I’ve spent a little time at the CYBERRisk Europe conference this week, both as an attendee and as part of a panel discussion.
One of the most interesting things about this conference is it has been formed as part of the OpRisk Europe conference. This is a conference focussing on Operational Risk. I think it is great that people are trying to bring these things together as while “Cyber”, however you choose to define it, is a category of risks, these all come back to business / operational risk and impact.
Cyber / information security / <insert latest buzz word name here> risk must be considered as a part of the overall business risk; while the people assessing the risk may be from different teams, this still needs to feed into one central, organisation-wide process. Doing this ensures all risks are considered together, clear business owners of any risk can be identified, and those owners along with the wider board have a clear view of their cumulative risk.
I don’t think that many companies are necessarily there yet, but bringing your risk processes and recording / reporting under a single organisation-wide umbrella would definitely be beneficial.
Other highlights from the conference included some great discussions around:
- The importance of working with your business and the board to understand and define the risk appetite
- A great way to help with this is to use various scenarios around what is and isn’t acceptable
- Ensuring Security is seen as a business, not IT issue, despite Cyber being very IT centric
- Using Cyber exercises and playbooks
- The fact that Cyber / Security is a ‘wicked problem’ – look this up!
- How related Cyber and wider risk is, but that Cyber is likely a faster moving space than organisational / operational risk are used to
- Where the CISO / security organisation should sit in the organisation. There was no consensus, other than not within IT, especially for regulated industries. Thoughts included within the CRO or COO office, or even the CEO office
- The need to think outside the box to find better ways to solve difficult security problems was frequently discussed – think of the Gordian knot. Are we solving security problems in the right way?
- Ensuring that the relevant people in the business understand and care about cyber risk is key to getting buy in for the correct mitigation / remediation / acceptance decisions
- Being realistic about aspiration vs. realism vs. appetite, for cyber risk – but likely applies to many areas!
- The fact that contain and respond need to be seen as at least as important as prevent and detect
- The importance of people, culture and awareness as well as tools and processes must not be overlooked
- How challenging it can be to justify cyber / security spend, even for seemingly obvious things as we are often ‘proving the negative’ – more on this in a following post.
This was a relatively small conference, but well focussed, with some good content and discussion; I’d definitely recommend it.
If you have any questions about the above topics, feel free to ask and I will happily expand on them.