Risk Management and Cybersecurity
September 6, 2023
A recent McKinsey series identifies actions that together comprise a best practice for developing a risk-based cybersecurity approach:
First, fully embed cybersecurity in the enterprise-risk-management framework. This requires developing a broad institutional understanding of the vulnerabilities that exist in people and that are intrinsic to the organization's processes.
Next, understand who the relevant threat actors are, what capabilities they possess, and their intent. Develop controls and change programs to address your vulnerabilities.
Then, map risks against the risk management framework, accounting for the threat actors, their capabilities, and the vulnerabilities they are trying to exploit.
Finally, monitor risks and cybersecurity efforts against key cyber risk and performance indicators, then report on how cyber efforts have reduced enterprise risk.
As the series authors state, eliminating a risk is the preferable treatment where it is feasible, while other methods, such as limiting potential loss through insurance, are ways of accepting that the risk remains and managing its consequences.
Risk managers equipped to meet the challenges of the future will need new capabilities in model risk management, data, analytics, and technology. That means having the skill to anticipate new threats, detect changes in existing threats, and develop comprehensive response plans. With respect to cybersecurity, it is a robust risk-management plan that protects an organization from interruptions to its critical business processes.