Embarking on the new era of data-driven cyber risk reporting

Optimise your cyber risk maturity through our Cyber Risk Reporting Platform (CRRP)

At a time when the cyber threat landscape is complex and continuously changing, the relationship between the board and a CISO (or equivalent) is becoming more important than ever. However, obtaining the data needed to manage risks, and getting the board to understand cyber risks, can be challenging.

Our data-driven Cyber Risk Reporting Platform, running on Microsoft Power BI, can help you close the gap between cyber risks and the business. Our solution will help you understand:

  • How well you are managing cyber risks

  • How well you are covering your attack surface

  • How effective your controls are

  • How well you are managing the implementation of security projects and tracking their impact on risk appetite

  • To what extent your cyber maturity strategy can become a reality

Measuring and reporting on cyber risk is not easy.

Many organisations struggle to answer the following key questions:


The cyber threat landscape is complex and continuously changing – risk reporting based solely on compliance with cyber security controls is no longer enough. Reports need to be data-driven, focusing on threat and risk to show incremental improvements and the value delivered by investments.

According to a recent PwC global survey, more than half (55%) of business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks. Effective cyber risk reporting helps give key stakeholders – such as the board or regulators – a level of assurance that the right decisions are being made. Locally, our experience tells us that one of the biggest challenges is to effectively communicate cyber risks to the Board in a manner that is well understood and can allow for effective strategic decision making.

The challenge is that most organisations struggle to answer fundamental questions, such as what needs to be secured, what cyber risk data to measure, and the likely impact of a security incident. As a result, they fail to get a return on their cyber security spend. Furthermore, boards increasingly acknowledge that cyber risks are impacting other areas of their organisation. For example, the strategic push for digital transformation might introduce several new cyber risks, with the potential for sensitive information disclosure or even disruption of your business operations.

These initiatives are closely linked to cyber threats that need to be appropriately addressed. By effectively managing cyber risks and their impact on other areas, you can better demonstrate how your cyber security spend helps to mitigate emerging threats and supports your strategic goals.

Challenges with communicating with the C-suite and the Board

Depending on the organisation, CISOs (or equivalent) can often be too busy firefighting incidents to take a step back and address the wider picture. Executive reports often focus on what can be reported rather than what should be reported, which can result in a misunderstanding of true cyber risk exposure. Moreover, ever-increasing regulatory requirements, such as the Digital Operational Resilience Act (DORA), highlight the onus on those charged with governance to exercise effective leadership and to align cyber security initiatives with overall business objectives.

Existing risk processes and tooling can also be a limiting factor and may need some improvement to manage and report effectively on cyber risk. For example, many existing Governance, Risk and Compliance (GRC) tools are not customisable enough to report to the C-suite on the relationship between a risk, a threat and a control.


The cyber risk reporting journey: a focus on pragmatism

Understanding where you are in your cyber risk reporting journey is essential. Some key building blocks, such as building a strong cyber risk library of risks mapped to threats, key capabilities and metrics, need to be in place before you can effectively report to senior management and your board.

Organisations that embark on a cyber risk management journey should start by understanding their level of maturity and establishing their key building blocks – including identifying and setting up the inter-relationships between risks, threat scenarios, key controls and metrics. Effort should then be spent on creating a dynamic dashboard visualising these building blocks and implementing a pragmatic approach for risk and control measurement.


Spotlight on PwC’s Cyber Risk Reporting Platform (CRRP)

Easily engage the Board and any stakeholders

With our solution, you can now create dynamic dashboards linking risk alerts to the underlying data including threats, attack surface, capabilities and metrics to robustly support the messaging to the Board.

You will also benefit from quick wins, as our Cyber Risk Reporting Platform enables a pragmatic prioritisation of cyber investments. This is made possible by tailored links between cyber security projects and the key building blocks mentioned above.

Turnkey solution

The Cyber Risk Reporting Platform is a ready-to-start solution that only requires a mapping of your current risk management inputs to our data model. You can even take advantage of PwC’s risk and threat catalogue or, if you prefer, build your own.

Tool based on good practice and PwC experience

The Cyber Risk Reporting Platform integrates a variety of renowned industry frameworks, including:

  • MITRE ATT&CK framework to map threat capability, frequency, and scenarios to capabilities

  • Cyber capabilities based on PwC’s Cyber Security Framework (built upon NIST, CIS, and other cyber frameworks)

  • Risk calculations aligned to FAIR and IRAM2

  • Custom-tailored compliance mappings to PCI, ISO 27001, GDPR, MFSA ICT guidelines, CCPA, and NIST CSF

Pragmatic, easy to integrate and low cost of entry

Pragmatism is key to ensuring dashboards do not become “shelfware”, but instead are practical and sustainable. Key aspects to pragmatism include:

  • Moving away from reporting on every metric and control, and focusing just on the key ones.

  • Leveraging point-in-time maturity assessment data where operational data is not currently available.

  • Building a pragmatic risk model which enables automation and real-time updates, and which is flexible enough to evolve over time.

Tailor-made solution

Take advantage of the backing and support of PwC to customise our tool to your specific needs by:

  • Revamping your risk assessment and treatment processes

  • Integrating our solution into your cybersecurity strategy

  • Integrating your controls strategy with any relevant compliance requirement (e.g., PCI, ISO 27001, GDPR, MFSA ICT guidelines, CCPA, or NIST CSF)

  • Orienting your maturity journey via risk-based strategy, improvements and assessments

Tool adapted to your organisation’s maturity journey

Our platform acts as an accelerator to your maturity journey. Whether you are just starting to manage cyber risks or you already have a cyber risk governance framework in place, our solution will help you optimise cyber risk management and achieve your envisaged maturity level.

How it works

Out of the box, our Cyber Risk Reporting Platform (CRRP) enables you to address five (5) topical questions:

Risk appetite

How well are we managing our cyber risks?

Create an executive overview risk posture dashboard aligned to the way your other enterprise risks are reported to the Board. Enable comparability and speak the same language as the Board.


Attack surface

How well are we covering our attack surface?

Monitor key attack surface metrics and show how the attack surface is growing and how effective you are at securing it.


Risk posture

How well are we securing ourselves?

Create a dynamic, interactive mapping between risks, threats, and key capabilities, allowing you to drill down and focus on what is really important, and to keep reporting pragmatic.


Threat exposure

How real are the threats we face?

Drill down into the threats you face to understand the types of threat actors and the tactics they deploy, leveraging information gathered by Threat Intelligence.


Programme benefits

How well are we managing the implementation of security projects and tracking their impact on our risk appetite and thresholds?

Link your cyber investment portfolio to the key capabilities, helping you present an actionable response to the Board in line with risk appetite. Obtain more visibility on the Return On Investment (ROI) from strategic cyber projects.


Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 79211355