Risk management for cyber security
Most organizations will already be taking steps to assess and manage their cyber security risk. However, it is worth considering what the driver for that activity is. Often, organizations conduct risk management exercises for ‘compliance’ reasons, which could include:
obligations from external pressures (such as regulatory requirements)
customers’ demands
legal constraints
When done for these reasons, there is a danger of risk management becoming a tick-box exercise. This can lead to organizations believing they have managed a risk, when in reality they have merely complied with a process which may have (albeit unintended) negative consequences.
Compliance and security are not the same thing. They may overlap, but compliance with common security standards can coexist with, and mask, very weak security practices. Good risk management should go beyond compliance: it should give insight into the health of your organization and identify both opportunities and potential issues.
Many of your organizational risks will have a cyber component to them. Cyber security risk should therefore be integrated with your organizational approach to risk management. Dealing with cyber security risk as a standalone topic (or considering it simply in terms of ‘IT risk’) will make it hard for you to recognize the wider implications of those cyber security risks, or to consider all the other organizational risks that will have an impact on cyber security.
The role of cyber security should be to support and enable the business, and it should do this by managing its risks without blocking essential activities, or slowing things down, or making the cost of doing business disproportionately expensive.
It can be difficult to measure the success of your organization’s cyber security efforts. A typical output of good cyber security is the absence of a failure, which can be hard to measure, and since cyber security is still a relatively new field there aren’t yet many established metrics to draw on.
It is common for risk assessments to deliver some kind of assessment level, be that high/medium/low or a number, and so it could be tempting to use this as a performance metric for your cyber security efforts. However, such levels are a poor metric of your internal security efforts, as they are influenced by external factors that are outside of your control and that change extremely rapidly. New vulnerabilities are being discovered every day, and the number of actors seeking to use cyber means to achieve their aims is increasing.
Driving performance through reduction of a number associated with the cyber security risk will likely incentivize risk assessors and reviewers to underestimate the risks, leading to less informed decisions.
Similar ‘good practice’ risk management principles will apply for managing cyber risk as they would for managing any other organizational risk. However, there are two things to bear in mind.
First, solutions and technologies in cyber security are advancing so quickly that it is easy to get caught out using outdated assessments of cyber risks. So you may need to review cyber security risks more regularly than other risks.
Second, because cyber security is still a relatively new field, the organization won’t have as intuitive an understanding of cyber security risks as it might for, say, financial risk. As new technologies emerge, there might not be a large evidence base to draw on to form a risk assessment. This is worth bearing in mind when considering the confidence you have in an assessment of cyber security risk, especially if that assessment is going to be directly compared with assessments of more well-established risks.
Maintaining old habits and failing to adapt are common contributors to cyber security incidents. Many organizations are reluctant to adapt because they fear change, and they fail to realize that adaptation does not always require wholesale change. Regularly reassessing risks and evaluating business practices is the bare minimum an organization can do to understand today’s landscape.
The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes ‘good’ cyber security in terms of managing cyber security risk.
Q1. As an organization, do we have a process that ensures decision makers are as well informed as possible?
The primary focus of your process should be that decision makers can make the most well informed decisions. The decision makers might be the Board (who have to set a risk appetite based on an understanding of a technical or operational risk), or they might be the practitioners who need to decide how to implement a specific course of action fed down from the Board. Both need to be as well informed as possible (in an understandable format) to allow those decisions to be made well. This means the output of risk assessments needs to be meaningfully articulated. Qualified outputs, where the reasoning and the confidence behind them are explained, are usually the most effective and are preferable to meaningless results where arbitrary numbers are added or multiplied to derive a score.
Q2. As an organization, do we have a process that ensures cyber risk is integrated with business risk?
Any decision maker in your organization should have an awareness of the importance of cyber security risk and enough expertise (or access to expertise) to consider cyber security risk in the decisions they make. To begin with you might want to:
consciously build in consideration of cyber security risk to any decision making processes you have
focus on educating people on cyber security
A way to check if this is working is to look at a decision taken in your organization and review whether cyber security risk has been balanced with other business risks. For example, an organization may assess that introducing a Bring Your Own Device (BYOD) policy brings substantial benefit to the organization in terms of flexible working. There are many different things you would expect to be considered in this decision, including:
the potential improvement in staff productivity
the potential security implications of having devices the organization does not control connecting to the organization networks
the cost implications
the liability implications
Were these considered jointly when making the decision, or was security only discussed once the decision was already made?
Both the Board and the practitioners should be able to clearly and simply articulate the process in a few minutes. The details of this framework might include:
how risks are escalated
what the threshold is for Board involvement in a risk decision
how we convey the confidence in a particular risk assessment
how often risks are reviewed
who owns which risks
who is responsible for the framework itself and for ensuring it is fit for purpose (for example, ensuring that the output of the risk assessment process genuinely reflects the assessment of the risk)
Q4. As a board, have we clearly set out what types of risks we would be willing to take, and those which are unacceptable?
Support decision makers if they make risk decisions within the parameters you set.
Be clear on the process and the threshold for escalating the risk.
Be as specific as you can in terms of the types of risk and the amount of risk. For example, you might be unwilling to tolerate any significant risk to personal data but would be willing to accept email being unavailable for a day.
Consider the cumulative risk you are accepting; it is possible that all of your cyber risks could be realized at the same time. In a single incident, you might lose email for a day, the public website might be unavailable, and financial data you hold might be stolen. While you may have accepted some risk of each of those things happening individually, you may not have considered whether the organization could tolerate them all happening at once.