Effective Risk Analysis in Cybersecurity, Operational Technology and the Supply Chain

Today, risk is the main cause of uncertainty in any organization. Both internal and external influences make it hard to predict if, when, and to what extent corporate objectives will be achieved or exceeded. As a result, companies are placing more focus on identifying risks and managing them before they even affect the business. 

However, we face a plethora of risk pressures and complexities in today’s turbulent economic climate, so much so that it is difficult to determine the sheer volume of risk that is present across a business.

Whether in cybersecurity, operational technology (OT), or supply chain domains, common problems and themes begin to emerge when you assess and manage risk with quantitative analysis. First, let’s take a look at the common barriers to risk analysis in these three areas:

Cybersecurity Risk 
Recent cyber breaches have proven that cybersecurity is a real and present danger to most companies in today’s digital age. Even traditional non-IT-reliant companies – including those in the mining and manufacturing industries, for example – are increasingly connecting OT to their IT networks and thereby exposing data and systems to the risks associated with cyber threats. In fact, research shows that the biggest risk currently facing companies today is cybersecurity-related.

Potential threats in the cyber arena demand more effective measurement and management of risk. Without this, organizations will find themselves hard-pressed to keep on top of security spend. Yet, frequently used methods for qualitative risk analysis often fail to deliver defensible results, with a lack of data making it difficult to determine how often cyber loss events occur. Inconsistent terminology and definitions of risk can also make communication with various executives and stakeholders a challenge. 

Supply Chain and Third-Party 
Supply chain and third-party risk are two closely related areas. The supply chain encompasses supply chains for IT hardware and software products, as well as supply chains for non-IT-related products. Third-party risk, on the other hand, generally refers to the outsourcing of business functions in industries such as financial services or government.

Regardless, both supply chain and third-party risk refer to the complex web of providers or suppliers that can be used as a stepping stone to target your business. Unfortunately, relying on a third party for the development and delivery of hardware, software, and services also means that your organization inherits the risk carried by the organization in question.

The challenge here is that organizations often rely on point-in-time, questionnaire-based assessments to determine security and risk posture. As a consumer of hardware, software or services, it is also difficult to compare risks across multiple potential suppliers, which prevents the consumer from self-sufficiently measuring risk in third-party suppliers. This makes it almost impossible to have adequate visibility into your real-time risk posture.

Operational Technology 
Last but by no means least, OT refers to the control systems used to manage plant environments, automating and optimizing operations and ensuring safe operation. The majority of today's control systems employ contemporary technologies, which bring an additional layer of risk. The main risk here centers on the lack of data for determining how frequently common cyber loss events occur in the control systems area.

Not only that, but control systems components can have a particularly long lifetime, and many were not designed with today’s threat landscape in mind. This often means that in OT plant environments, it can be difficult to distinguish between physical, cyber, and cyber-physical threat events. 

Traditional IT security concerns – including confidentiality, integrity, and availability – are also important in control system environments. Yet, the most significant risks to OT stem from safety concerns, which are not usually associated with IT. While control systems have traditionally placed emphasis on the safety of the plant environment, cyber threats do have an impact on safety, and they pose a significant threat to plant productivity.

The Solution? Quantitative Risk Analysis 
From a cybersecurity perspective, Open Standards can be used to provide a proven, consensus-based methodology for the application of quantitative risk analysis, allowing for effective measurement that offers more validity.

In supply chain security, for example, the Open Trusted Technology Provider Standard exists to help providers of IT products utilize a quantitative approach to risk analysis. This enhances the manufacturer's ability to identify how much risk is present and to determine which third party is the weakest link within their supply chain.

In OT environments, risk evaluation methodologies like Bow-tie are often used to relate hazards, threats and mitigating controls. Enhancing this technique with quantitative risk measurement (for example the Open FAIR standards) enables OT decision makers to more accurately evaluate which risks are worth mitigating.
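
To show what "quantitative" adds to a Bow-tie, here is an added illustration (not from the article or from The Open Group) of the Open FAIR-style calculation: annualized loss exposure is derived from a range estimate of loss event frequency (LEF, events per year) and loss magnitude (LM, currency per event), sampled by Monte Carlo so that uncertainty is carried through rather than collapsed to a single "high/medium/low" label. The two OT scenarios, their min/most-likely/max ranges and the p90 ranking rule are constructed assumptions for the example.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One Bow-tie top event, estimated Open FAIR-style with three-point ranges."""
    name: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) loss per event, in currency units


# Constructed sample scenarios for a plant; the ranges are illustrative only.
SCENARIOS = [
    Scenario("Unplanned line shutdown via compromised engineering workstation",
             lef=(0.1, 0.5, 2.0), lm=(50_000, 200_000, 1_000_000)),
    Scenario("Safety-system trip caused by tampered historian data",
             lef=(0.01, 0.05, 0.2), lm=(100_000, 500_000, 3_000_000)),
]


def _draw(bounds, rng):
    """Sample a triangular distribution from a (min, mode, max) estimate."""
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)


def simulate_ale(scenario, trials=10_000, seed=1):
    """Monte Carlo the annualized loss exposure (LEF x LM) and summarize it."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    losses = sorted(_draw(scenario.lef, rng) * _draw(scenario.lm, rng)
                    for _ in range(trials))
    return {
        "mean": statistics.fmean(losses),
        "p10": losses[int(0.10 * trials)],
        "p90": losses[int(0.90 * trials)],
        "max": losses[-1],
    }


def rank_for_mitigation(scenarios, trials=10_000, seed=1):
    """Order scenarios by tail exposure (p90), the figure a decision maker funds against."""
    results = {s.name: simulate_ale(s, trials, seed) for s in scenarios}
    return sorted(results.items(), key=lambda kv: kv[1]["p90"], reverse=True)


if __name__ == "__main__":
    for name, r in rank_for_mitigation(SCENARIOS):
        print(f"{name}: mean={r['mean']:,.0f} p10={r['p10']:,.0f} p90={r['p90']:,.0f}")
```

Because each control in the Bow-tie narrows a LEF or LM range, re-running the simulation with the post-control ranges gives the expected reduction in exposure, which can be compared directly against the control's cost.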

Although the measurement and management of risk has long been recognized as an important organizational responsibility, the hyper-complexity of today's business environment has catapulted it to the forefront of the minds of senior executives. Whether an organization is concerned with cybersecurity, supply chain/third-party, or OT risk – or all of the above – quantitative measurement is the key to managing risk well.

Not only will this empower more accurate analysis and improved decision making, but it will also provide defensible risk analyses to enable better communication with executive management. Only once these techniques are in place will we truly be able to understand a company’s exposure to risk, which is the first step toward developing a healthier business.