Abstract:
This article is written by a Chief Risk Officer about his experience with cyber risk management. He discusses his actions and considerations when dealing with cyber risk management at his company. The most valuable exercise for him was red team testing, in which an external group was given the objective of gaining as much compromised access as possible to the company's systems. Very few people in the company knew about this testing, which provided an accurate assessment of the company's defences and incident response process. The testing was very successful in determining how vulnerable the company was, and the CFO learned a lot from it. The article provides a great deal of practical, applicable advice and practices that companies can use to manage their cyber risk, and it addresses many misconceptions about cyber risk and risk management. Every part of a system should be monitored for good security hygiene, because something seemingly unimportant can provide an entry point into the entire system when everything is interconnected. All systems can be compromised, and encryption does not guarantee that data is safe. The Chief Risk Officer plays an important role in cyber risk, and the task of cyber risk management should not be left entirely to the CIO or the IT department. The CRO should make sure that risk is everyone's responsibility and ensure that all the moving parts work together.
Key Words:
Cyber risk, risk management, red teaming, governance, board, encryption, incident response, information technology, vulnerabilities, Chief Risk Officer, blue team, Chief Information Officer, security hygiene, Chief Information Security Officer, cyber threats
Industry Focus:
Information & Telecommunication
Internet & Cyberspace
Legal & Financial