KuppingerCole Report
By Matthias Reinwarth

Moving towards a holistic Cyber Risk Governance approach

The ongoing task of maintaining cyber security and risk governance, while providing evidence and communicating efficiently with corporate stakeholders is getting increasingly more important for practically every organization. Understanding the risk posture and providing transparency while aligning cyber security efforts with corporate strategies is a major challenge. The current lack of standards and overarching strategic concepts needs to be overcome by establishing a sustainable, holistic Cyber Risk Governance framework.

Commissioned by TechDemocracy

1 Executive Summary

More and more organisations understand that Cyber Risk Governance is a challenge that needs to be addressed on a management level. Cyber security and regulatory compliance are strong drivers for rethinking and redesigning a mature approach towards cyber resilience. But Cyber Risk Governance is not only reactive and defensive. Every organisation is unique in its business strategy and so are security and cyber risk requirements. A proper strategy for an effective Cyber Risk Governance is a key challenge for many organisations and will be even more so in the future.

The identification, execution and communication of adequate, consistent and sustainable decisions require an in-depth insight into the overall security posture. Beyond achieving an adequate level of security, while maintaining governance and providing evidence of that, Cyber Risk Governance needs to be understood as a business differentiator and a strategic management instrument. A standard way of defining, measuring and communicating cyber risk is a must to achieve adequate communication towards all relevant stakeholders.

This paper identifies existing shortcomings in the Cyber Risk Governance of many organisations and outlines concepts for a well organised approach towards achieving a holistic system for managing risks, threats and investments. The paper will further show how TechDemocracy’s Cyber Risk Governance platform Intellicta can help businesses, as well as all organisations in general, to implement an efficient, cost-effective and adequate cyber risk governance framework for their organisation.

2 Highlight

  • Organisations need to get to a full picture of their risk posture.
  • Cyber Risk Governance needs to be understood as a critical business management ...

3 Cyber security and cyber governance today

Security threats as well as requirements from compliance and governance have resulted in various tactical efforts for improving individual aspects of ...


3.1 Rising cyber security threats

The detection and prevention of cyber security threats along with adequate responses to them are among the most important activities. With the emergen ...


3.2 Growing legal and regulatory requirements

Companies in the financial services sector were among the first that had to comply with various national, international and sector-specific standards ...


3.3 The organizational reality: Security and governance silos

The reality in almost any organization reflects the way organizations have developed and grown in the past: many efforts are driven by immediate requirements and actual, imminent threats.

Isolated, tactical efforts for compliance and cyber security have fragmented the digital security risk management landscape in many organisations.

Although this history spans only a few years, operations teams, IT security teams and cyber governance teams have usually focused on individual solutions and products, each solving an individual problem. This typically happens without adequate integration into a corporate security strategy or a consolidated approach towards communication, the joint management of risks, the correlation of results, the overall IT security maturity, or the overall risk posture of an organisation.

A cross-system security concept usually ends with the implementation of a SIEM solution that consumes all of the log data that is collected and is consequently doomed to fail, because it lacks the focus needed to cope with the vast amount of data available.

3.4 The vendor perspective

The silo approach, as described in the previous subsection, is a phenomenon that can be rediscovered quite easily also in the product area. Strong an ...


3.5 The state of Cyber Risk Governance

Many organisations will agree that there is room for improvement when it comes to cyber security and cyber risk governance. There are many isolated ef ...


4 Principles of a mature Cyber Risk Governance approach

Well defined and executed Cyber Risk Governance involves and informs all stakeholders. It enables an organisation to effectively oversee and assess cy ...


4.1 Digital Security Risk Management for Economic and Social Prosperity

The OECD (“Organisation for Economic Co-operation and Development”) published “Digital Security Risk Management for Economic and Social Prosperity”, ...

Figure 1: OECD Principles of a robust cyber risk management framework

The described principles appear to be very high-level in the first place, but they form the foundation for a consistent and holistic process framework ...


4.2 NIST Cybersecurity Framework

Organisations looking into designing a more practical and actionable strategy towards a comprehensive and holistic cyber risk governance approach, mig ...

The two documents do not necessarily need to be considered as alternatives, but can also be deployed either in parallel or in the order of their menti ...


5 From concept to infrastructure: Cyber Risk Governance platform requirements

Mature Cyber Risk Governance needs to be built upon a strong strategic concept but also requires powerful and flexible tool support. Interoperability, ...


6 Building a Holistic Cyber Risk Governance foundation with TechDemocracy Intellicta

TechDemocracy Intellicta implements Cyber Risk, Security & Governance Assurance thought leadership as a process framework, a product platform, and opt ...


6.1 Framework and platform for the governance fundamentals

TechDemocracy defines a technological platform for the implementation of a comprehensive and holistic Cyber Risk Governance solution. A major building ...

Each segment within this matrix can then be used to identify the individual services related to the given Service category and object of interest. As ...


6.2 Key Concepts

As required in Section 5, the platform covers a variety of regulatory requirements and security standards and is thus able to provide status informati ...

©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.