By Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice, Infosys
Branding plays a critical role in business growth, especially in an age
of relentless innovation and little differentiation between products. Studies
have shown that when consumers are asked to choose, they are far more likely to
select a brand they recognize and trust. Customers also seek greater
personalization in their interactions and are often willing to part with
personal data to enable it. Companies are leveraging this data, especially on
digital platforms, to offer highly differentiated experiences to customers.
As the volume of data exchanged with brands goes up, the impact of data
breaches on brand reputation becomes even more significant. A recent Infosys
study indicates that a data breach can cause 65% of consumers to lose trust,
while 85% would choose to stop engaging with the organization. Given this,
security is no longer confined to the CISO's office; it has become a boardroom
discussion.
The immediate impact of a data breach manifests as negative
perception, reduced engagement, and loss of trust. It can also draw the
attention of regulators, investors, and shareholders. These factors drive home
the importance of risk management and the role it can play in addressing
reputational risks arising out of cybercrime.
The CISO and the CRO share a common goal of minimizing risks and their impact
There are typically two ways of managing reputational risk in an
organization. One is to recognize it as a separate risk and therefore look for
root causes that may trigger such threats. The other approach is to view
reputational damage as a consequential impact, requiring one to trace back the
risks that could cause brand value loss. The Risk Management Society (RIMS), a
global not-for-profit organization committed to advancing the practice of risk
management, accepts both approaches as valid.
Irrespective of the approach an organization adopts, it is essential to
ensure that the CISO and the CRO are aligned in their objectives. They both
must aim to reduce the impact of cyberattacks on the brand of a business.
Typically, the cybersecurity team is responsible for strengthening the
security posture of an organization along with ensuring compliance with data
privacy and IT security mandates. The Enterprise Risk Management team, on the
other hand, drives the risk management strategy, managing the various
risks that an organization may be exposed to at acceptable levels. One of the
many risks they cover is cybersecurity risk, with reputational impact as a key
impact parameter. Despite their different departmental goals, they can
complement each other in the detection, assessment, and remediation of risks
related to cyberattacks. A shared objective with clearly defined roles and
responsibilities can ensure an organization is well prepared for any breach -
in detection, prevention, remediation, and progressive correction of its cyber
strategy.
Managing Cyber Risks from a Brand Perspective - Assessment, Mitigation, and Governance
There are three primary steps to managing cyber risks.
Risk Assessment
Risk Assessment generally comprises three phases - Identification,
Analysis, and Evaluation. Data collection, identifying vulnerabilities and
threats, identifying key risk scenarios and risk indicators, understanding data
criticality, threat capability, the likelihood of occurrence, and the possible
impacts of risk materialization are significant aspects of this stage.
Identifying data that is critical and needs to be protected and analyzing the
fallout of a data breach, such as negative media coverage, loss of stakeholder
confidence, and customer trust, are vital elements to consider.
Reputational impact is assessed separately and quantified as part of
the risk impact assessment. Periodic, proactive analysis of global data breaches
and cyberattacks, reviewing the organization's exposure, susceptibility, and
resilience to those attack vectors, helps it prepare and implement preventive
measures.
Risk Mitigation
Prioritization of risks based on the risk assessment and cost-benefit
analysis is the first step in planning risk mitigation. The cybersecurity
team, with the help of other functions, handles cyber risk mitigation by implementing
layers of preventive, detective, and corrective controls using a defence-in-depth
approach supported by well-defined processes and governance routines. These cyber
controls and related processes are monitored, measured, and improved
continuously.
A robust and comprehensive cybersecurity program managed by a dedicated
enterprise cybersecurity team is imperative for any organization seeking effective cyber
risk mitigation.
Sustained compliance and alignment with industry standards and best
practices such as ISO 27001, ISO 31000, the NIST Cybersecurity Framework, and the ISF Standard
of Good Practice for Information Security strengthen an organization's
security posture and ensure cyber risks are managed and governed effectively.
Risk management activities can be automated and further structured
by integrating the process into a Governance, Risk, and Compliance (GRC) solution.
This ensures a systematic approach and effective management of risk
mitigation.
Governance
The responsibility for risk governance lies with the cybersecurity team,
the enterprise risk management team, the executive leadership, and the
board. Governance includes assessing the
inherent, current, and residual risks and tracking the progress of mitigation
efforts. It also involves identifying any new risks resulting from
mitigation efforts and addressing them suitably. Given this broad scope, risk
management is evolving to become a crucial part of strategy and
decision-making. The cybersecurity risk management framework must be aligned with
the Enterprise Risk Management (ERM) methodology. Critical cybersecurity risks
are reported to the board every quarter, with a focus on bringing the risk
levels down by implementing the identified mitigation measures. Inculcating a risk-aware
culture across the organization enables a risk-based approach and informed
decision-making at all levels.
--
The role of Enterprise Risk Management teams has evolved from being
gatekeepers to becoming enablers of strategy and decision support systems.
Their work extends beyond anticipating, identifying, and managing risks to
facilitating better decision-making by executive leadership.
ABOUT THE AUTHOR
Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys Group. He is additionally responsible for the Cyber Security Business Delivery, driving security strategy, delivery, business and operations, enabling enterprise security and improving overall security posture. With over 25 years of industry experience in cybersecurity and information technology across different industries, Vishal has extensive management and domain experience in driving transformational cybersecurity programs, delivery and sales in all key areas. He is part of various advisory councils and boards that provide leadership and direction on cybersecurity frameworks and standards to drive the adoption of cybersecurity across industry.