In the complex landscape of risk management, a common pitfall is the ‘illusion of communication’ – the assumption that everyone is on the same page, when in reality they may not be. The issue becomes particularly pronounced when dealing with broad umbrella terms like cyber risk, IT risk, and privacy risk. Are we talking about the same thing?
Imagine two executives meeting in the hallway. They start having a conversation about ‘cyber risk’. The first is concerned about cyber risk, and missed the last management meeting. The second executive explains that she has spent time reviewing recent reports from the cyber team, and asked a few questions which were quickly answered to her satisfaction. The first executive walks away, feeling a bit more comfortable.
Except… in reality, the first executive was thinking about technology disruption; in the back of his mind recalling several major disruptions in the headlines caused by technical glitches or poor technology change management. The assurance the second executive was referring to came from a team whose focus was only on external malicious threats. Change management may have been quite poor.
In this blog we will cover:
- Basic definitions of the umbrella terms
- How they overlap
- What about information security?
- Using consistent language in your organisation
Defining the terms
Risk is the effect of uncertainty on objectives. If we consider cyber risk, IT risk and privacy risk, these can be expanded to:
- Cyber risk: The effect of uncertainty, created by cyber, on objectives.
- IT risk: The effect of uncertainty, created by technology, on objectives.
- Privacy risk: The effect of uncertainty on privacy objectives.
These definitions on their own don’t add a lot of clarity. We recommend using risk bow ties to visualise risks, breaking them down into causes, events, impacts and controls linked across the bow tie. This approach can also help identify how these different types of risk interrelate. For example, maintaining privacy should be an objective of any organisation that collects personal information, while cyber risk could have an impact on that objective. Let’s look at each of the terms in a bit more detail.
A dictionary definition of cyber implies computers. To the layperson, it is commonly synonymous with external threats and malicious actors. This may result in theft or destruction of data, disruption due to threats such as ransomware encrypting systems, or extend into digital supply chain attacks. Cyber risk also typically includes insider threats, and accidental failures that result in a breach of confidentiality.
IT risk can encompass both operational and strategic risk. Strategically, are you investing in the right amount and type of technology to provide exceptional services and products? If you don’t, it might not matter how secure your systems or data are. Operationally, poor change management related to technology can cause disruptions or impact on the integrity of data.
Privacy refers to the appropriate collection, use and protection of personal information, often considered in conjunction with applicable regulations. This information might be stored digitally or physically. Breaches of privacy include unauthorised release of personal information, but can also include using personal information for a purpose the individual did not agree to.
How are they connected?
Here are some examples of more specific risks or scenarios that illustrate each of these in isolation, and how they might overlap.
- IT: Obsolete technology that doesn’t support strategic objectives, resulting in inefficiencies or lost opportunities.
- Cyber: Cyber intrusion, resulting in disruption to systems, causing operational challenges.
- Privacy: Using personal information for an unauthorised purpose, resulting in compliance breaches and reputational impact.
- IT and cyber: End of life technology that no longer receives patches, resulting in unaddressed vulnerabilities.
- Cyber and privacy: Cyber intrusion, resulting in unauthorised release of personal information.
- IT and privacy: System failures that result in information being used for an unauthorised purpose, e.g. data accidentally made available to systems that conduct research and analysis after the customer has opted out.
While each risk can be considered alone, like many risks they are also interconnected.
Where does information security come in?
Information security takes a more complete approach to managing information, no matter how it is stored or communicated. Definitions of information security focus on the CIA triad – confidentiality, integrity, and availability of information. By focusing on these three properties, common information security or cyber security frameworks provide coverage across not just cyber, but broader privacy and technology risks as well.
Protecting confidentiality also protects personal information from unauthorised disclosure. Maintaining integrity of data helps protect against tampering by external threats while ensuring personal information remains accurate, and therefore continues to be fit for its intended purpose. Maintaining availability addresses both malicious actors and the accidental or technical issues that give rise to disruption.
Having a well-implemented Information Security Management System can enable you to address these overlaps, and integrate into your broader Enterprise Risk Management framework.
Conclusions and next steps for your organisation
We don’t propose you have to use any of our definitions (don’t worry, popular information security and cyber standards aren’t always aligned either). The outcome you need to pursue is effective management of your risks – whatever you call them. To support that, you need to ensure that everyone in your organisation is talking the same language, and you have the right tools.
Here are some ways to achieve that:
- Support definitions and boundaries around key terms in policies and training
- Use risk bow ties to break down and communicate risks. Asking the questions ‘but why’ and ‘what next’ will help align people on the scope of the risks you face, and how they are being managed
- Implement an Information Security Management System that tracks your assets, related risks and controls, aligned with your taxonomies and definitions
If you’d like to know more about how to align your cyber, IT, privacy, information security, and enterprise risk management strategies, Protecht's on-demand webinar Speaking the same language: Bringing IT and cyber to your enterprise risk view offers a deep dive into these areas, providing strategies, insights, and best practices for organisations.
Join Protecht’s Cyber Security Lead Mike Franklin and our Research & Content Lead Michael Howell for an informative and insightful webinar that brings ISMS into an overall enterprise risk management approach. From understanding the language of IT and cyber risk to the building blocks of resilience, this webinar provides actionable insights for executives, risk managers and cybersecurity experts alike.