This has never been truer than now when--as everyone knows--every company will eventually be infiltrated by cyber criminals. Attackers using automated programs to continually run port scans on hosts across the Internet looking for vulnerabilities will eventually find holes in your systems and exploit them. Enterprises must likewise automate security as a part of risk management or simplify it enough that security staff can demote some tasks to operations staff. This is operationalizing security and can include using log management and SIEM tools that put security tasks within reach of operations professionals.
From the 3,000-foot view, you need to adopt a combination of enough risk mitigation techniques and technologies to answer those risks that will cost your enterprise more than the mitigation does. DLP is a great example of a technical solution that is less expensive than a massive breach that leaks millions of examples of private, personally identifiable, financial account information.
Boards of director must decide when the cost of the risk is greater than the cost of risk management and deploy cyber security down through the C-suite accordingly. They must include lost revenues and the potential for profit margin growth in their calculations.
Second, risk lives and changes like a growing organism undergoing constant metamorphosis. "In particular, risk changes in response to your actions," says Sweeney. Every time you take action, risk responds in a manner comparable to the equal and opposite reaction of Newton's Third Law of Physics. So the dynamic nature of risk makes sense intuitively.
Risk mitigation must be equally fluid, nimble, and dynamic in order to respond to information risk events quickly and efficiently. For example, risk mitigation must be flexible enough to close the vulnerability first, whatever kind of hole it may be, so that no more damage is done.
Third, like time, risk does not wait. Losses due to realized cyber risk events increase as the event continues, and many cyber criminals intend their attacks to go on indefinitely or until someone stops them. Enterprises that want to increase profit margins need to move fast to adopt a reliable, targeted risk management plan as soon as possible.
Finally, know that someone in the business is causing the risk by design. They are accountable for the risk as the risk owner. Find out who they are. Then find out what they are doing to mitigate the risk. "You have to look at the controls and constantly test them," says Brian Schwartz, Governance, Risk, and Compliance Leader, PwC. If the controls are not sufficient, look into stronger controls.
Profitable risk management leaders
"The leaders who formally address risk management and actually embed it into the rhythm of the business are the ones who show better profit margin growth," says Schwartz. These leaders share certain specific risk manager activities and traits in common.
Sign up for CIO Asia eNewsletters.