Managing the Organization’s Cyber Risk Appetite
Introduction
Managing risk for organizations of different disciplines and sizes is a balancing act. Some organizations take too much risk, while others do not take any risk at all. Failure to take care in managing risk may expose a company to cybersecurity threats. Cybersecurity is today being reviewed by corporate directors and is often discussed with financial analysts, who regard cybersecurity risk as a paramount and imminent business risk. Given that cybersecurity failures may damage brand reputation and business revenue, organizations such as Organix must take appropriate measures to secure their business from cyber-attacks and data breaches. In this regard, this paper provides an approach to managing the organization’s appetite for risk.
Analyzing IS/IT Risks in Organix Pty Ltd
Organix is a small to medium-sized company that specializes in the production and sale of health supplements and food, especially organic food, in Australia. Demand for food and health supplements has increased in Australia and the surrounding region. In earlier years the company used an online platform to sell its products. The company has been growing rapidly through partnerships with various businesses and through expansion into overseas markets. There are, however, serious problems concerning data management and the company’s information system and information technology platforms. The data center located in the east wing of the Southbank headquarters, which was meant to support and drive various aspects of the organization’s operations, has been found to have a redundant backup facility that is linked to the outside through high-speed broadband connections.
Moreover, the corporate system has been found to have accumulated patches and extensions as the company’s business has grown. These extensions are not well integrated with the Enterprise System, yet they feed information into, and draw data and information from, the main databases. Because the Enterprise System is undocumented, the contractors created workaround solutions rather than developing an integrated solution. These issues have created business problems: several project initiatives and business activities have had to be rescheduled or postponed because the Enterprise System cannot cope with the projected demand and the proposed initiatives.
The corporate system is also inadequate in that it cannot provide the organization with the complete, timely, and accurate information requested by potential partners in Japan and the U.S. The Business Information Systems Manager of Organix has, however, been refuting these claims. The Board of Directors was also unaware of these issues until recently, when the CEO asked the Business Systems Manager to explore replacing the corporate system to support the future growth of the organization.
The other problematic IS/IT infrastructure issue is the proposal to add proper HR functionality as part of a new system in the organization. This system would be provided by a SaaS provider in the United States. The idea was suggested by the HR specialists; however, there are concerns about why the server and data center should be located in the U.S., since the client list is not big enough to warrant an infrastructure presence there. The HR managers seem to care little about these concerns. This is itself a problem, as it puts the privacy of the company’s data at risk.
The marketing department is also in the process of acquiring its own system after learning of the HR system. The marketing department plans to use its own budget to obtain this system from the SaaS provider. The problem is that it fails to engage properly with the business information systems department. Moreover, it has refused to hold consultative discussions with the business information systems department, which it regards as incompetent on IS/IT matters.
……….. argues that the very things an organization does to drive its performance and execute its operations tend to be the same things that create cyber risk. Issues that give rise to such risk include mergers, acquisitions, globalization, and extension to third-party networks, as seen in the case of Organix, which is extending partnerships with other corporations, sharing data with them, and moving to the cloud. Cyber risk arises where business risk, technology, and regulation meet. Decision-makers such as the business information systems department must fully understand the magnitude of these risks. Accordingly, organizations must factor cyber risk into their risk appetite while explicitly defining the level of cyber risk they are willing to accept.
This executive briefing paper provides a foundation for companies and organizations to better understand cyber risk and how to handle risk appetite in Organix Pty Ltd. Risk management is a process that identifies the effects of various risks on the business and provides an effective plan for how the organization will respond if those risks materialize. It is vital for all organizations, regardless of size, to develop a cybersecurity risk management plan. However, not all risks can be eliminated even when a risk management plan is in place.
The burden of ensuring cybersecurity in an organization should not rest entirely on the security or IT departments. All employees in the organization should be aware of the likely risks and be trained to take responsibility for preventing security breaches. Security plans should consider not only software and hardware but also human factors. Research conducted by Verizon on data breaches in 2018 showed that about 93% of data breaches are caused mainly by phishing. Guarding against these human factors requires the right training and tools to develop an effective organizational culture of cybersecurity.
In many cases, cybersecurity management and staff view risk from a fixed viewpoint, as is the case at Organix, where the marketing and human resource departments have failed to follow due procedure in ensuring that the systems they acquire for their departments are secure. They go further by ignoring the expertise of the Business Information Systems Department. Cybercriminals, however, do not share the viewpoint common in many organizations. They are creative in looking for loopholes in the system or in data management. The extensions to the Enterprise System at Organix, for instance, may be a loophole for cyber-attacks, because the extensions are not only weak but also poorly integrated with the Enterprise System. Cybercriminals are likely to think creatively, identify the various weak points in the company’s IT systems, and exploit them.
