Cyber incident risk is one of the most consequential areas of risk management organizations face today. The risk isn't new, to be sure; large-scale, high-profile cybercrime goes back at least to 1995, when a hack of Citibank computer systems resulted in the theft of more than $10 million. What's different now is the dramatic growth we're seeing in the number, sophistication and severity of attacks. Cybersecurity incidents doubled between 2016 and 2017, from about 82,000 to a record 160,000. And attacks are becoming more targeted and strategic; one example is the recent emergence of malware specifically designed to attack industrial control safety systems. Finally, the costs associated with damages from cyber incidents are skyrocketing—including an increase of more than 15 times in ransomware costs alone from 2015 to 2017.
In this environment, cyber risk has become as much a major business risk as an IT problem. Business and IT leaders are well aware of it: in a recent survey commissioned by RSA, 80% of those responding said they consider security breaches to be a business risk, not just a security risk. Several factors contributed to this shift. For one thing, as more organizations pursue digital transformation, the size of the attack surface grows and the impact of attacks spreads. In addition, cybercriminals are taking bolder actions, even brazenly trading and selling stolen data and other assets openly on social media. Meanwhile, regulatory requirements in response to growing threats, including threats to data privacy, increase the pressure on organizations to do more to protect against and respond to cyber incidents. Failure to comply can result in costly business consequences in the form of severe financial penalties.
Complicating the management of cyber incident risk today is the reality that IT and business interests both have a stake in reducing risk—but both also find themselves challenged to work together successfully. In the RSA-commissioned survey mentioned above, 69% of respondents described the relationship between IT security and business risk teams as difficult to coordinate. Roughly half cited different tools and technologies for IT and business as the top source of that difficulty, suggesting the need for a risk management approach explicitly aimed at integrating the efforts of IT and business risk teams.
RSA believes a solution lies in having a clearly defined risk framework in which an organization's cyber incident detection and response technologies support its business-driven goals for managing cyber incident risk. Such a framework requires expertise in both technical and business strategy to enable organizations to quantify and address risk. The goal is to reduce the likelihood that the threat of a cyber incident will derail their accelerated pursuit of business opportunities.
Doug Howard, RSA Vice President, Global Services, recently talked in more detail about the idea of a framework, describing it as a way of bringing together strategic thinking about risk with the tactical power of technology to carry out risk management strategies. This is the embodiment of integrated risk management, which RSA sees as fundamental to managing digital risk in all its complexity today.
# # #
For a deeper dive into the idea of a framework for managing cyber incident risk, take a look at the paper RSA Risk Framework for Cyber Incident Risk: Unifying IT Security and Business Risk Management.