Although IT-Grundschutz catalogues allow a quick entry into cybersecurity, they neither offer effective protection of one's own assets nor are they sustainably scalable.
Such checklists can be simply ticked off and completed – just like annoying compliance restrictions. However, your organization is “not a bit” safer – and still a lot of money has to be spent on it.
Why a risk-based approach is the much better choice.
If your company has neglected cybersecurity in the past, it doesn't hurt to start somewhere. ~~~ The BSI-Grundschutz-Katalog~~ The BSI-Grundschutz Compendium1, for example, describes numerous useful measures with which you can get started. You can also find other catalogs, such as the NIST Cybersecurity Framework2, which distinguishes 20 protection areas.
You could – at least theoretically – mature organizationally and become “old” by following these suggestions and further developing and continuously strengthening each of these measures. This will not only cost you much more money and effort than necessary – you will also end up unhappy.
Why this is so, you will learn in this article.
Cybersecurity is currently a major topic in the face of numerous threats and spectacular hacks, which accordingly calls for a great deal of attention and rightly solicits investments in defence 3.
However, these measures – like all business measures and decisions – should be in a reasonable proportion to the risks. Like all other risks, cyber risks must therefore be identified with appropriate care and handled appropriately.
If you only implement standard measures according to basic protection catalogues, you have no guarantee that exactly your assets, processes and projects are adequately protected. Since every organization offers an individual attack profile, malicious attackers are also happy if they only come across a standardized protection concept that leaves the relevant areas of attack open in individual cases.
Not only occasional hackers, insider tips, but also highly professional organized crime and state troops threaten business activities worldwide. You should therefore lose no time and take targeted risk-indicating measures.
Standardized maturity models – and their limitations
Individual measures and actions like penetration tests, security officers, firewalls, 2-factor authentication, password policies are always helpful and useful. However, they cannot be scaled and elastically adapted to your specific requirements.
On the contrary: the larger the company, the more difficult it is to raise the maturity level of IT measures in a uniform manner. It's as if you wanted to water all your “security plants” better all at once: you need considerably more water, the watering can is getting heavier and heavier, you can hardly keep up.
Since it is a matter of taming business risks, economic criteria in combination with technical expertise should be decisive: Tackling major cyber risks will cost more money than tackling manageable ones, just as seizing major opportunities makes more investments available.
Advantages of the risk-based approach
Not only a too low quality level, but also an excessive quality level, which neither reduces production costs nor increases customer satisfaction, costs money unnecessarily. In exactly the same way, a tyre-based safety concept costs money unnecessarily without providing more safety.
A risk-based approach, on the other hand, makes it possible to adjust and reduce security investments in a targeted manner. In addition, the integration of cyber risks into general risk management enables management to monitor risks uniformly throughout the company and to take appropriate countermeasures.
This potential streamlining of cyber security measures can lead to substantial savings for large companies while at the same time increasing security levels, according to McKinsey up to several million euros 4.
Implementation of the risk-based approach
The size of the risk depends on the vulnerability, the probability of occurrence and the impending impact. Ultimately, however, the risk always depends on the underlying asset to be protected. By no means does this refer only to material assets, quite the contrary: patents, processes, customer contacts and reputation are the actual assets.
Risk management according to ISO/IEC 27005 protects intangible assets
Accordingly, risk management according to ISO/IEC 27005 5 always starts from a list of all assets, ideal and material. On this basis, the vulnerability and the probability of occurrence are determined. In this way, targeted measures can be taken – or, vice versa, the risk can be consciously accepted.
As part of the overall risk management, cybersecurity risks can thus be dealt with adequately and efficiently. Finally, cyber risks – like all risks – should be visualized, communicated and continuously monitored.
Cyber risks, such as key performance indicators (KPIs), can be monitored and actively controlled with a key risk indicator (KRI).
A risk-based approach to cyber-risk management is not only smarter than simply implementing basic protection measures according to checklists, it is also more effective and potentially even cheaper.
If cyberrisk management is set up on a risk-based basis and integrated via uniform risk management, a company can exploit opportunities and avoid risks in a uniformly controlled manner.
Combined with open and transparent risk communication, cybersecurity thus becomes an integrated component of a digitally sovereign company that is ready to implement security by design in reality.
The Annual Report of the Cyber Security Panel 2020 (German) speaks of 104 billion euros in damage. ↩︎