Resiliency under Strategic Foresight: The effects of Cybersecurity Management and Enterprise Risk Management Alignment By: Abraham Althonayan & Alina Andronache CyberSA 2019

Resiliency under Strategic Foresight: The effects of Cybersecurity … · 2019-06-08 · Alignment of CsM with ERM would help in understanding points of interconnections, holistic


Page 1

Resiliency under Strategic Foresight: The effects of Cybersecurity Management and Enterprise Risk Management Alignment

By: Abraham Althonayan & Alina Andronache

CyberSA 2019

Page 2

Presentation overview

1. Define the scope and value of the study
2. Outline the research gap
3. Discuss key findings
4. Summary and closing remarks

Page 3

Why are organisations still unsuccessful in applying effective risk controls at all levels when deploying online activities or operations?

'paradox of progress'

Page 4

[Framework diagram: "Resiliency under Strategic Foresight". Labels recovered from the figure:]

  Cybersecurity Management
  Enterprise Risk Management
  Strategic Alignment
  Cross-functional governance
  Organisation mission, vision and strategy
  External environment / Internal environment

  Unified capabilities of risk governance:
    Risk Control
    Risk Oversight
    Risk Accountability
    Risk Compliance
    Risk Knowledge
    Risk Effectiveness
    Risk Resiliency
    Sustainability
    Risk Foresight

  Interconnectivity, Communication, Partnership

  Deliverables:
    'baseline expectations'
    'mandate managerial directions'
    'establishment of strategic directions'
    'implement managerial directions'
    'monitoring and reviewing practices'

Page 5

Cybersecurity Management (CsM) is a multi-faceted strategic mechanism that proactively makes use of risk control and risk oversight functions ingrained at all levels in order to ensure both value protection and value enhancement across an organisation; it is driven by organisational strategy and depends on variables such as cyberspace, people, practices, processes, assets, technology, and information.

The purpose of Enterprise Risk Management (ERM) is to guide organisations in dealing with risks holistically and responding to uncertainties.

Aligning CsM with ERM would help organisations to understand points of interconnection, take a holistic view of risks (where they are systemic), break risks down to gain more significant insights, deploy risk oversight, and create foresight capabilities for controlling, managing and governing risks.

[Diagram scale: Resiliency <-> Fragility]

Page 6

Theory Gap: Cybersecurity Management (CsM), Enterprise Risk Management (ERM), and Strategic alignment

• unclear theory (fragmented terminology and meanings);
• limited consideration for the financial industry;
• granular strategy in risk oversight;
• drawbacks in implementation;
• embedded silo practices;
• contradiction between theory and practice.

• scarce strategic alignment literature that focuses on CsM and ERM;
• low level of maturity in implementation;
• a lack of practical alignment literature guidance;
• weak support of management (top to bottom);
• scarce industry-specific focus.

• immature awareness of effectiveness and performance;
• scarce proofs of lessons learnt from past failures;
• immature applicability;
• implementation drawbacks;
• focused on due care for compliance.

Page 7

Silo vs. Strategic

Enterprise-wide proactive strategy (Cybersecurity : ERM), advantages of alignment:

• Assures holistic governance of risks;
• Avoids duplication (resource allocation);
• Gains competitive advantage/performance;
• Sustains enterprise-wide compliance;
• Optimises cross-domain knowledge;
• Derives value from IT (strategic use);
• Effective strategic prioritisation;
• Increase in business performance;
• Increased resiliency;
• Enhanced organisational awareness;
• Reduced costs and time by mitigating losses;
• Determines organisational risk awareness;
• Lower costs/reduced double effort;
• Real-time visibility of business performance;
• Sustained shared communication;
• Supports business strategy and objectives.

Siloed strategy (Technology : Cybersecurity):

• Duplicated control functions;
• Duplication of resources and infrastructure;
• Focus on technical aspects (hardware, software);
• Focus on vulnerabilities, not opportunity;
• Fragmented governance;
• Lack of accountability (how effective it is);
• Lack of common language;
• Deficiency in holistic communication;
• Lack of consensus between IT strategy and ERM strategy;
• Tendency towards purely technical security awareness;
• Lack of strategic use of IT;
• Late risk identification (reactive);
• Misalignment with organisational strategy;
• Departmental silo strategies (double effort, cost, and time consuming);
• Uncertain return on spending;
• Organisational dysfunctions in planning.

Page 8

Research Findings

Stream #1: Theoretical Antecedents (systematic thematic analysis)

Seven strands of the strategic alignment literature, each with the scope tagged on the slide:

1) IT : Business. Information Technology & Business Strategy. Scope: Operational.
   Implies an approach that focuses on processes and the technology risk landscape to coordinate related operational aspects (rooted in the technical side).

