3 Strategies to Strengthen Enterprise Cybersecurity Risk Management

In March 2023, the Biden-⁠Harris Administration announced the National Cybersecurity Strategy1 (“Strategy”). The Strategy sets forth numerous ideas aimed at strengthening cybersecurity throughout the United States and building a more secure, defensible, and trustworthy digital ecosystem through “public-private collaboration”. This document is important for private sector organizations because it reiterates why they (along with public organizations) must implement stronger controls to manage cybersecurity risk.

Regulators are also prioritizing cybersecurity and expecting organizations to do the same. The U.S. SEC, for example, has started enforcing rules to ensure that U.S. public companies improve their cybersecurity safeguards and annually disclose material information2 about their “cybersecurity risk management, strategy, and governance”. Companies must not only manage their cybersecurity risks to satisfy regulators and governments, but truly understand and manage these risks to protect themselves. Keeping up with the cybersecurity threat landscape is no small feat for enterprises. Its constant evolution makes them vulnerable to numerous threats, including malware, ransomware, SQL injections, zero-day exploits, insider threats, and supply chain attacks, to name a few. These threats, if realized, can compromise their business-critical systems, disrupt their operations, affect their revenues and profitability, and damage their reputations and competitiveness.

A successful attack can also create numerous legal and regulatory problems, including fines, penalties, and settlements. The recent cases of Didi Global3, Equifax4, Amazon5, and Instagram6 perfectly demonstrate the possible scale and impact of such problems. More importantly, they are all cautionary tales that show why emphasize the importance of proactive cybersecurity risk management.

What is Cybersecurity Risk?

According to the NIST7, cybersecurity risk is “an effect of uncertainty on or within information and technology”. It is the probability of loss that an organization may suffer due to a successful cyberattack or data breach, and is frequently represented by this simple formula:

Cybersecurity risk = Threat x Vulnerability x Consequence

Why Organizations Should Understand Their Cybersecurity Risk

To minimize the harm from an attack and minimize the probability of the attack itself, it’s critical for enterprise security leaders to understand and manage their cybersecurity risk. This begins with understanding the relationship between vulnerabilities, threats, and consequences.
Risk management involves identifying, prioritizing, managing, mitigating, and monitoring cyber risks. This ongoing and iterative process helps to reduce the likelihood and impact of cyberattacks. It enables organizations to:

1. implement stronger controls to protect critical assets from attacks and breaches
2. avoid implementing ineffective and expensive controls, or controls that adversely affect business efficiency or productivity
3. determine strategies and tactics to respond to potential risks
4. prioritize the most important risks based on the potential likelihood and impact
5. take appropriate risk decisions based on risk priority

3 Strategies for Effective Cybersecurity Risk Management

It’s not always easy to understand cyber risk. It’s even harder to anticipate and manage those risks. And it’s probably the hardest to avoid the “capability trap” – a situation where organizational processes deteriorate due to cybersecurity blind spots. The following 3 strategies can help. By implementing these strategies, organizations can improve risk management and ultimately, strengthen their security posture.

1. Prioritize active defense
According to the Identity Theft Resource Center (ITRC)’s 2023 Business Impact Report8, 73% of small businesses experienced data breaches or cyberattacks in 2023. Furthermore, 26% of organizations suffered losses of between $250K and $500K due to cybercrime. Large organizations also continue to remain vulnerable to cyberattacks. One 2023 report9 found that nearly all of them (97%) have seen an increase in cyberthreats in recent years. Both large and small organizations are also increasingly vulnerable to ransomware attacks. In 202310, 1 in every 10 organizations worldwide was hit by an attempted ransomware attack, a 33% surge from 2022.
Considering these realities, a modern organization’s cybersecurity risk preparation needs to go beyond perimeter defenses. The threat environment is constantly changing and expanding, and to effectively respond to those threats, companies must adopt what McKinsey11 calls an “active-defense model”.
This model includes leveraging threat intelligence, analytics, decoys, and ring architectures to proactively:

1. identify security risks
2. anticipate attacks
3. protect critical assets
4. and respond to threats in real-time

To access these capabilities without appreciably increasing cybersecurity costs, McKinsey recommends “engaging outside resources and forging information-sharing partnerships”. By doing so, companies can respond more effectively to even advanced and sophisticated cyberthreats.

2. Monitor the performance of the cyber risk management program

As mentioned above, most organizations operate in an ever-evolving cyber risk landscape. Companies themselves are highly dynamic, constantly adding new processes, technologies, and people to meet evolving market and customer demands. To keep up with these changes, an updated cybersecurity risk management program is essential. And to ensure that the program remains updated and effective, monitoring its performance is vital.

Monitoring the cyber risk management program enables organizations to monitor their security controls, which in turn allows them to verify:

1. the controls remain effective in an evolving (and perhaps, expanding) threat landscape
   and
2. that they consistently satisfy relevant regulatory requirements.

Performance monitoring is also essential to improve risk-related decision-making. With the help of management reporting dashboards, cyber event exercises, and actionable cybersecurity metrics, top leaders and boards can take appropriate action to:

1. Build stronger lines of defense
2. Optimize cybersecurity budgets and resources
3. Fine-tune cybersecurity and make it what EY12 calls “a key enabler of growth” and what HBR13 calls a “strategic business enabler”

3. Align cyber risk management with business needs and goals
Every company has different business priorities, needs, goals, and strategies. Cyber risk management must be aligned with these aspects to be effective and to generate high returns on investment. Ensuring proper alignment also helps them to avoid costly cybersecurity mistakes that simply increase cost without substantially strengthening their risk management program or security posture.

To achieve this alignment, every risk must be “framed” in the context in which the organization will make risk decisions. Risk framing, according to NIST14, is “the set of assumptions, constraints, risk tolerances, and priorities/trade-offs that shape an organization’s approach for managing risk”. It requires cyber risk managers to:

1. define the scope of the cyber risk management process
2. create an asset inventory and prioritize assets by business criticality
3. identify the budget and resources that will be assigned for cybersecurity risk management
4. identify the regulations and laws the company must comply with

Alignment between cyber risk management and the business also requires:

1. clarifying the company’s risk tolerance (the kinds of risks it can and cannot accept) and
2. creating a common risk “language” for the entire organization
3. make cyber risk management and cyber resilience a board-level priority15

Conclusion

Modern organizations need cybersecurity risk management to keep threats at bay, and to ensure business continuity, competitiveness, and financial stability. With the right technologies and services, they can streamline cybersecurity risk management and stay resilient against cyberattacks. These include Penetration Testing as a Service (PTaaS), Automated Pentesting (APT), and Red Teaming as a Service (RTaaS).

About BreachLock

BreachLock is a global leader offering human-delivered, AI-powered, and automated solutions for Attack Surface Management (ASM), Penetration Testing as a Service (PTaaS), Automated Pentesting (APT), and Red Teaming as a Service (RTaaS). Collectively, these solutions go beyond providing an attacker’s view of common vulnerabilities and exposures to provide enterprises with evidence-based risk across their entire attack surface to determine how they will respond to an attack.

Know Your Risk. Accelerate risk prioritization and remediation accuracy across the entire security ecosystem with BreachLock.