Virtualization Technology News and Information
Risk Management and Cybersecurity go hand in hand in preventing brand loss caused by Data Breach

By Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice, Infosys

Branding plays a critical role in business growth, especially in an age of relentless innovation and little differentiation between products. Studies have shown that when consumers are asked to choose, they are far more likely to select a brand they recognize and trust. Customers also seek greater personalization in their interactions and are often willing to part with personal data to enable it. Companies are leveraging this data, especially on digital platforms, to offer highly differentiated experiences to customers.

As the volume of data exchanged with brands goes up, the impact of data breaches on brand reputation becomes even more significant. A recent Infosys study indicates that a data breach can cause 65% of consumers to lose trust, while 85% would choose to stop engaging with the organization. Given this, discussions on security transcend the CISO's office and become part of boardroom discussions.

The immediate impact of a data breach manifests as negative perception, reduced engagement, and loss of trust. It can also draw the attention of regulators, investors, and shareholders. These factors drive home the importance of risk management and the role it can play in addressing reputational risks arising out of cybercrimes.

The CISO and the CRO share a common goal of minimizing risks and their impact

There are typically two ways to manage reputational risk in an organization. One is to recognize it as a separate risk and therefore look for root causes that may trigger such threats. The other approach is to view reputational damage as a consequential impact, requiring one to trace back the risks that could cause brand value loss. The Risk Management Society or RIMS, a global not-for-profit organization committed to advancing the practice of risk management, accepts both approaches as valid.

Irrespective of the approach an organization adopts, it is essential to ensure that the CISO and the CRO are aligned in their objectives. They both must aim to reduce the impact of cyberattacks on the brand of a business.

Typically, the cybersecurity team is responsible for strengthening the security posture of an organization along with ensuring compliance with data privacy and IT security mandates. The Enterprise Risk Management team, on the other hand, drives the risk management strategy, keeping the various risks that an organization may be exposed to at acceptable levels. Among the many risks they cover are cybersecurity risks, with reputational impact as a key impact parameter. Despite their different departmental goals, the two teams can complement each other in the detection, assessment, and remediation of risks related to cyberattacks. A shared objective with clearly defined roles and responsibilities can ensure an organization is well prepared for any breach - in detection, prevention, remediation, and progressive correction of its cyber strategy.

Managing Cyber Risks from a brand perspective - Assessment, Mitigation, and Governance

There are three primary steps to managing cyber risks.

Risk Assessment

Risk Assessment generally comprises three phases - Identification, Analysis, and Evaluation. Data collection, identifying vulnerabilities and threats, identifying key risk scenarios and risk indicators, understanding data criticality, threat capability, the likelihood of occurrence, and the possible impacts of risk materialization are significant aspects of this stage. Identifying data that is critical and needs to be protected and analyzing the fallout of a data breach, such as negative media coverage, loss of stakeholder confidence, and customer trust, are vital elements to consider.

The reputational impact is assessed exclusively and calculated as part of risk impact assessment. Periodic proactive analysis of global data breaches and cyber-attacks, reviewing the organization's exposure, susceptibility, and resilience to such attack vectors, helps organizations prepare and implement preventive measures.

Risk Mitigation

Prioritization of risks based on the risk assessment and cost-benefit analysis is the first primary step in planning risk mitigation. The cybersecurity team, with the help of other functions, handles cyber risk mitigation by implementing layers of preventive, detective, and corrective controls with a defence-in-depth approach, supported by well-defined processes and governance routines. These cyber controls and related processes are monitored, measured, and improved continuously.

A robust and comprehensive cybersecurity program managed by a dedicated enterprise cybersecurity team is imperative to any organization for effective cyber risk mitigation.

Sustained compliance and alignment with industry standards and best practices such as ISO 27001, ISO 31000, the NIST Cyber Security Framework, and the ISF Standard of Good Practice for Information Security strengthen an organization's security posture and ensure cyber risks are managed and governed effectively.

The risk management activities can be automated and further structured by integrating the process into the Governance, Risk, and Compliance solution. This will ensure a systemic approach and effective management of risk mitigation.


Risk Governance

The responsibility of risk governance lies with the cybersecurity team, the enterprise risk management team, the executive leadership, and the board. Governance includes assessing the inherent, current, and residual risks and tracking the progress of mitigation efforts. It also involves identifying any new risks resulting from mitigation efforts and addressing them suitably. Given the broad scope, risk management is evolving to become a crucial part of strategy and decision-making. The cybersecurity risk management framework must be aligned to the Enterprise Risk Management (ERM) methodology. Critical cybersecurity risks are reported to the board every quarter, with a focus on bringing the risk levels down by implementing the identified mitigation measures. Inculcating a risk-aware culture across the organization enables a risk-based approach and informed decision-making at all layers.


The role of Enterprise Risk Management teams has evolved from being gatekeepers to becoming enablers of strategy and decision support systems. Their work extends beyond anticipating, identifying, and managing risks to facilitating better decision-making by executive leadership.



Vishal Salvi 

Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys Group. He is additionally responsible for the Cyber Security Business Delivery, driving security strategy, delivery, business and operations, enabling enterprises' security and improving their overall posture. With over 25 years of industry experience in cybersecurity and information technology across different industries, Vishal has extensive management and domain experience in driving transformation cybersecurity programs, delivery and sales in all key areas. He is part of various Advisory Councils and Boards that provide leadership and direction on various cybersecurity frameworks and standards to drive adoption of cyber security across industry.

Published Friday, June 11, 2021 7:40 AM by David Marshall