The Changing Nature of Risk Management … and the need to quantify your risk management approach
Guest blog: Randy Spusta, Global Competency Leader - Security Strategy Risk & Compliance, IBM Security as part of our #Cyber2021 week.
Companies today face all sorts of risks. Supply chain and third-party risk are now becoming a top of the house risk discussion topic due to Covid, Solar Wind, FireEye, and the Suez Canal incident. And this risk is only increasing as organizations strive to operate more globally, leveraging third parties, building dependencies and operating in an eco-system of mutual interdependency. This all results in business relationships becoming more complex – and complexity introduces more vulnerabilities, more threats and increased risks. Managing the risks associated with these relationships while not hindering business speed is a critical challenge for today’s leaders.
This challenge is only compounded as digitalization, globalization and significant improvements to supply chain management -technical capabilities such as multi-cloud platforms, blockchain, RFID tracking-. In this interdependent world, this larger set of supply chain, third party interactions result in the increased exchange of business sensitive data, including client and employee PII, introducing increased risk to the organization.
The challenge is to balance the business advantages and opportunities of a larger and more complex eco-system interactions with secure digital transactions, secure access and protected data.
To be truly optimized and to address these issues, companies are moving to a more quantitative approach to identify and reduce risks. To better understand their risk exposure and expected loss in supply chain risk, companies are striving to understand their threats. By understanding threats and threat actors, organizations can better understand threat actors’ capabilities, asset targets and potential impacts, the basic elements of risk management.
Additionally, we want to identify probable risks against the total population of possible risks. This is clearly both cost prohibitive and not particularly effective. To adjust to this ever-increasing complex operating environment, organizations today are turning to a quantifiable methodology to identify, manage and reduce risks. They are adopting the FAIR (Factor Analysis of Information Risk) model. Risk quantification using FAIR, allows us to decompose risk into the probability of a threat and the costs of that threat realised to an asset. By looking at risk in terms of Threats, Assets and Effect, all of which are measurable, we can quantify the impact of the risk(s).
And by quantifying the risk, we can now make fact-based decisions, based on cost / benefit analysis on which of our third-party relationships present the highest risks to our organization. By combining risk quantification with a mature and effective third-party risk management program, we can focus our resources on the highest of high-risk transactions and relationships.
We direct our investments to provide the best return (reduction of risks).
By adopting a quantitative risk-based approach, organizations are better equipped to focus their investments, address critical skill gaps, determine whether their control frameworks are effective and provide for business justification for their security spend. This results in actual risk reduction and it focuses investments on the top priorities.
Executives, boards, shareholders and regulators are demanding better risk management. And better risk management requires better data and a measurable framework. FAIR is based on the premise that effective risk management starts with these assumptions.
CISOs and CIOs can now provide their Board members and executive risk committee members with data-based answers to the following concerns:
Yes, we know our top risks and have quantified them. We have identified the degree of uncertainty with respect to a threat materializing.
We know the material impact if the risk event occurs
We know the expected loss, given the current residual risk
We have an understanding of the likelihood of an event occurring
We can provide a data-based business justification for managing those risks.
Our point of view is improved risk management requires better data on vulnerabilities, threats and risks across the enterprise and across the end-to-end supply chain. IBM Security has developed an integrated, risk-based, programmatic framework for managing third-party relationships and risks based on risk quantification.
Our goal is to embed security at each ecosystem layer, to protect the movement of goods and data in applications and on the cloud. The more organizations can address security risks and challenges in a quantitative manner, the more likely they will be effective in reducing risks. Afterall, the goal of risk management is to make better decisions under conditions of uncertainty that actually reduce risk.
Dan Patefield
Head of Cyber and National Security, techUK
Dan Patefield
Head of Cyber and National Security, techUK
Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.
Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.
Programme Manager, Cyber Security and Central Government, techUK
Jill Broom
Programme Manager, Cyber Security and Central Government, techUK
Jill is techUK’s Programme Manager for Cyber Security and Central Government, supporting the work of both programme teams and promoting better engagement between the public and tech sectors.
Prior to joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
Freddie MacSwiney is the Programme Manager for Defence and Cyber Security at techUK.
Prior to joining techUK, Freddie worked as a Government Adviser for a firm dealing in International Relations, where he briefed Politicians, Ministers, Heads of State, Diplomats around the world on key issues from Defence, Security and other key issues and aligned them with the UK.
Raya Tsolova
Programme Manager, National Security, techUK
Raya Tsolova
Programme Manager, National Security, techUK
Raya Tsolova is the Programme Manager for National Security at techUK.
Raya is responsible for all National Security related activities across techUK, specifically in the established programmes of Defence, Cyber Security and Justice & Emergency Services. Raya will leverage relationships with existing stakeholders across the three programmes, and will build new relationships between techUK and key stakeholders who are of interest to member companies.
Prior to joining techUK, Raya worked in Business Development for an expert network firm within the institutional investment space. Before this Raya spent a year in industry working for a tech start-up in London as part of their Growth team which included the formation and development of a 'Let's Talk Tech' podcast and involvement in London Tech Week.
Raya has a degree in Politics and International Relations (Bsc Hons) from the University of Bath where she focused primarily on national security and counter-terrorism policies, centreing research on female-led terrorism and specific approaches to justice there.
Outside of work, Raya's interests include baking, spin classes and true-crime Netflix shows!
Tracy supports several areas at techUK, including Cyber Exchange, Cyber Security, Defence, Health and Social Care, Local Public Services, Nations and Regions and National Security.
Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!
Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!
techUK members – we are calling on you to nominate a colleague who has made a significant contribution or positive difference to People, Society, the Economy, or the Planet through their work with technology.
Can you think of someone you'd like to nominate for our inaugural President's Awards? Nominations close on 26 April.