
Regardless of portfolio size, the number of risks that accumulate across individual organisations and the portfolio as a whole can become overwhelming. So, how do you manage it?
Complexity is everywhere
Managing the risks becomes more complex if your portfolio spans multiple industries. We can often associate certain risks with similar sectors.
Take a portfolio of financial companies, for example. A risk-based approach tells us we should focus on:
- Personal data each company holds
- Whether they know where data is stored and how it’s classified
- Whether they have data loss prevention solutions to block data exfiltration
Even similar companies have differences. Where a company operates may change its regulatory requirements for cyber security and personal information protection. Company size also matters: one firm may hold millions of personal records while a smaller company holds only several thousand.
The challenge becomes even more significant when analysing risks across diverse industries.
Cyber security starts from the top
The key is to have oversight of your whole portfolio. It doesn’t need to be a deep dive into the cyber security of each company. So how can you track, manage, and review those risks?
Start with a light-touch assessment to understand what each company is doing and to what extent.
Don’t focus solely on operational aspects. Yes, a bottom-up approach will tell you which controls they have in place or may need. However, that’s just one part of a broader cyber security posture. If they have the majority of basic controls in place, but don’t know where their risk lies, then how can they be so certain they have the right things in place to reduce their risk exposure?
Cyber security starts from the top. So you need oversight of how the company strategy approaches cyber security, the governance overseeing it, how the company manages risk, the controls it uses and how it manages its supply chain.
We use our cyber scorecards to provide a top-down assessment of cyber posture. This allows us to assess and benchmark both the effectiveness of an organisation’s long-term cyber governance and its ability to respond to short-term issues.
Once you have a consolidated view, you can begin to assess where the risks lie within the portfolio.
This shouldn’t be just a one-off review
Changes happen regularly. A change in personnel or a newly acquired business, for example, may change the approach to cyber security. Therefore, your year-on-year cyber security overview of the portfolio may shift.
Seeing the trends helps you establish where risk may be most concerning. This will help you integrate risk management into your portfolio’s value-creation activities.