
Regardless of portfolio size, the number of risks that accumulate across individual organisations and the portfolio as a whole can become overwhelming. So, how do you manage it?
Complexity is everywhere
Managing the risks becomes more complex if your portfolio is spread across multiple industries. We can often associate certain risks with particular sectors.
Take, for example, a portfolio of financial companies. To start, a risk-based approach could tell us we should be most concerned about the personal data each company holds. At portfolio level, we’d want companies to ensure they have the right level of controls in place to protect the personal data they hold. For instance, do they know where their data is stored and how it’s classified? Do they have a data loss prevention solution that will block data exfiltration?
But again, even though it may seem less complex, there may still be differences. For example, where a company operates may change how cyber security and personal information must be handled from a regulatory perspective. Or, varying company size may mean that one company holds millions of personal records, compared to a smaller company that holds only several thousand.
The challenge becomes even more significant when analysing risks across diverse industries.
Cyber security starts from the top
The key is to have oversight of your whole portfolio. It doesn’t need to be a deep dive into the cyber security of each company. So how can you track, manage, and review those risks?
Start with a light-touch assessment to understand what each company is doing and to what extent.
The focus doesn’t need to be solely on the operational aspects of cyber security either. Yes, a bottom-up approach will tell you which controls they have in place or may need. However, that’s just one part of a broader cyber security posture. If they have the majority of basic controls in place but don’t know where their risk lies, how can they be certain they have the right things in place to reduce their risk exposure?
Cyber security starts from the top. And so, you need oversight of the way the company strategy approaches cyber security, the governance overseeing it, how they manage risk, the controls they use and how they manage their supply chain.
We use our cyber scorecards to provide a top-down assessment of cyber posture. This allows us to assess and benchmark the effectiveness of an organisation’s long-term cyber governance and its ability to respond to short-term issues.
Once you have a consolidated view, you can begin to assess where the risks lie within the portfolio.
This shouldn’t be just a one-off review
Changes happen regularly. A change in personnel or a newly acquired business may change the approach to cyber security, for example. Therefore, your year-on-year cyber security overview of the portfolio may shift.
Seeing the trends helps you establish where risk is most concerning. This will help you integrate risk management into your portfolio’s value-creation activities.