Suits The C-Suite

We regularly hear and read about hacks, security breaches and similar cybersecurity incidents that expose vulnerabilities in corporate and government digital security systems. The reality is that most companies and organizations lack the internal cybersecurity expertise and capability to combat external threats, which leads them to seek external solutions.

While this may be necessary, effective cybersecurity efforts should be anchored on a clear digital risk management strategy, as discussed in a recent EY article, “Making digital risk management strategic.” Digital risk management is the next stage in enterprise risk and security for companies and entities that are incorporating digital processes and technologies into their business. It includes new and unexpected challenges that may arise as a result of digital transformation. Digital risk is a business and not a technology issue, making it a C-suite level concern instead of just an IT matter.

Organizations need to take on a holistic approach when creating a digital risk management strategy, one that supports risk-based decisions and improved cybersecurity that reduces costs related to managing security risk. This approach considers the entire organization’s digital assets and relationships since some vulnerabilities can come from the most unlikely of sources. An example would be an incident where the customer information of a local remittance company was leaked through a data breach on a separate system used for marketing purposes.

The latest EY Global Information Security Survey showed that 37% of organizations stated they would not be able to detect a sophisticated system breach, despite 53% of respondents claiming that they increased their cybersecurity budgets in prior years. This paints a bleak picture, although the situation may be due to the blurring of organizational boundaries resulting from the emergence of more interconnected devices. With the “Internet of Things” (IoT), or the increased connectivity between systems and the growing online presence of many organizations, any company may become a potential victim.

Addressing these risks requires a combination of strategic elements such as identifying risks; monitoring and predicting potential cyber threats; having a ready response protocol for any incidents; and a plan to restore operations. All organizations, regardless of size, need to weigh these elements within the limits of their financial and human capital resources. Whether it is a large organization or a smaller one with fewer resources, the key to building an effective digital risk management strategy lies in a few significant steps.

Organizations need to actively and thoroughly review their existing processes, digital platforms and operations to identify areas where risks can be minimized or addressed early on.

One example of taking bold steps to implement a digital risk management strategy was undertaken by the Singapore Ministry of Defence (MINDEF) in 2018. The government agency decided to invite about 300 ethical (or white hat) hackers from around the world to a first-ever bug bounty event. The challenge was to attempt to hack into the agency’s internet-connected systems, with rewards offered for the vulnerabilities found.

This innovative action helped generate nearly 100 vulnerability reports, 35% of which were considered valid security vulnerabilities that the government agency addressed immediately. While this may have been a first for a government agency, it has actually become a common practice for some multinational entities. They now hire white hat hackers to test their security systems for flaws and vulnerabilities by replicating the tactics, techniques, tools and procedures that a malicious hacker would utilize in an actual cyberattack.

Companies need to quantify their risk appetite and identify the digital operations that require greater resources, competencies and capabilities to protect. These are usually the most vital operations such as infrastructure, cloud applications, managed operations or security services. Organizations also need to consider investing in intelligent technology solutions that can automate the process of monitoring and managing digital assets that are most at risk or have the greatest impact on operations.

There has been a trend for larger organizations to move their digital risk management and cybersecurity functions outside of traditional IT or technology departments and put them directly under the oversight of top management. This highlights the reality that cybersecurity and digital risk management are larger business issues and not simply IT problems.

Organizations should prepare an incident response plan ahead of time and undertake drills and practices to ensure that all stakeholders know what to do in the event of a breach. This plan, naturally, needs to be one that is continually studied and enhanced as threats evolve.

Following the initial response to any breach and the measures taken to minimize the damage, companies should have contingency plans in place to restore business-as-usual operations in the shortest time possible while also managing any operational and reputational damage that may occur.

As with most programs, people are both the first line of defense and often the greatest point of vulnerability. The EY survey found that 34% of organizations consider careless and untrained employees to be their greatest vulnerability. Based on our experience, about one out of five employees falls victim to social engineering techniques in the campaigns we conducted for our clients. This is why organizations need to ensure that all their people are adequately trained in a cyber-resilient risk culture.

People, in this context, refer to more than just employees. They also include the people engaged by an organization’s vendors, third-party stakeholders and internal/external systems providers. Cyber-savvy organizations need to ascertain that proper access controls, policies and technologies are in place to reduce possible unauthorized access to vital systems or confidential data.

A thorough evaluation of the cybersecurity knowledge, exposure and competencies of an organization’s people can also help identify possible human single points of failure, which can significantly hamper an organization’s response time and effectiveness in case of a breach. For example, say a breach happens and the cybersecurity team swings into action. Part of their containment solution is to block all access to vital databases, but before they can do so, permission from the CIO is required. If for some reason the CIO cannot be readily contacted, implementation of the security protocols would be delayed.

In the digital environment and ecosystem we operate in today, cyber threats will continue to exist and will constantly evolve to present new risks. Some analysts believe that a breach is inevitable for any organization.

However, what matters is how the organization will respond to such an incident. Hopefully, it will be carried out with an agile, scalable, well-designed digital risk management strategy that integrates processes, systems, people and technical competence into a holistic cyber defense system.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.


Nathaniel F. Dizon is an Advisory Manager of SGV & Co.