Most large, publicly traded companies fear a data breach with significant financial consequences and damage to brand equity. Many smaller businesses, however, wrongly assume they are too small to be on threat actors' radar. In truth it is all about the data, and small businesses often have less well-guarded and less well-defined structures for their data stores. Every strategic marketing plan and every company's overall security strategy should therefore incorporate a data breach communication plan, and articulating that plan requires an understanding of the organization's risk profile.

In a large organization, risk, governance, and compliance professionals are frequently called upon to present relevant risk profile information in an engaging way. For smaller companies, this may mean bringing in third-party partners and sharing plans with them. The challenge is that understanding the threat landscape and the company's risk exposure and risk position falls on two parts of the business. The Board is responsible for the exposure and financial remediation of cyber risk, whereas IT management is operationally responsible for prioritizing actions and remedies.

Communication must therefore involve both parties: one needs to understand the financial and strategic implications, the other the operational activities, with the ability to drill down and understand resource allocation across the business.

Trends in risk profiling and communication of risk in the business

A risk profile is a summary that provides financial impact estimates for all the risks associated with a business unit or activity. Risk profiles are documented and visualized using different methods, but they are typically based on estimates of the probability and impact of a list of identified risks. There is a recent trend towards the use of dashboards to articulate
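As an added illustration of the probability-and-impact method just described (example code written for this page, not taken from the original article), the following builds a small risk profile from a list of identified risks. Each risk carries an estimated annual probability and an estimated financial impact; expected annual loss is probability times impact. The profile is then aggregated per business unit for the Board's financial view and ranked per risk inside a unit for IT management's operational drill-down. The risks, business units, owners and figures are constructed sample values, and the `owner` field is a hypothetical addition.

```python
"""Quantitative risk profile: expected annual loss per risk, aggregated per business unit.

Added example for this page; the risk list below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    business_unit: str
    probability: float  # estimated likelihood of the risk being realised within a year, 0..1
    impact: float       # estimated financial impact if it is realised, in currency units
    owner: str          # team that prioritises the remedy (hypothetical field for the IT view)

    def __post_init__(self) -> None:
        # Estimates outside these bounds are data-entry errors, not risks; reject them early.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be within [0, 1]")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact cannot be negative")

    def expected_loss(self) -> float:
        """Expected annual loss: probability of the event times its estimated cost."""
        return self.probability * self.impact


@dataclass
class UnitProfile:
    business_unit: str
    expected_loss: float = 0.0          # sum of expected losses across the unit's risks
    worst_case: float = 0.0             # largest single impact in the unit
    risks: List[Risk] = field(default_factory=list)


def build_profile(risks: List[Risk]) -> Dict[str, UnitProfile]:
    """Aggregate a list of identified risks into one profile entry per business unit."""
    profile: Dict[str, UnitProfile] = {}
    for risk in risks:
        unit = profile.setdefault(risk.business_unit, UnitProfile(risk.business_unit))
        unit.expected_loss += risk.expected_loss()
        unit.worst_case = max(unit.worst_case, risk.impact)
        unit.risks.append(risk)
    return profile


def board_summary(profile: Dict[str, UnitProfile]) -> List[Tuple[str, float, float]]:
    """Business units ranked by expected loss: the financial and strategic view."""
    rows = [(u.business_unit, u.expected_loss, u.worst_case) for u in profile.values()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def operational_view(profile: Dict[str, UnitProfile], business_unit: str) -> List[Tuple[str, str, float]]:
    """Risks inside one unit ranked by expected loss: the drill-down for IT management."""
    rows = [(r.name, r.owner, r.expected_loss()) for r in profile[business_unit].risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample risk register (all names and figures are made up for this example).
SAMPLE_RISKS = [
    Risk("Unpatched customer database", "Sales", 0.25, 500_000.0, "platform-team"),
    Risk("Lost unencrypted laptop", "Sales", 0.125, 80_000.0, "endpoint-team"),
    Risk("Phishing leads to mailbox compromise", "Finance", 0.5, 120_000.0, "identity-team"),
    Risk("Ransomware on file server", "Operations", 0.0625, 900_000.0, "infra-team"),
]


if __name__ == "__main__":
    profile = build_profile(SAMPLE_RISKS)
    print("Board view (unit, expected annual loss, worst case):")
    for unit, expected, worst in board_summary(profile):
        print(f"  {unit:<12} {expected:>12,.0f} {worst:>12,.0f}")
    print("Operational view for Sales (risk, owner, expected annual loss):")
    for name, owner, expected in operational_view(profile, "Sales"):
        print(f"  {name:<36} {owner:<15} {expected:>10,.0f}")
```

The two output tables correspond to the two audiences described earlier: the Board sees one line per business unit with the aggregate exposure, while IT management sees the individual risks of a unit ordered so that remediation effort can be prioritized against the largest expected loss.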