Digital Risk Management Essentials

Part 1: Cybersecurity

Introduction

It's been some time since my last Tony's Phish and Chips newsletter. Truth is, I've been busy. I've been constructing a game-changer when it comes to digital risk management, hoping to solve issues such as cyber security and privacy risks, but also to consider other risks such as AI risk, digital risks and other emerging risks.

To this effect, last week I launched Novera, an advisory firm focused exclusively on managing digital risks from cyber, AI and privacy, risks which aren't going away anytime soon. I know there is a dire and critical need for businesses to access sensible, pragmatic and expert advice to help them manage these risks, and that's what Novera is all about. If you would like to follow the Novera LinkedIn page, please visit https://www.dhirubhai.net/company/noveraconsulting/.

This newsletter is Part 1 of a three-part series on Digital Risk Management, brought to you by Novera. In this edition, we will talk about risk management and then focus on cyber risk.

Risk Management

Why it's simple ... and hard as well.

Structured approaches to risk management and risk governance are essential for modern organisations to be able to manage the veritable minefield of digital risks that exists in the world today. When speaking with the C-suite and boards, it often dawns on business decision makers just how complex the risk environment is when it comes to digital risks.

One of the errors that people in my industry make is to describe technology risks in terms of the damage that can result from a risk eventuality, in ways which are not relatable to decision makers. For example, a common statement used when explaining cyber risk is that 'if your business gets breached, your clients' information may be stolen and you might be fined by the regulator'.

Now... sure, there is a risk of this happening. However, the harm resulting from that eventuality pales in comparison when you consider the effect of reputation risk, shareholder risk, revenue and expense risks, hidden liabilities and so on for the operations of the business, and the myriad of risk outcomes which will significantly hurt the business financially and operationally should they eventuate.

Pragmatic Risk Management using the 52 Risks Framework

A free tool which I have found really useful to better characterise what digital risks look like for organisations is to transpose the threat eventualities onto a framework such as the 52 Risks framework, created by risk management guru extraordinaire Peter Deans.

I cannot recommend enough for organisations to adopt a risk management mindset and strategy, one which makes the board and senior management accountable for risk outcomes. It goes without saying that organisations that manage risks well will inherently manage digital risks well. And while setting up an overarching risk management framework for an organisation that includes digital risks is reasonably straightforward (and simple!), it's the governance around upholding and enforcing that risk management long term that's difficult. Too often, when push comes to shove, businesses devolve into a 'she'll be right' attitude to risk management. And that's where things become unstuck...

Cybersecurity Risk

Cybersecurity risk covers the gamut of potential for harm, loss, damage, or disruption to an organisation’s systems, data, and operations due to information security threats and risks. These risks arise from any one or a combination of malicious attacks, system vulnerabilities, human errors, or inadequate security controls.

Effective cybersecurity risk management helps businesses protect their assets, maintain trust, and comply with regulatory requirements.

Cyber risk is worse than it's ever been.

Cybersecurity threats aren't going anywhere. Pick up any official report on the incidence of cyber breaches and cyber incidents and you'll note that the numbers are pointing upwards, not downwards. Worse still, these risks continue to evolve, with businesses facing risks such as social engineering, phishing, ransomware, malware, insider risks and supply chain risks.

Steps to Cyber Risk Management success

What can you do to implement some basic cybersecurity risk management? Here is a very useful primer on how to manage cyber risk at the strategic level:

  1. Start with a Discovery Exercise: many organisations have never undertaken risk management of any type (cyber or not) in a formal capacity. Hence, if your organisation wants to know where to start, a discovery exercise is the first step. A discovery exercise is a structured process used to identify, assess, and document potential risks within an organisation. It serves as a foundational step in understanding the organisation’s exposure to nominated risks. This exercise helps business leaders and risk professionals gain visibility into their digital risk landscape and prioritise key areas for mitigation.
  2. Conduct a Risk Assessment: following the discovery exercise, consider a structured risk assessment aligned with ISO/IEC 27001, the NIST Cybersecurity Framework, or the ASD Essential Eight, depending on your organisation's context. This can help organisations identify critical assets and sensitive data, map potential cyber risks, and assess the likelihood and impact of threats.
  3. Establish a Risk Management Framework: ISO/IEC 31000 provides a standards-based approach to risk management. While the standard itself may be onerous for smaller businesses, principles from this standard are useful for organisations of any size. Noting this, organisations should develop a risk management framework that defines risk tolerance and mitigation strategies; establishes roles and responsibilities for cybersecurity; and implements a regime of regular security reviews and audits.
  4. Strengthen Security Controls: security controls may need to be strengthened across the people, process and technology realms. Some of the areas that should be considered include Multi-Factor Authentication (MFA) to reduce the risk of unauthorised access; encryption to protect sensitive data from exposure; regular patching and updates to prevent exploitation of known vulnerabilities; and security awareness training to educate employees on common threats.
  5. Monitor and Respond to Threats: we often say that it's not if, but when. As such, having a well-defined Incident Response Plan (IRP) will ensure rapid detection of and response to cyber incidents. As part of this, organisations should implement real-time security monitoring and threat intelligence, conduct regular incident response exercises, and establish clear communication and reporting processes.
  6. Ensure Compliance and Governance: it goes without saying that, often, risk management requirements are dictated by an organisation's need to comply with one or a number of standards. In fact, in my experience, compliance is the number 1 reason why organisations will want to uplift their cyber resilience (number 2 is straight after a breach!). Hence, regularly reviewing compliance with applicable standards like ISO/IEC 27001 and APRA CPS-230 / CPS-234, and other regulatory requirements such as GDPR or CCPA, ensures adherence to best practices and regulatory requirements.


Get Ready for Part 2 - Privacy Risks

The next edition of Tony's Phish and Chips will discuss privacy risks and some of the practical steps you can consider in managing an old but ever-changing risk which continues to bring organisations unstuck: Privacy Risk.

Until then, feel free to comment, share and subscribe!

Thanks for reading!

More articles by Tony Vizza