Breaking down silos: Why cyber security and risk should work together.
Many businesses across the Asia Pacific have an internal division between their risk management function and their cyber security function. This is unfortunate, because when risk and cyber security work together, overall security maturity, and awareness of cyber security risks among Boards and senior executives, tends to be greater.
As cyber threats grow more complex and persistent, organisations can no longer afford a fragmented approach to cyber defence. The integration of IT, cybersecurity, and risk management functions has become essential for building a resilient and adaptive security posture.
This article explores why collaboration between these key functions is critical, the challenges holding organisations back, and how a strategic security partnership model can drive meaningful change.
The evolving cyber security landscape
Cyber threats have evolved from isolated incidents to sophisticated, multi-vector attacks with the potential to disrupt entire enterprises. Ransomware, supply chain attacks, insider threats, and data breaches now target not just technical systems but also business operations, increasing the risk of loss of confidentiality and brand trust.
In this context, cybersecurity threats move beyond a technical issue to pose a serious business risk. As a result, managing cybersecurity effectively requires more than deploying firewalls and antivirus software. It demands collaboration between IT, cybersecurity, and risk management teams, each of which brings unique perspectives, expertise, and responsibilities to the table.
Understanding the roles: What is the difference between your IT, cyber security and risk functions?
To understand why these functions should work together, we must first explore why these are separate functions and the different roles each plays within an organisation.
IT (Information Technology)
These teams build and maintain the digital infrastructure of an organisation - networks, endpoints, cloud services, and applications. They enable business operations through technology and are often the first responders when systems fail or are attacked.
Cyber security
These teams focus on protecting digital assets and information. They implement security tools, monitor for threats, respond to incidents, and ensure compliance with industry standards.
Risk management
These teams evaluate the broader organisational risks—financial, operational, regulatory, reputational—and align risk appetite with business goals. They help quantify the impact of potential threats and prioritise resources accordingly.
These functions intersect at multiple points. IT systems must be secure, security decisions must consider risk exposure, and risk strategies must reflect the digital realities of the organisation. Working in isolation, these teams can miss key insights or duplicate efforts, leading to blind spots and inefficiencies.
The silo problem: Challenges in current models
Despite their shared objectives, many organisations operate in silos. This fragmented approach stems from differences in priorities, language, tools, and reporting structures.
- IT teams often focus on system performance, uptime, and user satisfaction.
- Security teams are concerned with threat mitigation, compliance, and incident response.
- Risk teams take a broader, strategic view, emphasising likelihood and impact across all business domains.
Without collaboration, critical risks can go unaddressed. For example, IT might deploy a new cloud solution without consulting security, leading to misconfigured access controls. Meanwhile, the risk team may not be aware of the deployment and fails to assess its impact on compliance.
This lack of alignment can result in:
- Duplicated efforts and wasted resources.
- Delayed incident responses.
- Inconsistent risk prioritisation.
- Security controls that are either too strict (hampering business) or too lax (exposing assets).
Integrating risk perspectives into cyber security
Integrating the risk management function into cybersecurity strategy helps shift the conversation from “How do we secure everything?” to “What’s most important to secure?”
This approach enables organisations to:
- Prioritise high-impact risks instead of reacting to every possible threat.
- Make informed trade-offs between security investments and business goals.
- Create a shared language for discussing cybersecurity in terms of business risk, which resonates better with executives and board members.
For instance, instead of viewing a phishing attack solely as a technical breach, risk managers help frame it as a potential threat to customer trust, financial integrity, or regulatory compliance.
Barriers to effective collaboration
Achieving this integration is easier said than done. Several challenges stand in the way:
- Technical complexity: Modern IT environments are sprawling and dynamic, making it hard for security and risk teams to keep up.
- Organisational silos: These functions often report to different leaders, operate with different KPIs, and use different tools—making alignment difficult. Implementing internal controls can aid in bridging these silos effectively.
- Cultural misalignment: Risk managers might be seen as gatekeepers, security as naysayers, and IT as speed-over-security operators. Overcoming these stereotypes takes effort and executive sponsorship.
- Tool incompatibility: Risk platforms, security dashboards, and IT management systems often don’t integrate seamlessly, limiting visibility and collaboration.
What does an integrated cyber risk management approach look like?
Aligning on cyber risk typically entails the following:
- Risk quantifies and documents the risks that may impact the organisation.
- Cyber security risks are then discussed and agreed with the cyber security division.
- The heads of risk and cyber security (Chief Risk Officer and Chief Security Officer) then work together to determine a risk treatment plan.
- They will then jointly present this to the Board and Executives to:
  - Firstly, educate them on the cyber security risks likely to impact the organisation, with priorities assigned based on the likely impact.
  - Outline risk treatment plans for each prioritised risk.
  - Present return on investment figures to the Board and Executives to gain support for the risk treatment plan, which then becomes a cyber security program of works to enhance the organisation’s security posture and reduce its risk exposure.
- Once the program is running, both ‘heads of’ will regularly present to the Board and Executives the progress being made and clearly articulate the reduction in cyber security risk.
The overall risk posture and treatment plans are then updated at least six monthly in light of new and emerging cyber risks.
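A worked version of the quantify, prioritise, treat and report steps above, added here as an example and not taken from the original article. The Risk and Treatment classes, the use of annualised loss expectancy (likelihood × impact) as the "likely impact" measure, and every figure in the register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed figures only: likelihood = estimated annual probability, impact = loss per event (AUD)
@dataclass
class Risk:
    name: str
    likelihood: float
    impact: float
    def ale(self) -> float:
        """Annualised loss expectancy: the 'likely impact' used to prioritise."""
        return self.likelihood * self.impact
@dataclass
class Treatment:
    risk: str            # name of the risk this treatment addresses
    control: str
    annual_cost: float
    likelihood_after: float
    impact_after: float
    def residual_ale(self) -> float:
        return self.likelihood_after * self.impact_after

def prioritise(risks):
    """Order the register by likely annual loss, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)
def treatment_roi(risk, treatment):
    """ROI of a treatment: (annual loss avoided - annual cost) / annual cost."""
    avoided = risk.ale() - treatment.residual_ale()
    return (avoided - treatment.annual_cost) / treatment.annual_cost
def treatment_plan(risks, treatments):
    """Joint CRO/CSO view: one row per prioritised risk plus programme totals."""
    by_risk = {t.risk: t for t in treatments}
    rows = []
    for r in prioritise(risks):
        t = by_risk[r.name]
        rows.append({"risk": r.name, "control": t.control, "ale": r.ale(),
                     "residual": t.residual_ale(), "roi": treatment_roi(r, t)})
    before = sum(row["ale"] for row in rows)
    after = sum(row["residual"] for row in rows)
    return rows, {"ale_before": before, "ale_after": after,
                  "reduction_pct": 100 * (before - after) / before}

REGISTER = [  # constructed sample register, as the risk function would document it
    Risk("Phishing-led account takeover", 0.60, 250_000),
    Risk("Ransomware on file servers", 0.30, 2_000_000),
    Risk("Public cloud storage misconfiguration", 0.25, 800_000),
]
TREATMENTS = [  # constructed treatments agreed with the cyber security division
    Treatment("Phishing-led account takeover", "Phishing-resistant MFA", 40_000, 0.15, 250_000),
    Treatment("Ransomware on file servers", "Offline backups and EDR", 150_000, 0.30, 400_000),
    Treatment("Public cloud storage misconfiguration", "Cloud posture monitoring", 60_000, 0.05, 800_000),
]
```

Calling `treatment_plan(REGISTER, TREATMENTS)` gives the Board view: ransomware ranks first on likely impact, each control carries its own ROI, and the programme total is the risk reduction figure to report back against at each six-monthly review.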
Three points need to be made at this juncture:
- Cyber security initiatives should be part of the overall organisational risk management framework, and cyber security risks should be prioritised and treated within this framework as any other organisational risk
- Any cyber security initiative should be aligned to the organisation’s risk management goals and justified in monetary terms with respect to risks reduced.
- The Board and Executives should be a part of this process in terms of understanding the need for cyber security initiatives as well as being the ones that approve these initiatives. Regular and accurate reporting on this program of works is important in order to ensure the Boards and Executives have visibility of progress being made (security is a journey after all!)
To summarise, for cyber security initiatives to be successful in an organisation, both risk and cyber security must work together:
- Risk will help determine and quantify the cyber security risks that may impact the organisation.
- Cyber security will validate these, help prioritise them, and implement controls that help manage these risks.
What are the benefits of cyber, IT and risk working together?
Organisations that break down silos and foster collaboration see substantial benefits:
- Better risk prioritisation: Resources are focused on what matters most.
- Improved resilience: Integrated teams respond faster and more effectively to incidents.
- Reduced friction: Less finger-pointing, more shared accountability.
- Stronger compliance: Coordinated approaches ensure smoother audits and adherence to regulations.
- Cultural alignment: Teams see themselves as partners, not rivals.
How do you measure the effectiveness of your cyber security measures?
Effectiveness of cyber security measures can be gauged through various metrics, including incident response time, the number of detected threats, and user awareness. Regular audits and vulnerability assessments also help identify weaknesses, ensuring your organisation maintains robust defences against evolving threats in the cyber landscape.
Assess your cyber risk management approach
Siloed approaches simply don't work against the complexity and speed of modern threats. By fostering a collaborative model that integrates IT, cybersecurity, and risk management, organisations can move beyond reactive firefighting and toward proactive, business-aligned security.
Take a critical look at your current cybersecurity model. Are IT, security, and risk teams working in harmony or in parallel? Start the conversation, bridge the gaps, and build a strategy that reflects the interconnected nature of today's threat landscape and the level of risk your organisation may face. Your resilience depends on it.
For more information on our Cyber-Security & Resilience services, please contact Ashwin Pal or visit our webpage.