When is an IT risk a cyber risk? And why the difference matters [Q&A]
There tends to be some confusion about where cyber risk ends and where IT risk starts and the terms are often used interchangeably.
We spoke to Gary Lynam, head of ERM advisory at risk management specialist Protecht, to find out more about understanding and managing the different types of risk that enterprises face.
BN: Why is it important to distinguish between IT risks and cyber risks?
GL: When discussing the issues around IT and cyber risks, it can be easy to think we are all talking about the same thing when in reality, we’re not. For instance, the use of broad terms like 'IT risk' without defining what it means to each organization can result in the illusion of communication.
In a formal sense, the definition of IT risk in COBIT (Control Objectives for Information and related Technologies) is: "The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise."
In more practical terms, IT risk encompasses all types of risks related to information technology and how it can contribute to the failure to meet both strategic and operational objectives. While technology is an enabler, it is the failure of the operation of IT resources -- or the failure to invest in IT adequately -- which can undermine whether an organization can achieve its objectives.
Similarly, the phrase 'cyber risk' can mean many things to many people, which is why I recommend it is defined specifically for each organization. But, in general terms, think of information technology as the 'stuff' that enables us to store and transmit information; cyber relates to the information itself.
BN: Do you need different solutions to manage the different types of risk?
GL: Yes, but a better starting point is to understand who within the organization is responsible for managing the different types of risk. In general terms, the Chief Technology Officer (CTO) is focused on technology strategy and architecture as it relates to external customers. Their role is also to investigate, develop and adopt technologies that make the business more competitive or disruptive. The potential risks they own include strategic IT, obsolescence, digital transformation, execution and technology selection risks.
The Chief Information Officer (CIO) is responsible for issues such as the efficiency of internal IT, improving internal processes, staff productivity and governance. The areas of risk they are typically most concerned with include technology systems availability, supply chain/suppliers, data availability and data integrity (these final two sometimes sit under the CISO).
The Chief Information Security Officer (CISO) is responsible for the security of confidential and personally identifiable information (PII). The associated risks they guard against include data confidentiality, cyber intrusion, ransomware and insider threats.
While it's easy to split hairs about the precise boundaries of these roles, in practice, they work together to deliver the appropriate solutions to manage the different types of risk.
BN: What is the impact of cyber risk on the wider organization?
GL: The ubiquitous nature of cyber risk means organizations should be prepared to face the impact of an incident at any time. With this as a guiding principle, don't plan under the assumption something might happen; plan assuming that it already has. What next? What do existing crisis management and business continuity plans look like? How do organizations ensure critical service maintenance?
And don't forget that risks travel in clusters, so when a cyber threat emerges, whether it is due to perimeter penetration, unauthorized data access or malware, it is already associated with risk-related outcomes. It can provoke GDPR issues, which can lead to regulatory risks and result in remediation activities, financial loss and reputational damage. It is these consequential risks that businesses often spend too little time thinking about. The question is: how do organizations ensure they are well-placed to mitigate such risks?
BN: How important is the human angle in understanding and managing risks?
GL: While automation may be on the rise, people are still at the heart of every organization, including how its technology is managed and maintained. This can include making long- and short-term investment decisions, maintaining critical technology infrastructure, monitoring the performance of systems and of IT-related controls, managing incidents, investigating and proposing new technologies, and managing relationships with IT-related vendors and third parties.
The decisions and actions people take can result in smooth operations and working towards goals -- or result in incidents or conditions that negatively impact objectives. Errors, oversights, and communication breakdowns are all potential human causes of IT-related disruption or poor outcomes.
That's not to point the finger at IT people when things go wrong; it's to acknowledge that people make mistakes. Leaders need to empower and nurture people, particularly in times of adversity. For any organization that wants both resilient information infrastructure and a resilient IT workforce, the psychological safety of its people needs to be embedded into everyday culture.
BN: How can you measure the effectiveness of risk management?
GL: While some risks may require special considerations to manage, ultimately, executives need to consider and compare risks across the entire organization. Deeper understanding of the risk profile will enable more targeted investment in the control environment. This can be achieved by identifying the leading metrics, risk and control indicators, that they want to measure and report on, the frequency at which they want to capture and report them to management or the Board, and defining tolerances for those metrics.
Organizations should also integrate IT-specific incident or issues management processes into a holistic Enterprise Risk Management (ERM) incident management process to ensure aggregate reporting. They should also use reporting dashboards to track IT and cyber risks that can be compared effectively against other risks to the organization. Having risk data that is integrated allows for effective comparison not just of IT risks but risks across the organization.
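As an added illustration of the indicator, tolerance and aggregate-reporting approach described in the last two answers (this is example code written for this page, not code from the interview, from Protecht or from Gary Lynam), the following Python sketch evaluates a small set of constructed risk and control indicators against warning and tolerance levels, filters them by reporting frequency, and rolls the results up by risk category so that IT and cyber indicators sit alongside other categories in one view. The indicator names, thresholds, categories, owners and readings are all invented for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """RAG status of an indicator reading against its tolerance."""
    GREEN = "within tolerance"
    AMBER = "approaching tolerance"
    RED = "tolerance breached"


# Ordering used when picking the worst status in a category.
_SEVERITY = {Status.GREEN: 0, Status.AMBER: 1, Status.RED: 2}


@dataclass(frozen=True)
class Indicator:
    name: str             # what is measured
    category: str         # risk category used for cross-organization comparison
    frequency: str        # how often the reading is captured and reported
    warning: float        # early-warning level (amber)
    tolerance: float      # Board-set tolerance; crossing it is red
    higher_is_worse: bool = True
    owner: str = ""       # role that owns the risk (CIO, CISO, ...)


# Constructed register of indicators; every value here is hypothetical.
INDICATORS = [
    Indicator("Critical patches open > 30 days", "Cyber", "monthly", 5, 10, owner="CISO"),
    Indicator("Unplanned core-system downtime (hours)", "IT", "monthly", 2, 4, owner="CIO"),
    Indicator("Phishing simulation click rate (%)", "Cyber", "quarterly", 5, 10, owner="CISO"),
    Indicator("Backup restore test success (%)", "IT", "quarterly", 98, 95,
              higher_is_worse=False, owner="CIO"),
    Indicator("Supplier SLA breaches", "Third party", "quarterly", 1, 3, owner="CIO"),
]

# Constructed readings for one reporting period.
SAMPLE_READINGS = {
    "Critical patches open > 30 days": 12,
    "Unplanned core-system downtime (hours)": 2.5,
    "Phishing simulation click rate (%)": 3,
    "Backup restore test success (%)": 96,
    "Supplier SLA breaches": 0,
}


def evaluate(ind: Indicator, value: float) -> Status:
    """Compare one reading with the indicator's warning and tolerance levels."""
    if ind.higher_is_worse:
        if value >= ind.tolerance:
            return Status.RED
        if value >= ind.warning:
            return Status.AMBER
        return Status.GREEN
    # For "lower is worse" metrics the thresholds are floors, not ceilings.
    if value <= ind.tolerance:
        return Status.RED
    if value <= ind.warning:
        return Status.AMBER
    return Status.GREEN


def due(indicators, frequency: str):
    """Indicators captured at the given cadence (e.g. the monthly Board pack)."""
    return [ind for ind in indicators if ind.frequency == frequency]


def aggregate(indicators, readings):
    """Roll statuses up per category: counts per status and the worst status seen."""
    summary = {}
    for ind in indicators:
        status = evaluate(ind, readings[ind.name])
        cat = summary.setdefault(
            ind.category,
            {"counts": {s.name: 0 for s in Status}, "worst": Status.GREEN, "breaches": []},
        )
        cat["counts"][status.name] += 1
        if _SEVERITY[status] > _SEVERITY[cat["worst"]]:
            cat["worst"] = status
        if status is Status.RED:
            cat["breaches"].append(f"{ind.name} (owner: {ind.owner})")
    return summary


if __name__ == "__main__":
    for category, row in aggregate(INDICATORS, SAMPLE_READINGS).items():
        print(f"{category:12} worst={row['worst'].name:5} counts={row['counts']}")
        for breach in row["breaches"]:
            print(f"{'':12} breach: {breach}")
```

The point of the category roll-up is the one the answer makes: once IT, cyber and third-party indicators share the same status scale and tolerance logic, a dashboard can compare them with each other and with non-technology risks rather than reporting IT incidents in isolation.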