…. says that even seemingly mundane lapses in policy and judgment may have great consequences. Oversharing on social media may reveal vital personal information that can be used by other actors. Organix has been using social media influencers to promote its products widely across social media platforms. The company also plans to expand its social media participation this year and next year. For its web-related infrastructure, the company has been collaborating with two companies: a web development company and a web hosting company. These companies not only develop and host the Organix website but also capture data and manage the payment gateway for customers. Sharing this much data and information with third-party networks exposes the company to breaches of customer data and to cyber-attacks. In this regard, a risk assessment plan is important for identifying all likely cyber threats, both external and internal, and thereafter developing an integrated system that provides strong security for the organization’s data and information.
Cybersecurity should be at the top of the agenda of any board meeting, since it is well understood that the cyber stakes have never been higher. The strategic and innovative advances that Organix makes will continue to raise those stakes. Cyber threats are not a problem that can be solved once and for all, and cyber risk cannot be eradicated, but it can be managed in a way that supports Organix’s drive forward. Decisions about cyber risk appetite must always be made and communicated throughout all departments. It is critical that the culture of the organization, and how risk is discussed within it, be made explicit. Having a common risk management language and taxonomy is imperative if the organization is to understand cyber risk in the context of its overall goals and objectives.
The Human Resource department’s use of a cloud-based system containing employees’ personal information, such as social security numbers, medical claims, home addresses, and biodata, among other sensitive information, can be a vector for cybersecurity failures. Human resource management is focused on moving the HR function to the cloud while ignoring the risks posed by partner networks and third parties that will routinely have access to the system, which may lead to a breach of employee information. Given the myriad sources of cyber risk, each event having a different level of potential impact, prioritization is very important. However, determining where and how to allocate financial, human, and technology resources is a complicated calculus.
A major step in managing risk appetite for any organization is identifying and classifying its systems, databases, and information. Though it may seem counter-intuitive to prioritize internal systems as the main area of focus, it is still important to prioritize whatever would cause the most damage if the risk is not managed appropriately. If the organization focuses only on what is customer- or public-facing, its critical systems and important information are being overlooked. Becoming resilient to cyber-attacks is the most important goal for any business and requires more than incremental improvements. It demands a transformation of the organization that broadens the scope of involvement across organizational management while, at the same time, focusing on business risk rather than technology controls. Moreover, it requires greater investment in mitigating likely outcomes, based on a broad understanding of attackers’ motives and the ability to anticipate high-impact scenarios.
Risk appetite is the level of tolerance that an organization has for risk. One aspect of defining risk appetite is understanding how much risk an organization is likely to tolerate and how much it is likely to spend on investing in and managing that risk. Risk appetite provides boundaries for prioritizing which risks need to be treated. Risk appetite should be set by the CISO, CEO, and CRO and then shared with everyone in the organization. Calculating cyber risk through an assessment that uses defined or proven quantitative and qualitative risk metrics helps the organization determine how much risk it is willing to accept in order to achieve particular business objectives and goals. Determining the risk appetite for Organix should not be a point-in-time exercise; it should become an ongoing process of constant evaluation and re-evaluation. Though setting cyber risk appetite may seem technical, there is more to it than that. The conversation should include, but not be limited to, technical functions. Cyber risk appetite ties cyber risk, operational risk, and enterprise risk together in a cross-functional conversation about the risk the company is willing to take on and the controls it puts in place to prioritize the management of risk. Setting this appetite is important for managing the business effectively while enabling the organization to know where to invest resources and time.
The organization’s ability to quantify risk and make an informed decision about its cyber risk appetite would be the difference between failure and risk for Organix. If Organix can do so effectively, it will be able to position itself for the continued growth it has been experiencing.
Conclusion
The risk appetite should be measurable at its foundation while supporting a tailored platform that reflects the organization’s unique profile in terms of attack surface and attractiveness as a target. It must take a forward-looking view of risk as changes in the landscape take effect. It should also offer actionable insights that support decision-making and the mitigation of risk. As argued, a good risk appetite policy must be made available to all departments in Organix, and all departments must follow due process whenever acquiring a new system or sharing data with third parties. Even when data is shared with a third party, as in the case of web hosting and web development, it is critical to put in place safety measures that ensure that