Risk Manager’s Pivotal Role In Effective Technology And Cyber Risk Management
The presence of cyber threats in this digital era is now even more prevalent and sophisticated, as evident from the increased frequency of cyber-related incidents featured in news headlines. With organisations pursuing more digitalisation initiatives, investing in state-of-the-art technology solutions remains critical to stay on top of the game. But how can these technology and cyber threats be better managed through the lens of a risk manager?
From my observations, it is evident that technology and cyber risks have been elevated to the principal risk level and prioritised by senior management in many organisations. Risk managers play a pivotal role in influencing effective technology and cyber risk management through three core elements - People, Process and Technology.
- “Humans are the weakest link”. We often hear this as the root cause for phishing and ransomware attacks. In order to prevent such occurrences, risk managers can lead regular social engineering testing as a form of training for staff. This enables staff to be trained to recognise phishing email indicators, thereby elevating the organisation’s cyber risk awareness.
- Identifying data types. Risk managers can facilitate data exploration exercises to identify the different types of organisational data while classifying them based on sensitivity. Based on the different data classification levels, controls for each level can be introduced. This provides the opportunity for staff to be trained in handling sensitive data during their course of work.
- Up-to-date policies and standards. Policies and standards covering technology, information and cyber risks must be kept up to date so that systems, new products and services remain compliant with regulatory requirements. In instances of non-compliance, the IT custodians and risk owners have to perform a risk scenario analysis to determine the risk severity and formulate the required action plans. Based on the outcome and quality of the risk assessment, risk managers can engage in constructive challenge when assessing whether the risk item is within the organisation's risk appetite.
- Adopting the “least privilege” principle. Risk managers should perform periodic reviews to ensure that staff’s access to confidential information is controlled and based on assigned roles with clear segregation of duties. In addition, on the IT architecture front, the zero-trust security model should be adopted where all users within or outside the organisation’s network have to be authenticated, and continuously validated for security configuration and posture before being granted access to applications and data.
- Performing thematic reviews. In addition to reviews of general IT controls, organisations can perform thematic reviews against the processes and controls listed in guidance documents issued by regulators and professional bodies. A gap analysis gives risk managers a better understanding of the organisation's technology and cyber posture, allowing them to identify areas for improvement.
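The periodic least-privilege review described above can be made repeatable rather than a manual spreadsheet exercise. The following is an added illustration, not code from the article or from OCBC Bank: it assumes a hypothetical role matrix (which entitlements each business role may hold), a hypothetical list of segregation-of-duties conflicts, and an export of each user's assigned roles and actual entitlements. All sample data is constructed. The review flags entitlements not justified by any role, users holding both halves of a conflicting pair, and roles that no longer exist in the matrix (a common sign of stale access).

```python
"""Periodic least-privilege and segregation-of-duties access review.

Added illustration (not from the article). Role matrix, SoD rules and
the user export below are all constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical role matrix: the entitlements each business role may hold.
ROLE_MATRIX = {
    "payments_maker": {"payments.create"},
    "payments_checker": {"payments.approve"},
    "risk_analyst": {"risk.report.read", "customer.pii.read"},
    "helpdesk": {"tickets.read", "tickets.write"},
}

# Hypothetical segregation-of-duties rules: no single person may hold both.
SOD_CONFLICTS = [
    ("payments.create", "payments.approve"),
]


@dataclass
class UserAccess:
    user: str
    roles: set          # roles assigned in the HR / IAM system
    entitlements: set   # what the target system actually grants today


@dataclass
class Finding:
    user: str
    kind: str           # "unknown_role" | "excess_entitlement" | "sod_violation"
    detail: str


def permitted_for(roles, role_matrix):
    """Union of entitlements the user's roles allow, plus any roles not in the matrix."""
    permitted, unknown = set(), []
    for role in sorted(roles):
        if role in role_matrix:
            permitted |= role_matrix[role]
        else:
            unknown.append(role)
    return permitted, unknown


def review_access(records, role_matrix=ROLE_MATRIX, sod_conflicts=SOD_CONFLICTS):
    """Return the findings a reviewer would raise for each user record."""
    findings = []
    for rec in records:
        permitted, unknown = permitted_for(rec.roles, role_matrix)
        # Roles that no longer exist in the matrix cannot justify any access.
        for role in unknown:
            findings.append(Finding(rec.user, "unknown_role", role))
        # Anything granted beyond what the roles permit violates least privilege.
        for ent in sorted(rec.entitlements - permitted):
            findings.append(Finding(rec.user, "excess_entitlement", ent))
        # Conflicting pairs are checked against actual grants, not roles,
        # so a user holding two legitimate roles is still caught.
        for a, b in sod_conflicts:
            if a in rec.entitlements and b in rec.entitlements:
                findings.append(Finding(rec.user, "sod_violation", f"{a} + {b}"))
    return findings


def summarise(findings):
    """Group findings per user for the review report."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f"{f.kind}: {f.detail}")
    return by_user


# Constructed sample export of four users.
SAMPLE_EXPORT = [
    UserAccess("alice", {"payments_maker"}, {"payments.create"}),
    UserAccess("bob", {"payments_maker", "payments_checker"},
               {"payments.create", "payments.approve"}),
    UserAccess("carol", {"helpdesk"},
               {"tickets.read", "tickets.write", "customer.pii.read"}),
    UserAccess("dave", {"former_contractor"}, {"risk.report.read"}),
]

if __name__ == "__main__":
    for user, items in summarise(review_access(SAMPLE_EXPORT)).items():
        print(user)
        for item in items:
            print("   ", item)
```

In the sample, alice is clean; bob's two roles are individually valid but together breach the maker/checker rule; carol has an entitlement no helpdesk role grants; dave's role is no longer in the matrix, so everything he holds is flagged. Running this against a real IAM export on a schedule, and tracking how long each finding stays open, gives the risk manager evidence for the periodic review rather than a point-in-time attestation.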
The following are examples of guidelines issued by the Monetary Authority of Singapore:
- Oversight on service providers. With the increasing reliance on service providers to provide critical business functions, the IT infrastructure and external service providers have inevitably become part of an organisation’s risk environment. Risk managers can independently assess and ensure adequate internal controls are established in the service provider’s IT environment.
- “What to do” manuals. Risk managers play a critical role by ensuring that incident response and business continuity plans are tested and updated regularly. In addition, conducting cyber tabletop exercises ensures that all stakeholders, including service providers, are well-coordinated to respond swiftly and decisively in the event of a cyber-attack or service disruption.
- Regular system “health checks”. Conducting periodic vulnerability scanning and penetration testing enables risk managers to identify and prioritise critical and exploitable system vulnerabilities for remediation. In addition, risk managers can proactively ensure that the IT inventory is up to date and provide the necessary support for technology refresh exercises, which address ongoing concerns about technological obsolescence.
- Lines of defence. An organisation's defence-in-depth strategy should be determined and evaluated periodically to ensure that cyber threat playbooks and tools are synergised to respond promptly. More importantly, adequate controls and defence mechanisms must be in place to protect the organisation's crown jewel – its sensitive data.
- Emerging technologies. In the pursuit of emerging technologies such as artificial intelligence, 5G and the Internet of Things, risk managers should keep abreast of new technology risks. Building collective insights and keeping up with the latest cybersecurity trends allow risk managers to manage emerging cyber threats effectively.
The presence of risk managers ensures that there is constant value-add across these three core elements at the organisational level. This multi-pronged approach in managing technology and cyber risks strengthens an organisation’s resilience against the ever-evolving cybersecurity threat landscape.
Koh Tee Chuan is an Assistant Vice President, Information Security and Digital Risk Management, OCBC Bank. He is a member of IIA Singapore Young Professionals Working Group.