KuppingerCole Report
Whitepaper
By Matthias Reinwarth

Moving towards a holistic Cyber Risk Governance approach

The ongoing task of maintaining cyber security and risk governance, while providing evidence and communicating efficiently with corporate stakeholders, is becoming increasingly important for practically every organization. Understanding the risk posture and providing transparency, while aligning cyber security efforts with corporate strategy, is a major challenge. The current lack of standards and overarching strategic concepts needs to be overcome by establishing a sustainable, holistic Cyber Risk Governance framework.

1 Executive Summary

More and more organisations understand that Cyber Risk Governance is a challenge that needs to be addressed on a management level. Cyber security and ...

2 Highlight

  • Organisations need to get to a full picture of their risk posture.
  • Cyber Risk Governance needs to be understood as a critical business management ...
3 Cyber security and cyber governance today

Security threats as well as requirements from compliance and governance have resulted in various tactical efforts for improving individual aspects of ...

3.1 Rising cyber security threats

The detection and prevention of cyber security threats, along with adequate responses to them, are among the most important activities. With the emergen ...

3.2 Growing legal and regulatory requirements

Companies in the financial services sector were among the first that had to comply with various national, international and sector-specific standards ...

3.3 The organizational reality: Security and governance silos

The reality in almost any organization reflects the way organizations have developed and grown in the past: many efforts are driven by immediate requirements and by actual, imminent threats.

Isolated, tactical efforts for compliance and cyber security have fragmented the digital security risk management landscape in many organisations.

Although this development spans only a few years, operations teams, IT security teams and cyber governance teams have typically focused on individual solutions and products that solve individual problems. This usually happens without adequate integration into a corporate security strategy, and without a consolidated approach to communication, the joint management of risks, the correlation of results, overall IT security maturity, or the overall risk posture of the organisation.

A cross-system security concept usually ends with the implementation of a SIEM solution that ingests all the log data that is collected, and which is consequently doomed to fail for lack of focus against the vast volume of data available.

3.4 The vendor perspective

The silo approach, as described in the previous subsection, is a phenomenon that can be rediscovered quite easily also in the product area. Strong an ...

3.5 The state of Cyber Risk Governance

Many organisations will agree that there is room for improvement when it comes to cyber security and cyber risk governance. There are many isolated ef ...

4 Principles of a mature Cyber Risk Governance approach

Well defined and executed Cyber Risk Governance involves and informs all stakeholders. It enables an organisation to effectively oversee and assess cy ...

4.1 Digital Security Risk Management for Economic and Social Prosperity

The OECD (“Organisation for Economic Co-operation and Development”), published “Digital Security Risk Management for Economic and Social Prosperity”, ...

Figure 1: OECD Principles of a robust cyber risk management framework

The described principles appear very high-level at first, but they form the foundation for a consistent and holistic process framework ...

4.2 NIST Cybersecurity Framework

Organisations looking into designing a more practical and actionable strategy towards a comprehensive and holistic cyber risk governance approach, mig ...

The two documents do not necessarily need to be considered as alternatives, but can also be deployed either in parallel or in the order of their menti ...

5 From concept to infrastructure: Cyber Risk Governance platform requirements

Mature Cyber Risk Governance needs to be built upon a strong strategic concept but also requires powerful and flexible tool support. Interoperability, ...

6 Building a Holistic Cyber Risk Governance foundation with TechDemocracy Intellicta

TechDemocracy Intellicta implements Cyber Risk, Security & Governance Assurance thought leadership as a process framework, a product platform, and opt ...

6.1 Framework and platform for the governance fundamentals

TechDemocracy defines a technological platform for the implementation of a comprehensive and holistic Cyber Risk Governance solution. A major building ...

Each segment within this matrix can then be used to identify the individual services related to the given Service category and object of interest. As ...

6.2 Key Concepts

As required in Section 5, the platform covers a variety of regulatory requirements and security standards and is thus able to provide status informati ...

Copyright

©2019 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deeper analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice, and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand, vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.