Skip to main content
Blog Post

Getting serious about defending against cyber threats

Cyber Risk Management

By Fredrik Motzfeldt | December 12, 2019

To transform your cyber security, you must apply solid risk management principles to IT and the human element.

Technical solutions are often relied on as the primary line of cyber risk defenses for today’s organizations, including technology, media and telecommunications (TMT) companies. But what do you do when technical defenses fail to keep up with the rapidly changing and increasingly complex cyber war against your business and customers? Or when the best, state-of-the-art, cybersecurity technology is compromised by human error?

Technical solutions are clearly vital. But they are hardly adequate as the primary or sole tool when organizations become more complex and technology-dependent — and when most successful cyber breaches are found to involve the human element. It is also my opinion that cybersecurity maturity is less than what many companies actually believe. In this environment, building a cybersecurity organization around strong risk management, a consistent approach and people awareness should therefore be seen as a key part of an enterprise wide cyber strategy.

Essential elements of an enterprise-wide cyber strategy

This strategy should include:

  • The design of or transformation to an effective, enterprise-wide cybersecurity organization
  • Formation of a strong, constantly evolving cyber risk culture starting with the C-suite
  • Continuous assessment of cyber risks, workforce cyber savviness and organizational security defenses
  • A risk management approach to asset protection based on a strong ROI focus and awareness

The stakes for inadequate cyber defenses are large and growing. In a recent survey conducted by the Economist Intelligence Unit (EIU), a third of more than 450 executives reported a serious cyber-incident — defined as one that disrupted operations, impaired financials and damaged reputations. The EIU study, sponsored by Willis Towers Watson, also found that most respondents expected another serious incident within a year.

Link between good cybersecurity and business growth

Many recent breaches have demonstrated that good cybersecurity and cyber awareness is increasingly related to ensuring business success and continuity (growth and profitability). Examples of where organizational structures and practices have been closely scrutinized and transformed following an economically costly cyber incident includes TalkTalk, Norsk Hydro and Equifax, just to mention a few of the examples that are in the public domain.

Cyber risk is difficult to mitigate effectively because it intersects with the overlapping risks that surround your business, including other technology risks, people risks, regulatory risks, political risks and environmental risks. It requires a comprehensive response that identifies and mitigates risk while building organizational resilience and protecting your customers and business partners.

Regulatory compliance is a first step

In this context, having effective technical defenses and meeting established guidelines (such as ISO/ISE 27001) for information security management should be seen as merely the first step in a larger risk-based enterprise approach. Fully fledged cyber risk mitigation should be integrated with your company’s broader risk management activities and include the development of a cybersecurity culture in which employees become more actively engaged in providing your cyber defenses.

Willis Towers Watson and others have found that cyber risk vulnerability is most often linked to a company’s workforce (e.g. the human element). Nearly nine out of 10 organizations have pointed to untrained or negligent staff as the greatest cyber risk to their business — a significantly greater risk than cyber criminals or hackers.

Despite the concern about staff shortcomings and lack of awareness, the EIU found that fewer than half of the senior executives surveyed had implemented basic cyber-related human resource policies, such as: 

  • Ongoing security awareness training
  • Identification of at-risk employees
  • Internal communications after a security incident

The absence of such policies suggests that many companies lack a culture of cyber awareness and a low cyber resilience in my opinion.  

Managing the people side of cyber risk

Raising employee awareness and engagement in your cybersecurity efforts takes nothing less than a complete cybersecurity organizational rethink and transformation that must be designed to foster a more cyber savvy workforce, beginning in the C-suite. It should include efforts to improve employee engagement, talent management and reward strategies. This requires organizations to take such steps as:

  • Assessing their cyber organizational structure
  • Prioritizing personalized training
  • Rethinking your skills acquisition strategy

This employee focus is a vital part of an effective cybersecurity organization. But building a strong and constantly evolving cyber risk culture, matched with best-in-class cybersecurity risk management, can yield important benefits in three areas:

Strategic: A comprehensive cyber strategy will heighten sensitivity to potential risk exposure across the entire organization. It will, among other things, reduce destructive employee behavior and engage your colleagues in efforts to develop air-tight cyber defenses. Ultimately a better security posture will raise the confidence of customers and business partners as well as investors and shareholders.

Financial: By prioritizing and protecting identified-as-critical assets first, an effective cyber risk management framework will yield financial benefits in the form of a better return on investment. We define “effective” cyber risk management as including: 

  • Adequate security protection mechanisms
  • Compliance with data protection regulation
  • Appropriate information security policy
  • Appropriate controls and processes
  • A clear people policy for cyber and technology
  • Efficient risk hedging, including self-insurance and cyber insurance policies

Operational: It is critical to protect key information assets. The right cybersecurity, compliance and risk management culture combined with the right set of technologies will enable organizations to reap the natural operational benefits that come with it, such as more robust and cost-efficient processes and policies, including client-related services.

The TMT sector is highly attuned to cyber risks but might be missing significant business benefits by an over-reliance on purely technical solutions or some sort of “tick-the-box” ISO approach to cyber security. Cyber risk requires a comprehensive response that includes people, technology and capital risk considerations to mitigate risk while building enterprise resiliency. 

As cyber risks continue to grow and mutate, transforming your approach to security by applying solid risk management principles around IT and cybersecurity will help your organization achieve a forward-looking cybersecurity approach based on a comprehensive risk management strategy that will provide clearer ROI in what will be an increasingly expensive requirement. Today’s cyber risk is complex and multi-dimensional, and the solutions implemented should be, too.


Fredrik Motzfeldt
U.K. Leader of Global Technology, Media & Telecoms Industry Group

Related Capabilities

Contact Us