Data-driven cyber risk management - Making the case for cybersecurity investment in the midst of a pandemic
While everyone understands that cybersecurity is a key threat, very few can articulate that their investment and actions are making an impact on reducing the cyber risk to their organisations.
With the recent virus outbreak, it is more important to promote the value and effectiveness of your cybersecurity programme to stakeholders in simple business and economic terms.
Evaluation and prioritisation on a sound methodology
Project selection alignment with corporate strategy in a quantitative way
Meaningful comparison of risk reduction benefits of projects, aligned with strategy
Minimise gaming and politics in project selection
Cyber risk reporting provided today is generally not fit for purpose for C-Suites / Boards
A. Identify business risks
Key elements for data-driven cyber risk
What questions can data-driven cyber risk management answer?
Augment your existing metrics with business intelligence
Data-driven cyber risk management yields many benefits
How do I measure and demonstrate the effectiveness of our cyber security investments in relation to our key cyber risks?
CISO
What is our cyber risk exposure in economic terms? Do I need insurance?
CIO / COO
Am I able to respond to regulatory and other external stakeholder requirements?
CRO / Compliance
[Figure: six question areas, numbered 01 to 06: Exposure, Communication of cyber risk, Transfer of risk, Impact of losses, Types of loss, Mitigation / security investments]
Exposure
What are my high-priority security business exposures?
Communication of cyber risk
How do I best communicate cyber risk to the Board / Exec in a language they understand?
Mitigation / security investments
Which capabilities should I prioritise and implement?
Transfer of risk
What risks can I offload? Will insurance play a role?
Impact of losses
What is driving my potential losses and in what areas of the business?
Types of loss
What types of business loss could impact us? E.g. financial, contractual, reputational
Business impact modelling
Cyber threat landscape
Cyber capabilities
Completeness
Robustness
Identify key business functions, IT/Information assets and key business operational risks
B. Profile cyber threats
Achieve qualitative reporting of business impacts to threats
C. Evaluate cyber risk
Achieve quantification of scenario financial loss, and changes to impact and likelihood.
D. Scale & Automate
Scale and automate the Cyber Risk Dashboard and risk measurement integrating with existing risk and security processes.
Reporting Defensibility Transparency
Holistic view of the risk landscape and priorities
Technical risks in Business terms
Quantify risk exposure at a holistic level
Stress-test changes in the risk landscape
Reshuffle priorities based on corporate strategy
Respond to unexpected resource constraints (e.g., budget, talent, etc.)
Maximise risk reduction benefits with available resources
Effective allocation of non-financial resources
Risk reduction with focus on overall risk landscape
Automation Adaptability Effectiveness
Focus on high level insights generation, while tool automates numbers
Transform information into insights, priorities, actions, and effective decisions
© 2020 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Click the link below to get in touch with us:
https://pwc.qualtrics.com/jfe/form/SV_7PYbx4HY0idVmnP