Skip to content


Gaining a good grip on risks with COBIT 5

COBIT 5 (Image 6)Hard on the heels of Talk Talk are Vodafone and Marks & Spencer. Like Talk Talk, Vodafone can be classed as a ‘cyber security’ breach, whilst Marks & Spencer is a more traditional, technical error that just so happened to affect its website, demonstrating how closely intertwined the new, cyber risks are with the old. (For Vodafone, look at SC Magazine and Tech Week Europe. For Marks & Spencer, look at The Mirror.)

Risk management has become more complex. Its scope includes threats as well as the traditional risks, and its impacts are transparently obvious. Boundaries between internal and external risks have merged: ‘business-as-usual’ is having to merge with ‘business continuity’ to meet the demand for 24/7 business availability. Welcome to the new world of business resilience. And to COBIT 5.

The framework helps join the dots between risks and threats. As a result, it helps identify immediate responses and relevant remedial actions to minimise impacts.

COBIT 5 encourages a common risk language. Here are some of mine:

  • ATTACK SURFACE: whilst a term mainly used to describe technology that can be targeted by external threats, is actually much broader. Include such things as internal ‘Chinese Walls’ and ‘straight-through-processing’. Consider every member of staff. All can be attacked.
  • BUSINESS-AS-USUAL: the practices in place to achieve business objectives within a controlled environment commensurate with the risk tolerances of the organisation.
  • BUSINESS CONTINUITY: the practices applied to address the impacts of risks that have crystallised.
  • BUSINESS RESILIENCE: the level of capability available for keeping the business running under all circumstances.
  • IMPACT: how reputation, operations and financials are affected.
  • THREATS: negative events that will occur at any time and may have occurred without the Target being aware, so impact is unquantifiable in advance.
  • RISKS: identifiable events that might occur within an estimated time period, with some understanding of the impact. It is made up of a ‘cause’ that affects an ‘asset’ resulting in ‘consequences’. It need not be negative, as Risk equates to the opportunity arising from optimizing the benefit versus the cost of the risk. Successful risk management relies on firms knowing their risk appetite and tolerances, and implementing commensurate controls.
  • RISK APPETITE: the amount of risk that is desired. This will vary according to the business stream.
  • RISK TOLERANCE: the amount of risk that can be borne. Sometimes the tolerance will be near zero (e.g. payment settlement transactions), sometimes quite high (e.g. 5% error rate in raw data).

In reality, no firm can achieve 100% business resilience but COBIT 5, through its principles, can help firms prioritise investment that builds capability across their people, policies, processes and practices.

Here are four examples.

1. Looking at the whole of the enterprise (covered by Principle 2, covering the enterprise end-to-end).

You need to know where the Attack Surface is. COBIT 5 will help you define where this is and manage four key risk groups:

  • Gift to control: these are well-known and well established practices, and the firm’s risk tolerance will determine the level of control.
  • Halfway-house: the risks to outsourced services and operations. 3rd party services, such as data centres and cloud facilities, fall somewhere between the firm’s internal and external environments. You know you will be at risk but have no direct control.
  • Open-door access: this covers customers, clients, staff, support team, in fact anyone who is given access to items held on websites or within core systems.
  • Unsolicited attack: this covers denial of service and unauthorised infiltration from internal and external parties.

2. Understanding that the Hacker is also a stakeholder (covered by Principle 1, meeting stakeholder needs)

The Hacker is now a very important stakeholder. Unwelcome, maybe, but one nonetheless. Hackers have a significant stake in our organisations, whether as a spy, thief or fanatic, any of whom could be an insider. Controls need to disable this stakeholder category whilst enabling the rest. COBIT 5 helps boards make sure risks assessment and control budgets take Hackers into account.

3. Establishing risk appetite and tolerances (covered by Principle 4, enabling a holistic approach)

This has to be appropriate to each part of the business. The level of risk the firm accepts will depend on the quality of the underlying technology and data, the business sector, and the contract with the customer. Only when these factors are taken into account is it possible to create the appropriate control budget.

4. Integrated building blocks for business resilience (covered by Principle 3, covering the enterprise end-to-end)

The approach to business resilience is similar to that of business continuity management. Business continuity management focusses on the impacts rather than each cause. Business resilience focus on the vulnerabilities, not each threat. So:

  • Identify the vulnerabilities in your organisation. This is not just technology and data but also people and the processes and practices used.
  • See risk management, business continuity, crisis management and assurance as a part of business resilience. Each have a role to play. Risk management reveals the causes of what could go wrong.
  • Business continuity management enables us to address crystallized risks. Crisis management provides the necessary responses to fast burn events where time is of the essence. Assurance provides evidence of the level of business resilience.
  • Risk appetite and tolerances come into play here, too, as they will provide the framework for determining the level of investment and priorities to control the business environment.

ISACA members can find a good summary here.

COBIT 5 is worth the investment as it helps make sense of what is otherwise a worrisome and vast amount of threats. It helps firms retain focus on preventive controls whilst enabling it to refocus on detection and response controls, necessary for protecting the Attack Surface and providing business resilience.

Posted in COBIT 5, Cyber Security.