
Cordon Sanitaire Proactive Threat Centric Risk Management

We work with lines of business to predict future risks and, in so doing, open up new business opportunities that offer real competitive advantage. Our comprehensive proactive threat centric risk management approach and thought leadership service use industry recognised methodologies based on sound theoretical principles addressing Policies, Process and People. The approach is based on the Risk IT principles, which extend COBIT (the globally recognized IT governance framework) and are designed to have sufficiently low overhead that they can be used in real, time-constrained scenarios.

  • Retained Services - Adaptive Cyber security implementation guidance for commercial and public sector security requirements.
  • ISV Support Services - Working with Independent Software Vendors reviewing product security and assisting in feature set and roadmap planning to turn security into a selling point.

Risk & Cyber Risk Management Review Scenario

This scenario is based on real case study material. By the very nature of the services Cordon Sanitaire offers, and to maintain client confidentiality and security, it is a condition of every engagement that references and case studies cannot be directly associated with clients.

Overview

The client engaged us to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis and introduce Cyber Threat Defence Intelligence into the GRC (Governance, Risk and Compliance) methodology.

This was in response to a recognition that, over time, the overall risk status of the enterprise had changed. The risk assessment was increasingly being influenced by the business use cases for IT, which expanded a dependency on public network interconnectivity without a corresponding adjustment for the evolving Advanced Persistent Cyber Threat operating environment. This evolution in practice was in response to a valid need to deliver business performance automation and integration with third party systems and networks for competitive advantage, and it demonstrated how easy it was for the business to step over its own risk red lines.

This engagement addresses IT Risk with Cordon Sanitaire's Threat Risk methodology, which acknowledges the realities of Cyber Security through the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities. Although other risks the enterprise faced, including strategic risk, environmental risk, market risk and credit risk, were excluded from the terms of reference, the IT and Threat Risk assessments adopted a holistic view that included the non-IT dimensions of operational and compliance risk. In many enterprises, IT-related risk is considered to be a component of operational risk, and even strategic risk can have an IT component to it, especially where IT is the key enabler of business initiatives. The same applies to credit risk, where poor IT (security) can lead to lower credit ratings. For that reason we undertook the risk assessment phase of the project cognisant of the dependency on IT across other risk categories. The threat intelligence cycle is the backbone of the Cyber approach to traditional IT Risk, as illustrated below:

[Figure: Risk IT Matrix]

In executing this brief, a comprehensive risk management methodology was used based on sound theoretical 'Risk IT' principles extended with Cordon Sanitaire's 'Threat Risk' approach. Risk IT extends COBIT, the globally recognized IT governance framework, and is designed to have sufficiently low overhead and complexity that it can be used in real, time-constrained operations. Because of its solid theoretical foundations, it avoids many of the limitations and problems common to other risk management approaches and provides the agility to address the ever changing landscape of risk in the enterprise.

Objectives

To address the organisational need for:

  1. An accurate view of significant current and near-future IT and Cyber centric risks throughout the extended enterprise, and the success with which the enterprise is addressing them.
  2. End to end guidance on how to manage IT and Cyber related risks, beyond both purely technical control measures and security.
  3. Understanding how to capitalise on the investment already made in an IT internal control system for managing IT-related risk.
  4. Understanding how effective IT and Cyber Threat risk management enables business process efficiency, improves quality, and reduces Cyber exposure, waste and costs.
  5. Integration with the overall risk and compliance structures within the enterprise.
  6. A common framework and language to help communication and understanding across the lines of business, IT, risk and Threat management.
  7. Promotion of risk and Cyber threat management responsibilities, and their acceptance, throughout the enterprise.
  8. A complete risk and Cyber threat profile to better understand the enterprise's full exposure, so as to better utilise company resources.

Deliverables

The project was phased with the following Risk Assessment baselining deliverables:

  1. Risk Governance Report - Establishes the organisation's risk appetite and Cyber threat tolerance, responsibilities and accountability for IT and Cyber risk management, awareness and communication, and risk culture.
  2. Risk and Cyber Threat Evaluation Report - Describes business-specific impact and risk scenarios.
  3. Risk and Cyber Threat Response Action Plan - Defines the risk response: key risk and Cyber Threat indicators (KRIs), risk response definitions, and the prioritised programme of works to update the organisation's operational risk culture.

Post Script

We were engaged to help document and review core business processes and adjust them in recognition of the resetting of the enterprise's risk and Cyber threat based defence profile across the areas noted above. Following this, we were retained to provide a continuous watching brief to ensure adjustments were made in response to the ever changing threat landscape.
