Cyber risk and resilience: A guide for the board and senior management

Each and every organisation is affected by cyber risk:

  • Organisations that believe they can ignore ‘cyber’ and the benefits it has to offer will probably cease to exist, as others adopt faster, more economical, less human-resource-intensive solutions that deliver the same or better outcomes.
  • Organisations that embrace the opportunities and benefits that ‘cyber’ offers will expose themselves to its inherent threats and vulnerabilities.
  • Organisations that tread the path between these scenarios are balancing, or blending, the consequences of ‘cyber’, and therefore the associated risks.

The mature approach to addressing these risks is through an effective risk management solution.

Or to put it in BS 31111’s terms (tracking the changes): The mature approach to addressing these cyber risks is through an effective cyber risk management solution.

Effective cyber risk management enables the benefits of connectivity to be harnessed, while managing the potential negatives to an ‘appropriate degree’ – which is dependent on each organisation’s specific circumstances and its leaders.

Achieving this is massively dependent on the organisation having a means of proactively identifying existing and emerging risks.

What makes cyber risk different?

To make the most of the potential benefits, and keep on top of potential negatives, it is essential to ensure that your organisation is and remains fully aware of, and is briefed on, the nature and spread of cyber-related risks.

Typically, the board/governing body of an organisation will not have the knowledge and experience required to achieve this. Therefore, it will need to appoint an advisor, whether in the form of an employee or a contracted service.

The board, reflecting on the specialist, professional advice it receives, needs to provide sufficient competent resources to manage cyber risk in every area affecting technology-dependent activities.

What needs to be considered in a cyber risk management regime?

The following areas need to be considered and addressed in a cyber risk management regime:

  • Organisation: Effective leadership is essential, with timely decision-making that considers cyber consequences being entrusted across the organisation. Understanding the value your organisation creates, and how cyber relates to that value, is fundamental to establishing an effective solution.
  • Planning: Enterprise risk management arrangements need to encompass cyber risk. The risk management arrangements across the organisation need to inform both timely change and ‘as is’ activities, in light of information gathered and considered from internal and external sources, including cyber experts and (cyber security) information sharing partnerships.
  • Monitoring, measurement, analysis and evaluation: A cyclical approach to assessing the effectiveness of your organisation’s cyber risk stance, and reacting to that through communication, monitoring metrics, awareness, training, improvement and further review, will assist in developing resilience.
  • Human factors/culture: The human factors relevant to cyber risk are present at both an individual level and in the culture of the organisation. The appreciation and competence to effectively manage cyber issues needs to be part of the decision-making arrangements across all levels of the organisation. Achieving a coherent, organisation-wide cyber risk-aware culture significantly contributes to the motivations and enablers for achieving the desired outcomes, particularly as people are often the weakest link.

Standards to help manage cyber risk and resilience

The good news is that there is a myriad of cyber security and related frameworks, standards and sources of guidance which organisations should consider – even if their number initially calls into question the need for BS 31111.

Of direct relevance to the scope and objective of BS 31111 is the British standard for information security risk management, BS 7799-3:2017 – Information security management systems – Guidelines for information security risk management (a revision of ISO/IEC 27005:2011).

Additionally, conformity attestation schemes such as accredited certification to the standards ISO 27001, ISO 22301 and so on provide a means by which an organisation can demonstrate that its operations, commitment and management arrangements reflect internationally recognised good practice in cyber risk- and resilience-related disciplines.

Of course, if an ISO standard seems too daunting, Cyber Essentials certification can provide an entry-level, low-cost starting point.