Cyber risk has become a major risk for companies, which can feel helpless in the face of a constantly evolving threat and a growing diversity of attacks. Increasingly diffuse and difficult to grasp, it calls for a company-wide approach and reinforced cooperation that many Risk Managers and IS Security Managers struggle to put in place. Pragmatic solutions do exist, however, to bring the stakeholders together around this risk, and companies urgently need to mobilize their resources to prepare themselves as effectively as possible.
777 attacks per week on average in the EMEA region (+36%), 18,000 organizations affected by the SolarWinds attack alone, a 93% increase in the number of ransomware attacks worldwide (+300% in France, according to ANSSI), a financial impact of cybercrime anticipated at 6 trillion dollars in 2021... The latest published figures on the cyber threat are dizzying [1].
The digitization of the economy and of business activities is accelerating, with an ever-increasing number of interconnected Information Systems (IS) in what is now an extended enterprise. At the same time, cyber-attackers are becoming more professional, multiplying their attacks and increasing their technical sophistication, depth and speed. Cybercriminals now target all corporate activities, including core businesses (notably industrial systems, logistics networks, quality or payment systems), and no longer hesitate to use the company's ecosystem (suppliers, partners, service providers) as a stepping stone. These trends have turned Cyber risk into a polymorphous risk, more diffuse and more difficult to grasp, whose management goes far beyond the technical sphere: the barriers traditionally erected around the company's IS and managed by an "expert" IS Security Manager (ISSM, today's CISO) have shown their limits. It is imperative to adopt as holistic an approach as possible.
Despite this conviction, which is widely shared by bodies specializing in risk management and cybersecurity (AMRAE, ANSSI, etc.), collaboration around Cyber risk in French companies is still all too often theoretical. The report issued by the French Senate in June 2021 deplores "siloed management" and "minimalist cooperation" that fail to spread a shared risk culture and a common attitude towards the threat. We observe this lack of cooperation on a daily basis at our customers' sites, particularly between the CISO, the Risk Manager (RM) and the risk owners at operational level.
The relationship between the CISO and RM functions remains difficult until General Management positions Cyber risk as a strategic risk and imposes reinforced cooperation at a high level. But even when this is the case, pitfalls persist: RM and CISO have evolved in parallel in their approach to risk, each developing their own positioning, frames of reference, methods and criteria. Yet both have complementary resilience and efficiency objectives, and rely on similar information. In particular, both benefit from a total cost view of risk, including the estimation of financial losses and the evaluation of the cost of transfer (insurance) and of protection/detection measures. This view enables the CISO to rationalize the security measures to be deployed by weighing them against the real stakes involved, and, when the RM is in charge of the insurance program, it is useful for estimating the cost of potential claims and defining the amounts to be transferred or retained.
In addition to the silo between CISO and RM, cyber risk management is still too often disconnected from operational risk owners. We observe that the CISO is still all too often identified as the main person "responsible" for the company's level of IT security, and that he or she is far removed from the beneficiaries of that work: the business lines. This is particularly visible in IT projects: many are submitted to the CISO late, who then has to impose constraints that could have been anticipated had the business been made aware earlier. This lack of proximity to operational staff can also be seen on the RM side, notably in insurance programs. In a historically soft insurance market, many RMs took out standard Cyber policies without examining their needs in a concrete, operational way. Now that the market has hardened, some have had to get closer to the business to better understand what is at stake... sometimes discovering that the Cyber scenarios the business fears most are excluded or insufficiently covered.
With this in mind, it is time to bring together the various players involved in cyber risk management. The first step should be to bring RM and CISO together through a common discourse and tools that are as homogeneous as possible, so as to gradually establish a shared vocabulary, classification scales and methodologies that let them understand each other and collaborate. The second step is to build a stronger joint relationship with operational staff. Today, business lines are over-solicited by the various risk management players; harmonizing approaches to cyber risk can therefore lead to better understanding, stronger support and greater efficiency.
Among the existing approaches to these two steps, ANSSI offers a pragmatic Cyber risk analysis method that is unfortunately little known to risk managers and sometimes applied in an overly restrictive way by CISOs: EBIOS RM (EBIOS Risk Manager).
Carried out in full, this risk management approach helps meet the challenges of cooperation around Cyber risk in the enterprise. It is designed to be simple to implement, and uses concrete elements, scenarios and graphical tools to facilitate the participation of non-specialists in IS security (RM and operational staff) in the process of identifying and assessing Cyber risk.
EBIOS RM proposes a step-by-step approach, organized as a series of workshops: it starts from the strategic objectives of the scope under study (a production site, a business activity, etc.), then focuses on the IS components that are essential to achieving those objectives, the risk sources and the threats that could impact them. At each step, the most critical elements are identified and priorities set. The concrete approach and the active participation of the business units facilitate the identification of impacts, the development of a cross-functional view and a better understanding of the issues by all. It gives every stakeholder a sense of responsibility and encourages dialogue to find the right compromise between operational priorities, risks and management resources (IS security measures, transfer, etc.). EBIOS RM also addresses multiple objectives at different levels (strategic, operational, technical, etc.) by combining a scenario-based approach from the business/strategic point of view (strategic scenarios), a study of those same scenarios from the technical point of view (operational scenarios), and a compliance-based approach (the classic assessment of the existing security baseline).
In the cases of RM/CISO collaboration we have observed, the EBIOS RM process enabled concrete progress to be made within a few weeks. Most of the time, the RM used the results to strengthen the company's overall digital risk management process, a strategic objective in its own right. The RM also used the scenarios identified and quantified by operational staff to engage in a more constructive dialogue with insurers, submitting to them elements that are both concrete and technical. As for the CISOs concerned, they were able to build on complex technical scenarios to address their own objective of identifying IS vulnerabilities. They also gained greater visibility with operational staff and obtained concrete quantification elements enabling them to make informed decisions on the prevention/protection measures to put in place.
To face up to the acuteness of the Cyber threat and the existential risk it represents for the company, there is an urgent need to mobilize and de-silo the organization by adopting a cross-functional approach. As the person responsible for risk mapping across all corporate functions, the RM is undoubtedly best placed to play a unifying role and to bring objectives into convergence.
Key figures:
777 attacks per week on average in the EMEA region in 2021
93% increase in the number of ransomware attacks worldwide
6 trillion dollars: anticipated financial impact of cybercrime in 2021
[1] Sources: ANSSI, Cybersecurity Ventures, Check Point Software Technologies