Institute Cyber Resilience and Prepare for the Future
After completing this unit, you’ll be able to:
- Identify recommended board priorities for cyber issues.
- Use the WEF (World Economic Forum) risk assessment framework.
- Identify areas of concern for future cyber resilience.
- Implement practices for boards to prepare for cyber resilience.
The Purpose of the Framework
You asked the right questions and got the information you need. Now it’s time to put a plan in place to deliver the right amount of cyber resilience oversight.
The right framework can make risk identification and evaluation easier. With the right framework, boards and leadership can understand and evaluate the following.
- Current risk tolerance/appetite
- Cyber risks that the organization faces
- Suggested risk management actions and costs
Can You Handle the Risk?
Every organization is unique when it comes to risk and how much it’s willing to take on. Risks increase or decrease over time. Are there strategic events on the horizon that can impact risk? Is the current risk appetite sustainable? The key is to find the right balance between benefits and the risk your organization can tolerate.
Do You Know the Risks?
To determine risk tolerance, you must know the risks and understand their implications. These include financial, legal, operational, regulatory, and reputation risks. Some risks are more probable than others, but you should take all risks seriously. You can identify risks through comprehensive reviews in all areas of the organization.
The leaders of mission control ensure the right testing and analysis occurs to prepare the organization for what lies ahead.
So, What Frameworks Are Out There?
Even though cybersecurity is a young field, there are several risk-assessment frameworks to choose from. The WEF has reviewed these frameworks and developed one specifically for boards. The WEF framework supports high-level discussion that validates the cyber risks already identified and measures the probability and impact of each.
The WEF framework helps boards identify the assets at risk, the impact to the organization should the risk occur, the most vulnerable areas, and possible threats. More information on this framework can be found in the Board Cyber Risk Framework section of Advancing Cyber Resilience: Principles and Tools for Boards.
Where the Risks Lie
The board and leadership team can work through four primary steps to achieve the overall risk picture for the organization.
Step 1: Evaluate Assets to Determine Which Have the Greatest Risk
Step 2: Predict Losses If Identified Risks Occur
Step 3: Spot the Threats That Exist or Could Develop
Step 4: Identify the Vulnerabilities in the Organization—People, Process, and Infrastructure
Outside Influences to Consider
Boards must also look outside the organization. External factors often play a significant role in cyber risk, including political action, merger and acquisition activity, and new methods of cyber attack. Changes in business models and business activities can also lead to new threats. It’s important to monitor these areas and remain ready to respond.
Actions to Take
How likely is it that one of the risks you identified will occur? What’s the impact, and how will the organization handle it? What actions must you take to manage these risks? Each risk should have an action plan. There are four primary types of actions: reduce the risk with stronger controls, transfer it, accept it, or avoid it.
- Reduce the risk with controls
  - Institute stronger people controls
  - Establish consistent procedural controls
  - Test and confirm technical controls
- Send the risk or cost elsewhere
- Accept certain risks as part of the cost of doing business
- Avoid risks outside the organization’s risk tolerance
Understand that all actions have associated costs. Determine if the actions you take get results and encourage cyber resilience.
The Future Awaits
We know that the future holds amazing things. We are in the Fourth Industrial Revolution, which brings new opportunities, business shifts, and emerging markets. Using simple guidelines, your board can prepare for what’s to come and protect your organization.
Guidelines for Emerging Technology Oversight
- Stay aware of emerging technology
- Include cyber resilience in all initiatives and in the business lifecycle
- Maintain an acceptable level of security
- Understand and manage cyber risk associated with vendors and partners
- Make data privacy a priority
- Maintain the highest ethical standards
- Look for ways to improve
- Develop the ability to adapt quickly
The leaders of mission control always look ahead, searching for risks and preparing the organization to make the most of opportunities.
It’s a Whole New World
Technology can take us to places never imagined. Our devices can sync with and talk to one another, and they can access and interpret an ongoing feed of information. We’re all affected by the progress occurring every day. With each new discovery, we uncover new markets, business models, and hidden risks.
We must cooperate to make the most of innovation and opportunity. Partnership means private enterprise and public entities sharing their expertise. Working together, we can all adapt to face challenges and expose new horizons.
This takes leadership—people who are willing to seize the opportunity, and embrace the responsibility, to promote cyber resilience.
Sum It Up
Continuous improvement, foresight, and cooperation are the keys to success in this brave new world. Boards and leadership must roll up their sleeves and get involved to make sure their organization has the right strategy in place.
The tools we’ve shared in this module are a starting point. Use these tools. Improve upon them. Share them with others. It is only through partnership and cooperation that we can embrace new opportunities and uncover a world beyond our imagination.
Interested in exploring more cybersecurity-related information? Check out the Cybersecurity Learning Hub on Trailhead.