2) IS : Business. Information Security & Business Strategy. Scope: Strategic and Operational.
   Addresses and underpins operational and technical control perspectives in order to generate resilience and assess information security risk through a siloed (information) perspective, even though it considers the security implications of people, facilities, technology, infrastructure, processes, and strategy.

3) IT Governance : RM. Information Technology Governance & Risk Management. Scope: Operational, Structural and Strategic.
   A strategic approach to embedding IT in business capabilities.

4) IS : RM : Business. Information Security, Risk Management & Business Strategy. Scope: Strategic.
   Takes into consideration an integration of both theories (IS and RM) in order to establish a favourable and safe environment for business.

5) IS : ERM. Information Security & Enterprise Risk Management. Scope: Strategic.
   Focuses on aligning IS strategy to enterprise-wide risk oversight; addresses a semi-siloed perspective when compared with this paper's focus.

6) CsM : RM. Cybersecurity, Risk Management & Business Strategy. Scope: Structural, Strategic and Social.
   Addresses a semi-siloed solution within the RM domain but omits to discuss enterprise-wide alignment. It applies the principles of RM and aligns them with business strategy.

7) CsM : ERM : Business. Cybersecurity, Enterprise Risk Management & Business Strategy. Scope: Strategic, Structural and Social.
   Alignment of CsM with ERM avoids risk-siloed approaches and reduces organisational exposure owing to a single, unified mechanism that can deal with all risk portfolios.

Page 9

Research Findings

Stream #2: Empirical Results (semi-structured interviews)*

*results based on 26 semi-structured interviews

Reimbursement
➢ Compliance (24%)
➢ Competitive advantage (20%)
➢ Resilience (20%)
➢ Organisational effectiveness (14%)

Determinants
➢ Internal pressure
  • Organisation's board (14.29%)
  • Internal culture (10.20%)
➢ External pressure
  • Standards (31%)
  • Cyber threats' velocity and complexity (16.33%)
  • Regulatory pressure (14.29%)

Inhibitors
➢ People-centric
  • Lack of awareness (17.91%)
  • Lack of employee competencies (10.45%)
➢ Strategy-centric
  • Cost (11.94%)
  • Silos (10.45%)
  • Lack of maturity (24%)
  • Regulatory consequences (17.33%)
  • Financial loss (16%)

Alignment
➢ Consideration for CsM alignment with ERM (69.23%)
➢ Deliverables
  • Translating priorities (26.2%)
  • Defining a common strategy (16.67%)
  • Evaluating/assessing performance (25%)
  • Ensuring recognition of due care (10.71%)
  • Education at every level of implementation (10.71%)
  • Ensuring executive-level support (10.71%)
➢ Inhibitors
  • Skilling deficiencies (13.04%)
  • Cultural deficiencies (11.59%)
  • Lack of appropriate governance (10.14%)

Empirical data revealed that the alignment of CsM with business strategy can deliver superior risk handling, risk reporting, analysis, mitigation, and resiliency across the whole of an organisation.

Page 10

DISCUSSION AND IMPLICATIONS: Theoretical Antecedents & Empirical Results

i. the antecedents of strategic alignment showed a conceptual evolution (IT, IS, RM, ERM, CsM), segregated into various technical, operational and/or strategic strands;
ii. overcoming cyber risks holistically is a current issue for organisations;
iii. research is fragmented and has thus stimulated reactive cybersecurity to the detriment of proactive practices;
iv. the results show that alignment has a positive impact on the achievement of the organisation's mission, strategy, and objectives;
v. the research identified various factors, approaches, enablers, and inhibitors;
vi. a lack of unified risk oversight can have ripple effects due to unclear paths for how controls should apply to asset valuation, risk prioritisation, risk reporting, analysis, mitigation, and resiliency;
vii. the findings suggest it would be more useful for organisations to carry out alignment by incorporating the principles of ERM and deploying alignment with CsM.

Page 11

Closing remarks

A focused strategic approach can optimise the effectiveness of risk oversight and sustain the achievement of an organisation's objectives.

Organisational risk oversight is under-researched (reactive, defensive), and the alignment of CsM with ERM is a justified joint effort that contributes to the holistic control of risks.

The results of this exploratory paper support an understanding of risk oversight development whilst articulating the gaps in theory and practice associated with misalignment.

The study found evidence that strategic alignment can enact integrated capabilities to renew and redeploy an aligned risk oversight of CsM with ERM (instead of siloed and reactive controls).

Strategic risk foresight was found to be a benefit of aligning CsM with ERM (vs. risk control and oversight).

Page 12

Do you have any questions?

E: [email protected]

Thank you