
Data-driven cyber risk management - Making the case for cybersecurity investment in the midst of pandemic

While everyone understands that cybersecurity is a key threat, very few can articulate that their investment and actions are making an impact on reducing the cyber risk to their organisations.

With the recent virus outbreak, it is more important to promote the value and effectiveness of your cybersecurity programme to stakeholders in simple business and economic terms.

Cyber risk reporting provided today is generally not fit for purpose for C-Suites / Boards.

Data-driven cyber risk management yields many benefits

Evaluation and prioritisation on a sound methodology
Project selection alignment with corporate strategy in a quantitative way
Meaningful comparison of risk reduction benefits of projects, aligned with strategy
Minimise gaming and politics in project selection

What questions can data-driven cyber risk management answer?

CISO: How do I measure and demonstrate the effectiveness of our cyber security investments in relation to our key cyber risks?
CIO / COO: What is our cyber risk exposure in economic terms? Do I need insurance?
CRO / Compliance: Am I able to respond to regulatory and other external stakeholder requirements?

Exposure: What are my high-priority security business exposures?
Communication of cyber risk: How do I best communicate cyber risk to the Board / Exec in a language they understand?
Mitigation / security investments: Which capabilities should I prioritise and implement?
Transfer of risk: What risks can I offload? Will insurance play a role?
Impact of losses: What is driving my potential losses, and in what areas of the business?
Types of loss: What types of business loss could impact us? E.g. financial, contractual, reputational

Augment your existing metrics with business intelligence

Key elements for data-driven cyber risk

Business impact modelling; Cyber threat landscape; Cyber capabilities
Completeness; Robustness

A. Identify business risks: Identify key business functions, IT/Information assets and key business operational risks.
B. Profile cyber threats: Achieve qualitative reporting of business impacts to threats.
C. Evaluate cyber risk: Achieve quantification of scenario financial loss, and changes to impact and likelihood.
D. Scale & Automate: Scale and automate the Cyber Risk Dashboard and risk measurement, integrating with existing risk and security processes.

Reporting; Defensibility; Transparency

Holistic view of the risk landscape and priorities
Technical risks in business terms
Quantify risk exposure at a holistic level
Stress-test changes in the risk landscape
Reshuffle priorities based on corporate strategy
Respond to unexpected resource constraints (e.g., budget, talent, etc.)
Maximise risk reduction benefits with available resources
Effective allocation of non-financial resources
Risk reduction with focus on the overall risk landscape

Automation; Adaptability; Effectiveness

Focus on high-level insight generation, while the tool automates the numbers
Transform information into insights, priorities, actions, and effective decisions

© 2020 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Click the link below to get in touch with us:
https://pwc.qualtrics.com/jfe/form/SV_7PYbx4HY0idVmnP