First published in the Infosec Europe 2016 Official Event Guide.
Piers Wilson, Head of Product Management, Huntsman Security, says that aside from the relentless barrage of cyber-attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with efforts to keep these threats at bay.
There is great potential for things to get lost in translation when cyber-threats and remedies for protecting the organisation are communicated with non-security professionals. The IT security department might jump to “red alert” as a result of a user opening a malware-bearing email attachment, whereas most people in the business won’t make the connection between opening the attachment and the level of cyber risk involved.
Well-publicised breaches at Target, Ashley Madison, The US Federal Office of Personnel Management (OPM) and TalkTalk show that it is much easier to raise awareness if you define risks in everyday terms. A £10 million fine, a tarnished reputation or lost customers is far more impactful to business leaders and frontline staff than general references to “non-compliance” or data leaks.
The magnitude of the impact of these breaches is catapulting cybersecurity right up the business risk register, but there is still work to do. Ponemon research found that board members are increasingly aware of cybersecurity, but lack an understanding of the issues, which must limit their ability to evaluate situations and respond appropriately. The US NACD found that directors are dissatisfied with the information and clarity of cyber risk information they are given. This must be rectified before cyber-threats can be tackled effectively.
Tell Them Why They Should Care
One challenge in bridging the communication gap is that cyber-threats mean different things to different people and invariably impact different elements of the business. The implications of specific threats or non-compliance can be unclear to senior managers for whom business objectives, deliverables and the bottom line are more pressing. If the link between a cyber-threat and its ramifications is not clear, risks to the wider business remain obscure. To change this, security professionals must translate cyber-threats into business risks, presenting each part of the business with understandable and relevant information. This means not merely stating what the threat is, but providing intelligent metrics for cyber-risk. These metrics should clearly show what assets are at risk, how business activities could be impacted, the likelihood of the threat materialising and the consequences if the worst happens. Impacts must be tuned to the specific mandate of the individuals: a CFO will be more concerned with financial impacts than a CEO, who would focus on reputational and strategic impacts.
For example, if you tell a Sales Manager that the organisation needs to invest to rectify some non-compliances with PCI-DSS standards, they are likely to view it as a technical issue to be delegated and resolved. If, however, you explain that the business could end up unable to accept card payments until the issues are resolved, there is a good chance of gaining business traction. Similarly, ransomware may not concern the business and C-suite any more than any other form of malware or data loss – unless it is made clear that this risk is worsened by previous lack of investment in comprehensive data backups and resilience.
Turn Everyone Into a Cyber-Risk Sentinel
Aside from dealing with the difficulty of translating between technical and business issues, there is a need for greater collaboration in the security and compliance processes. There are more useful ways to approach compliance than seeing it as an annual tick-box activity. It must become a continuous, real-time process with inbuilt quality improvement. Businesses need intelligent metrics for cyber-risk that show the live, up-to-date security and compliance status of key systems and processes. This enables instant identification of problems and allows them to be dealt with before they become serious. Becoming fluent in risk means information is presented in a common and meaningful language across the business, so its importance is clear to everyone.
Ultimately, cybersecurity is not just an IT concern. It is a business-critical issue with ramifications for everyone. The only way to tackle threats effectively is to turn everyone into a business cyber-risk sentinel, so they understand the risks relevant to their own role or part of the business. This means continuous security and compliance monitoring, and familiarisation with the security and compliance management processes across the business, so that governance outcomes can be continuously improved through “testing and adjusting” of policy and compliance settings.
This collaborative approach will decrease the risk that a business will be hit by a damaging breach or a costly fine, but it also reduces the risk of cyber-threats to the business being lost in translation.