
Technology and Cyber Risk



“The important and difficult job is never to find the right answers, it is to find the right question.”

—PETER DRUCKER


The Practice of Management. Should be studied by all business managers.



So what is the right question for managing Technology and Cyber risk?


Since risk management is identifying the exposure, implementing controls to contain the potential financial and reputational losses within the Risk Appetite, having the resources and plan to rapidly recover from a loss after it happens, and having the right governance to manage these effectively, we will start with exposure. The right question then is: what is the exposure?


A quick search for types of cyber risk on the internet will produce a long list such as

  • Data breaches,

  • Phishing attacks,

  • Malware attacks,

  • Ransomware attacks,

  • DDoS attacks,

  • Password breaches,

  • Insider threats,

  • IoT threats,

  • Cloud risks, etc.

If you search for technology risk the list will include data breaches, cyber-attacks, and system failures.


Familiarize yourself with each of these and test your understanding by explaining each to one of your group members.


After you have completed this exercise, consider the following questions:

  1. Are technology risk and cyber risk the same? From the above, there seems to be at least some overlap.

  2. Can the list be structured as a MECE (mutually exclusive, collectively exhaustive) list? Perhaps breaches, attacks, threats?




All you need to know about Cyber Risk:


Cybersecurity management is the application of the ECRG framework to ensure that information is available to whoever is authorized to access the information, that sensitive information is kept confidential, and that the information has integrity.






The State of Cyber Risk Management And Industry Survey by Deloitte


The shift toward remote work and virtual customer engagement in the financial services industry appears to have fueled not only digitalization but also several changes to the cybersecurity landscape. This article takes a fresh look at cybersecurity through the lens of a leadership survey and reveals what changes might be ahead for the sector.




Quantifying Cyber Risk: Factor Analysis of Information Risk (FAIR)


The FAIR approach to quantifying Cyber Risk, see:


The FAIR Institute site is a valuable resource to explore cyber risk topics, especially the quantification of cyber risk:





xuelan.li
Nov 09, 2023

To my understanding, cyber risk is considered a subset of technology risk because it specifically focuses on the risks associated with the virtual, digital areas of computers, information systems, and the internet. As the scope of technology risk encompasses all forms of risk related to technology, it includes not only cyber risks but also risks related to the failure of technological equipment, errors in the implementation of technology, and risks associated with non-digital data, such as that stored on physical media. To be more specific, cyber risk is inherently digital, concerning threats that emerge from networked systems and the internet. Technology risk includes both digital risks and those associated with non-digital technologies, like industrial machinery not connected to a network.
