers and other third parties?

What safeguards do you want to have in place, and what can you do to mitigate the risk for your organization when a cyber attack happens to one of your suppliers or cloud-based partners?

Is there a clause in the contract in relation to Cyber Security and Data Privacy? Do you have any leverage with your partners or suppliers to make them improve their own Cyber Security policies and procedures? Who do you need to talk to to get a better understanding of this potential risk?

Finally, think about the people you identified for your Cyber Security Risk Management project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively?

Once you’ve answered these questions and acted upon the results, you’re well on your way to implement a solid Cyber Security Strategy in your business.

About the Author

Ivanka Menken, CEO The Art of Service, author of Cyber Security Risk Management Self Assessment Guide.
Ivanka Menken is a serial entrepreneur and the owner and Co-Founder of The Art of Service since 2000. Ivanka specializes in creating organizations that manage their services in a sustainable and customer-driven manner. With 20+ years of management consultancy experience and an education degree, Ivanka has been instrumental in many organizational change management projects in The Netherlands, USA, Canada, New Zealand and Australia for both government agencies and private corporations. Ivanka beliefs that education and training are at the foundation of every successful enterprise. Ivanka has been a guest lecturer for a number of Queensland universities on the subject of IT Service Management and Organisational Change Management and proudly featured as one of “Australia’s 50 Influential Women Entrepreneurs” in 2016.
While running The Art of Service, Ivanka authored a number of publications on IT Service Management, Cloud Computing, and Customer Service. She also completed her Entrepreneurial Masters Program at MIT and served on the board as the second ever female President of the local Entrepreneur’s Organization chapter.
Link to Cyber Security Risk Management Self Assessment book: https://store.theartofservice.com/cyber-security-risk-management-mastering-integration/