Cyber risk check up: Willis Towers Watson’s top 9 steps for greater cyber resilience

Both NIST and ISO authorities have emerged as globally accepted baselines that provide roadmaps for building comprehensive cyber risk management programs. By using either or both of these industry best practices to assess where their cybersecurity is strong or needs improvement, organizations can make more informed decisions about where to allocate limited resources to ensure maximum security impact.

Every organization should create its own register of cyber incident scenarios and cyber risks relevant to them and determine how existing and planned cyber risk controls work to reduce their occurrence. Organizations need to take into account their industry sector, the data they hold, the cyber incidents that they and their peers have experienced, and their own cybersecurity maturity in order to model cyber risk scenarios relevant to their operations. In so doing, organizations can strike a fully aligned and cost-effective balance among their risk prevention, risk mitigation, and risk transfer strategies that help boost true cyber resilience. Comparing and contrasting the likelihood and consequence information in a centralized Cyber Risk Register helps guide the development of a highly effective Action Plan and a defensible cybersecurity budget.

Effective cybersecurity can’t happen in a technical vacuum that isn’t aligned with overall business objectives. Organizations instead should identify their priority cyber risks by listening not only to CISOs and CIOs but also to other key leaders who know their businesses best – the CFO, the CRO, the General Counsel, the HR lead, and additional influencers in authority positions. By taking a cross-functional approach, organizations put their cybersecurity work into a more relatable “impact on operations” context, garner essential support across the enterprise, and increase an organization’s chances for lasting cybersecurity success.

Human-caused cyber incidents proliferate in environments where leaders “talk the talk” about cybersecurity but don’t “walk the walk” themselves, fail to hold employees accountable for poor cyber hygiene, and neglect to set clear expectations for cybersecurity behavior. Organizations therefore should ask managers – at all levels – how they’re promoting cybersecurity across their teams and then check separately with those teams on the answers. Organizations should direct competency development, performance management, and other appropriate leadership investments to wherever disconnects between these two populations are consistently found.

As a first step, organizations should identify the subset of the workforce for whom the training is not working so customized content can be directed to that population specifically. Organizations should also work to understand what environmental factors – social, psychological, and otherwise – are preventing employees from gaining the cybersecurity knowledge they need. As such, many organizations run cybersecurity awareness campaigns that fail to make cyber risk management relevant to the day-to-day work of their employees. Organizations should ask themselves if the messages they’re sending are communicated in ways that ensure that different workers with different roles and responsibilities understand not only the dangers of cyber risks but also what they personally can do to prevent and/or mitigate them. Tailoring cybersecurity communications this way promotes both cybersecurity accountability among individuals and good cybersecurity behavior across the board.

61% of all cyber incidents are caused directly by an organization’s employees – either through negligence or intentional malicious activity. Boards of directors have become increasingly aware of this statistic and are adjusting their cybersecurity budgets in response to address this human element of the risk. To do so effectively, organizations need to pinpoint which of their workers are struggling most to do the “right cyber thing”. Once they’ve identified those populations, HR leaders can pursue targeted solutions that bring them into the fold while improving the overall cyber risk culture for everyone.

If an organization’s cybersecurity policies, procedures, and technologies aren’t easy to apply and/or use, employees invariably will find work-arounds so they can get their jobs done. Those work-arounds, however, often open up entirely new and unforeseen cyber vulnerabilities. Organizations must strive to strike the right balance between protecting their sensitive data, systems, and other assets while enabling their employees to successfully complete their daily duties.

In today’s job market, there simply aren’t enough talented cybersecurity professionals available to meet demand. Without them, organizations face cyber losses that are likely to be exponentially worse than if they had the right people with the right skills on staff. Organizations should develop a clear sense of what job functions and skill sets are most critical to address their particular cyber risk circumstances – now and into the future – so they can develop the targeted recruitment and retention strategies they need for their protection.

Cybersecurity insurance is an essential part of any comprehensive cyber risk management program. Organizations should be smart consumers of such policies by first determining their cybersecurity gaps and then taking responsive prevention and mitigation steps that make economic sense. For the residual cyber risk that remains, customized insurance policies serve as powerful transfer mechanisms that help impacted organizations not only survive serious incidents but also thrive in their aftermath.