A Deep Dive Into Cybersecurity Risk Management

Cybersecurity risk management refers to the process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. It involves a systematic approach to managing the risks associated with IT systems and information assets, aiming to protect them from cyber threats and vulnerabilities while aligning with your business objectives.

The expectation of cybersecurity risk management shouldn’t be to prevent every threat from ever becoming an issue. It’s impossible to anticipate and thwart every cyber threat. However, investing time and resources in an appropriate cyber risk strategy can significantly mitigate the impact of many threats and expedite recovery efforts, increasing your organization’s resiliency. The benefits of committing to your cybersecurity risk management include the following.

• Regulatory Compliance: Many industries are subject to stringent data protection and privacy requirements. A committed cybersecurity risk management approach ensures compliance with these regulations, avoiding penalties and legal issues.
• Access to New Markets: Demonstrating compliance with cybersecurity standards can facilitate expansion into new markets, especially in regions or industries with strict data protection laws.
• Increased Trust Among Stakeholders: Risk management efforts help build trust with important stakeholders, including customers, employees, and potential investors. Proactively addressing and managing cyber risks reflects your organization’s commitment to accountability and responsibility.
• Improved Awareness Culture. Robust risk management efforts positively contribute to a heightened awareness and organization-wide culture of cybersecurity risk management.

If knowing where to start is a challenge for your organization, look first at whether your industry has any specific requirements and frameworks. Several readily available frameworks and resources include best practices, requirements, and suggestions for managing cyber risk. 

The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) and Special Publications are two of the most popular and prevalent resources. Additional, non-NIST frameworks have been developed by government agencies and other standards bodies, including:

• ISO/IEC 27001
  Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission, the ISO/IEC 27001 framework was last updated in 2022 with a 2024 amendment related to climate change. The standard provides organizations of all sizes and sectors guidance for establishing, maintaining, and continually improving an information security management system. ISO/IEC 27001 promotes a holistic approach, thoroughly vetting people, policies, and technology to achieve effective risk management, cyber resilience, and operational excellence.
• CIS Critical Security Controls
  Now in its eighth version, the Center for Internet Security (CIS) Critical Security Controls include a prescriptive, prioritized, and simplified set of 18 overarching actionable best practices prioritizing activities over roles or details of device ownership. Through its Critical Security Controls, Implementation Groups, and accompanying tools and resources, the CIS claims organizations can simplify their approach to threat protection, achieve essential cyber hygiene, and translate information into action while abiding by all state and federal laws and industry regulations.
• PCI DSS
  The Payment Card Industry (PCI) Data Security Standards (DSS), developed by the PCI Security Standards Council (SSC), provide risk management guidelines and requirements that apply to all organizations that store, process, or transmit credit or debit card payment information. Originally developed by a coalition of major credit card companies and now on its fourth version, the PCI DSS is a global framework and security standard that helps provide a baseline of technical and operational requirements designated to protect payment data from cyber risks.

Consumers may most closely associate artificial intelligence (AI) with ChatGPT, but the technology’s potential goes significantly beyond the popular chatbot. 

AI is expected to heighten the ransomware threat worldwide and will almost certainly increase the global volume of cyberattacks, according to “The Near-Term Impacts of AI on the Cyber Threat,” from the National Cyber Security Centre (NCSC), a division of the United Kingdom government. 

The report reveals all types of cyber threat actors—state-sponsored and independent, organized crime rings, hacktivists, or less-skilled individuals—already use AI to varying degrees. Commonly, AI can enhance efforts to conduct surveillance and social engineering campaigns, making them more effective or difficult to detect.

In 2025 and beyond, AI’s most significant contribution to cybersecurity and risk management will come through the evolution and enhancements of existing and effective tactics, techniques, and procedures. The growing commoditization of AI-enabled cyberattack tools and services will enhance capabilities available to sophisticated cybercriminals and novices, hacktivists, and other less-skilled hackers for hire.

AI’s most sophisticated advancements in cyber threat operations are likely still limited to those with high-quality training data, significant resources, and early cyber and AI expertise. No matter the perpetrators, the NCSC expects AI to make certain cyberattacks more impactful as criminals can increasingly quickly and effectively exfiltrate and analyze data to train their AI models further.

Fortunately, cybersecurity and cyber risk management leaders recognize AI’s significant potential to transform society and impact the world’s technologies. NIST introduced its AI Risk Management Framework and launched the Trustworthy & Responsible AI Resource Center in 2023. The organization’s framework, playbook, roadmap, and other resources can improve the ability to incorporate trustworthiness considerations into designing, developing, using, and evaluating AI products, services, and systems.

Cybersecurity is a high-tech and cutting-edge field, but the most advanced prevention tools and sophisticated detection systems or access controls can still be undone, bypassed, and overridden by simple human error, user mistakes, indifference, or ignoring risk management best practices.

The human element is a significant risk and dangerous threat in cybersecurity because it’s largely unpredictable. Verizon’s 2023 Data Breach Investigations Report says 74% of all breaches involve the human element.

In the 2024 IBM X-Force Threat Intelligence Index, researchers disclosed a 71% year-over-year increase in cyberattacks leveraging employees’ stolen identities or compromised credentials. In monitoring more than 150 billion security events per day, 32% of incidents involve data breaches, theft, and leaks, indicating that financially motivated attackers favor stealing and quickly selling stolen data rather than encrypting it for ransomware extortion.

Security and password hygiene have never been more important. Attackers assuming users’ legitimate digital identities, unbeknownst to them, is one of the trends leading experts expect to see more of in 2024. IBM X-Force cybersecurity leaders expect enterprises to continue seeing more “doppelganger” users popping up within organizations’ internal environments. Slight or sudden abnormal changes in user behaviors may be difficult to detect, but they can be sure signs of compromised accounts and risk management threats.

From mishandling confidential data or sensitive information to falling for a spear phishing campaign or violating privileged access, strict policy controls and employee training efforts can often mitigate insider cybersecurity risks.

Many industries are experiencing increased cyberattacks resulting from supply chain vulnerabilities due to the interconnectivity of and dependency on global supply chains. For many organizations, successful breaches and cyberattacks against their suppliers—or even their supplier’s suppliers—can be just as damaging as attacks on their own networks. 

According to the UK government’s 2023 Cybersecurity Breaches Survey, 55% of larger enterprises and 27% of medium organizations report reviewing their immediate suppliers as part of their cyber risk management strategies. But those numbers plummet to just 34% and 15%, respectively, when examining their wider supply chains. 

The NCSC recommends four essential activities for encouraging collaborative relationships that can enhance cybersecurity risk management between organizations and their suppliers:

1. Map your suppliers. Construct a clear picture of your supplier network, your organization’s third-party risk management assessments, and steps to address cybersecurity posture issues.
2. Communicate across multiple links. Look for opportunities to enhance resilience and raise awareness among suppliers. Inquire about their standards and security needs with subcontractors or third-party vendors. To encourage honest and transparent relationships, challenge customers or consumers to communicate their experiences, challenges, and security needs. 
3. Integrate cybersecurity into contracts and agreements. Ensure basic compliance with minimum cybersecurity requirements in all requests for proposals and supplier contracts. Agreements should include clear details and expectations about what will happen in the event of a cybersecurity incident.
4. Utilize threat intelligence. Develop risk assessments, threat modeling, joint testing exercises, and incident responses with key suppliers and third-party partners. Consider risks, vulnerabilities, and scenarios most likely to target and affect multiple organizations or systems across the supply chain.