Back to Basic: Understanding The Crucial Difference Between Cyber Risk and Cyber Security

As the CEO at Cybercraft, I've noticed a recurring theme in our interactions with organisations across Australia & New Zealand: the conflation of cyber risk and cyber security. Despite having constant workshops and fact sheets around what the difference is, the amount of times I get told we are working on cyber security with our IT provider instead of how we are working to understand our cyber risk. Remote working and the evolution of AI means it demands a clear understanding of these two distinct, yet inter related discussion to ensure the resilience and sustainability of our businesses.

Let’s use the home security analogy from a home owners perspective. Think of cyber security as the locks on your doors - the mechanisms that keep the burglars out. It involves implementing protective measures, such as firewalls, encryption, and antivirus software, to defend our electronic systems, networks, and data from cyber threats. In essence, it is the operational & control side of managing your business.

On the other hand, cyber risk management can be likened to understanding what is considered important to you. Like your kids, pets, family heirlooms. Now how well are these protected? It is a strategy that identifies potential threats to your home (in this case, your organisation), assesses the degree of damage they could cause, and decides on the best approach to mitigate them. It involves looking at the bigger picture more from a holistic point of view, anticipating what could go wrong, and planning accordingly.

Amongst the conversation I have had, today I had 3 different times where IT and cyber security was used when I asked about cyber risk management. Today this occurred when a supplier asked us to send sensitive identification documents via email. Responding to our concerns about the security of email transmissions, they suggested alternatives such as using Dropbox or meeting in person, approaches that lean more toward cyber security controls.

However, the focus on cyber security can sometimes obscure the larger context of cyber risk. In the given example, a comprehensive cyber risk management strategy would first identify email transmission of sensitive data as a risk, then assess its potential impact (such as a data breach), and finally develop an appropriate response strategy (like secure file transfer methods or in-person verification).

This narrative that conflates cyber risk and cyber security needs to change. While robust cyber security measures are undoubtedly essential, they are but one piece of the puzzle. In the grand scheme of things, understanding and effectively managing cyber risks is what will keep us ahead of the curve.

Why is this crucial? Because focusing solely on cyber security is like continually upgrading your door locks without considering other vulnerabilities in your home or assessing the potential threats in your neighborhood. A comprehensive cyber risk management strategy gives us a 360-degree view of our vulnerabilities and provides us with the tools to address them effectively.

In the landscape, where risks evolve as swiftly as businesses are becoming agile and innovation emerges, understanding the difference between cyber risk and cyber security is not just a necessity—it's crucial for business resilience. It's about transitioning from a reactive approach that addresses issues as they arise to a proactive approach that anticipates and mitigates risks.

To my executives who are listening, I urge you to initiate conversations about cyber risk management within your organisations. Encourage your teams to view cyber security as an integral part of a larger strategy rather than an isolated function. In doing so, we are not just safeguarding our individual organisations but contributing to a more secure and resilient business ecosystem. Together, let's shape the narrative and redefine our approach to cyber risk and cyber security.