The fact that many organizations have little or no IT governance program is quite surprising—especially when there’s a steady flow of daily data breaches making the news.
We looked to the Global Cyber Risk Perception Survey by Marsh and Microsoft to figure out what cyber risks are top of mind with IT execs. The data showed that the risks which have the highest potential impacts on the business include (in order):
These cyber risks are all very significant and could damage an organization—possibly to the point of collapse. So it was surprising to learn that one-third of IT execs surveyed by Deloitte admit they have little or no IT governance process in place.
So, the risks have been determined. Now what?
Identifying associated risks
The next step is to identify the associated risks for each cyber risk. These are possible events that increase the likelihood of the cyber risk occurring.
For example, a cyber risk from our list is business interruption. Associated risks could include things like:
If any or all of these associated risks happen, the likelihood of experiencing business interruption increases significantly. So how do we prevent, or at least monitor, the likelihood of the associated risks?
Using KRIs to monitor associated risks
Key risk indicators (KRIs) help monitor and control risks—like the ones we’ve listed above.
A risk indicator can be any metric used to identify a change in risk exposure over time. It becomes a KRI when it tracks a critical risk, or when it does so especially well because of its predictive value. Ideally it does both.
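To make the definition concrete, here is an added example (not from the original post) of a small KRI tracker: it records a metric periodically, compares the latest reading against amber and red thresholds, and computes the change against the recent window, which is the "predictive" part. The indicator used, weekly count of servers with failed backups as a signal for the business interruption risk, and all thresholds and readings are constructed assumptions.

```python
"""Added example: a minimal key risk indicator (KRI) tracker.

Assumption (not from the original post): the KRI is the weekly count of
servers whose backup job failed, used as an indicator of the business
interruption cyber risk. Thresholds and sample readings are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class KRI:
    name: str
    amber: float            # exposure is rising: investigate
    red: float              # exposure is critical: escalate
    window: int = 4         # prior observations used to measure the trend
    history: list = field(default_factory=list)

    def record(self, value: float) -> None:
        """Store one periodic observation (for example, one per week)."""
        self.history.append(value)

    def status(self) -> str:
        """RAG status of the latest observation against the thresholds."""
        latest = self.history[-1]
        if latest >= self.red:
            return "red"
        if latest >= self.amber:
            return "amber"
        return "green"

    def trend(self) -> float:
        """Latest value minus the mean of the prior window.
        Positive means risk exposure is increasing over time."""
        prior = self.history[-self.window - 1:-1]
        return self.history[-1] - mean(prior) if prior else 0.0

    def needs_escalation(self) -> bool:
        """Escalate when critical, or when amber and still climbing."""
        s = self.status()
        return s == "red" or (s == "amber" and self.trend() > 0)


# Constructed sample: weekly failed-backup counts across a server fleet.
FAILED_BACKUPS = [1, 0, 2, 1, 4, 6]


def demo() -> KRI:
    kri = KRI("servers with failed backups (weekly)", amber=3, red=8)
    for v in FAILED_BACKUPS:
        kri.record(v)
    return kri
```

With the sample data the latest reading is amber, but the upward trend against the prior four weeks is what triggers escalation before the red threshold is reached.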
There are a few characteristics that make up a good KRI. The indicator/data would be:
It’s important to note that each organization will have unique enterprise or organizational risks, just as each IT department will have its own set of priority risks. Consequently, no two IT teams will have the same KRIs.
Using the example of business interruption, some KRIs we’d recommend include:
Soon we’ll be releasing a full white paper with more information on how to create your own KRIs, including 10 more examples of KRIs related to these top cyber risks. In the meantime, read up on Information technology governance: best practices to prevent data breaches.
In this 22-page eBook, you’ll learn how to:
- Identify and assess IT risks and map them to controls
- Plan, scope, and stress test micro risks
- Assess the effectiveness of existing controls
- Capture, track, and report deficiencies
- Create a continuous cycle of testing, monitoring controls, and addressing exceptions