top of page
  • Lia Tsur

Business people from Mars, Tech people from Venus - The challenge of cyber risk management

The transition from the old world to the new world is a daily challenge both to the IT team and the business team, such as: transitioning to cloud base as a condition of existence of the organization, or implementation of new technology for which protection systems and controls have not yet been adapted, etc.

The technologists want (and need) to catch up with technology, to use the most futuristic technology today, just as business professionals want to bring the most innovative and cool product to their world. They have something in common, they don't understand much about cybersecurity. Sometimes they lack the knowledge, and other times they just pretend not to understand. Why? Because often, understanding the cyber risks, means stopping the race towards progress, which is what they definitely do not want (and rightly so). On the other hand, the director of the organization's cyber protection, aka CISO, sits right in front of them, and of course, wants the organization to succeed and be innovative as well. However, the CISO is also well familiar with information and cyber security. Here, my dear readers, the holy trinity is created: technology, business, and cyber, when the Holy Spirit in the form of the board and management hovers between all and tries to synchronize.

How do you walk hand in hand on the golden path? On the one hand, you allow the business to move forward, and on the other hand, you make sure that the organization is not attacked? Or, if attacked (and this is the assumption that should be made 24/7/365), how would you make sure the organization continues to function?

The starting point: no one comes to work to do a bad job. Everybody wants to do a good job. The point is that there is a lack of understanding, and the risk managing is that bridge.

It's not about the phishing it's all about the business

The point of view must be reversed. No more risk management in order not to be hacked or for regulation purposes, but rather business management! Because, if the server doesn't work, or the software process fails and the systems don't work, there will be no business! The organizational "vibe" that needs to be instilled is that security is here for the business and not the other way around. Information security units who don't allow employees to work properly, are doing a bad job. Good information security units should come up with solutions to protect the organization while enabling employees to work as usual. For example, hiring a full-time employee to perform a PT (penetration tests), releasing the "rein" from the business and the technology sides.

Don't reinvent the wheel

Risk management, with its many derivatives, has been a well-known and managed field for many years. The management and the board of directors know how to speak it and are used to the way it is presented and accessible. The problem started when the new kid on the block arrived, with a somewhat different character traits (tech savvy, less so in business): the cyber risk. And he tries to explain technology to non-technology people. It just doesn't work.

The business people from Mars, The technology people from Venus

In order to successfully communicate the new risk, the cyber risk must be spoken in the language of business processes: heat maps, terminology, and methodology identical to that of the operational risks. You must present the cyber risk as a part of the holistic picture of all the organization risks. Just imagine a director getting a presentation by the information security person, showing all gaps in the cyber survey have been closed. And in another meeting, the risk manager comes and presents high gaps in the risk survey. It's frustrating, it's confusing and most importantly: it hurts the organization's risk management effectiveness.

Presenting the organization a risk profile using a heat map over the quarters, for example, can assist the CISO to explain the big picture and then dive in to have a "zoom in" analysis. This way it is possible to reflect the change in the cyber risk as a function of the business changes (external and internal). Example 1: In case of a war in the Ukraine in Q2, if we have employees/suppliers there, the risk will then increase since the probability of an attack will have increased, the probability of the internal treat materializing will have increased, etc. (see risk 1 in diagram #1). Example 2: If we make a decision to move to a cloud base in the 4th quarter, the risk will no longer be low. The risk remains high for the transition time until we stabilize it since the authorization management is still unstable and there still isn't any monitoring regarding authorization, etc. (see risk 2 in diagram #2).

Simplicity is the queen of risk presentation. The ability to know what information to present in which forum, is an essential art. Part of this art is keeping the amount and level of information best suited to the ability and capability of the other party to acquire it.

Cyber risk management

The cyber risk management strategy should be measurable and quantifiable, with clear KRI's. This way we can present the development and the progress of the organization's protection. Just imagine the organization's protection level is a number, measured and presented through a clear diagram of the protection level. For example, the organization was at protection level 7 and went up to protection level 7.5 or God forbid went down to protection level 5. The innovation in this methodology is that the explanation for the decrease or increase in the level of protection will be through business matters as opposed to technological ones. By defining scoring methodology for each risk, and associating the risk with the appropriate organization unit, the organization units will be measured by their cyber risks, which will enable to present to the management and board of directors, a management dashboard with the organization's cyber risk map according to the organizational units.

In addition, joining forces between all risk managers/controllers/cyber security personnel and presenting one holistic picture of all risks on the same scale, as well as the same risk appetite, will also attribute to the understanding of the risk.

This is how we will translate the weaknesses and the cyber risks in the technological dimension into business terms and associate them with the business processes. We will also identify whether the risk interferes with the company's strategic plan to penetrate a certain market, or interferes/prevents the company from expanding with existing products, etc.

Written by Lia Tsur, CEO of LT RiSKMGMT, which provides boutique consulting & training risk management. LT RiSKMGMT specializes in operational risk management, fraud and embezzlement prevention, Business Continuity plan, and cyber risk management in the business processes.



bottom of page