Why it's important to create a common language of cyber risk

3 years ago 370

All departments of an enactment request to beryllium connected the aforesaid leafage wherever cybersecurity is concerned, and that volition lone hap if the terminology utilized is understood by all.

cyber-risk.jpg

Image: iStockphoto/anyaberkut

Things enactment amended erstwhile everyone is connected the aforesaid page, and that includes the quality to sermon a taxable utilizing connection that imparts the aforesaid meaning to all. 

SEE: Security incidental effect policy (TechRepublic Premium)

There's a enactment game—Whisper Down the Lane, known successful immoderate places arsenic Telephone oregon Gossip—that illustrates what happens erstwhile words and their meanings are misinterpreted. People are successful a circle, and idiosyncratic whispers a concealed to the idiosyncratic adjacent to them. That idiosyncratic passes the concealed connected to the idiosyncratic adjacent to them and truthful connected until it gets backmost to the archetypal individual, and—more often than not—the concealed is precise different. 

In enactment games, it's funny, but successful the satellite of cybersecurity, not interpreting a remark oregon papers arsenic intended by the originator tin spell disaster. The 2020 Global Risk Study by PwC said that astir 50% of respondents judge their risk, interior audit, compliance and cybersecurity departments are hampered by not formulating a communal presumption of threats and the associated risk.

But what tin beryllium done to alteration this? Joseph Schorr, vice president of strategical alliances astatine LogicGate, offered thoughts via email. Schorr started by looking astatine the GRC and IRM space—programs often utilizing method language/vernacular, acronyms and jargon. 

"When we enactment with concern partners and stakeholders, it's important to marque definite we find a communal language, truthful everyone understands the hazard we're communicating," Schorr said. "For example, saying it's apt determination volition beryllium a information breach mightiness mean 70% apt to some, 80% to different and yet 50% apt to idiosyncratic else."

Technology and processes are captious components erstwhile it comes to the connection of risk. A risk matrix is often utilized during hazard assessments to specify the level of hazard by considering probability and effect severity. Schorr said hazard matrices are a invaluable instrumentality utilized to assistance pass betwixt departments and companies. They would beryllium adjacent much adjuvant if the connection utilized is understandable by each parties.

SEE: How to negociate passwords: Best practices and information tips (free PDF) (TechRepublic)

"When you person a matrix accepted and utilized crossed the full business, your enactment present has a communal constituent of notation for assets allocation and decision-making," Schorr said. "Everyone utilizing the aforesaid connection shows concern crossed the committee and a company-wide knowing of the organization's hazard and however that hazard tin beryllium utilized to make a strategical advantage." 

Creating a cosmopolitan connection of risk 

At archetypal glimpse, creating a cosmopolitan connection of hazard seems impossible, and it apt is. That said, making the effort and moving person to wherever everyone shares a communal knowing is simply a large betterment and increases awareness. Schorr offers the pursuing practices to assistance execute it. 

Agree connected a taxonomy: In this situation, taxonomy is the recognition oregon naming operation utilized to intelligibly recognize hazard assessment, monitoring, remediation and creating a communal vocabulary.

The payment of having a taxonomy oregon akin operation successful spot erstwhile collaborating with different departments creates a functional notation that allows thoughtful grouping and aggregated reporting. "Taxonomy shared organization-wide increases the effectiveness of reporting and decision-making," Schorr said. "And standardized taxonomy facilitates comparisons crossed humanities data, clip periods, concern units and regions."

Establish an understandable standing system: The risk-rating strategy needs to spell beyond simply low, mean and high, and see notation points that are understandable by each acrophobic parties.

Employ a accordant company-wide risk-response framework: This benignant of model volition usher the process of hazard management. Schorr suggests including metrics that place which risks are acceptable and highlighting actions that are required. Also, it is important to usage the model company-wide; doing truthful enables faster determination making and cultivates a risk-management culture.

Make the model accessible: Anyone needing risk-management accusation should person casual entree to it. "Risk-management systems/processes with the aforesaid taxonomy (risk language) guarantee appropriate, systematic usage of information collected company-wide," Schorr said. "Technology incorporating and standardizing information crossed regions/business units drives businesslike assets allocation, enabling better-informed decisions."

Get buy-in from radical astatine antithetic levels of an organization: This is apt the astir important signifier of the bunch, particularly getting buy-in from precocious management. "After determination were yet capable high-level breaches, Facebook hacks and attacks connected POS systems, information and hazard yet became a board-level concern," Schorr said. 

SEE: Ransomware attack: Why a tiny concern paid the $150,000 ransom (TechRepublic) 

He besides suggested uncovering a champion—someone interior to the company, perchance a information designer oregon hazard and compliance specialist—who volition elevate the treatment and speech much astir the concern constraints and goals. 

Benefits of a communal connection of risk

Schorr said helium is simply a steadfast believer that incorporating modular definitions and translation tools into a risk-management level (GRC oregon IRM) is successful an organization's champion interest. 

Standard definitions and translation tools:

  • Allow the aggregation of idiosyncratic risks into themes
  • Provide consolidated hazard scores from crossed the organization, which means further information input into the organization's processes
  • Create a shared information repository that tin beryllium leveraged to way trends, foretell caller opportunities and place areas of focus 

Using terminology that everyone understands is not caller and is not rocket science. What is caller is employing this conception to negociate hazard with respect to cybersecurity—a analyzable and fast-changing field. It whitethorn not beryllium cleanable but moving the barroom to wherever each are connected the aforesaid leafage seems similar a bully spot to start.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article