(Expansión) – In the wake of the COVID-19 pandemic, cybersecurity has become a critical success factor in the corporate world, not just another discipline. According to the latest EY Global Information Security Survey, only 18% of companies consider that information security influences their strategic planning on a regular basis, and for 55% it influences their corporate strategy little or not at all.
It should be noted that cyber risk management is today one of the pillars of the risk management discipline. A properly implemented strategy of this type has a significant economic impact on the company's revenue.
However, many companies currently lack a true picture of their cyber risk profile. And when they do have one, it is not structured in a way that is easily digestible for senior leadership. This hinders decision-making by the Board of Directors and leaves the company's information permanently exposed, where it could easily be compromised in a cyberattack.
One advantage of having a risk management strategy is that it expresses potential impacts in monetary terms, which allows the company to make better decisions more quickly. However, only 32% of CISOs currently use their time with the Board of Directors to discuss forward-looking issues related to cyber risk management and to drive change.
Some of the most relevant challenges that organizations currently face in the digital sphere are a high dependence on information technology, which is increasingly used to support business operations (especially in the financial sector), as well as the use of emerging technologies (e.g. cloud computing, blockchain, artificial intelligence), which increase the risks to which organizations are exposed.
In this context, a proper cyber risk management strategy requires that the organization first identify its information assets, that is, those that have value for the organization in relation to its customers, employees, products and services. In the case of a bank, for example, these would include credit cards and ATM (automated teller machine) channels, to name just two; these could be compromised by a cyber attacker if they are not properly protected.
Once the company's information assets are known, a fundamental step is to identify their vulnerabilities or weaknesses, which are present in the technological components that support those assets, for example the databases, servers and networks that hold company data.
In the ideal world of risk management, every company is clear about its information assets. These rest on a large number of technological elements that are permanently exposed to threats and vulnerabilities, which in turn translate into risk scenarios.
If these vulnerabilities are not properly addressed, the economic impact on the organization can be significant, as can the reputational impact; the latter translates into a loss of trust in the organization on the part of customers or consumers.
Editor's Note: Juan Fernández is a cybersecurity partner for Financial Services at EY Mexico. Follow him on. The opinions published in this column belong exclusively to the author.