In the modern landscape of cybersecurity, one uncomfortable truth is clear—managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today’s most skilled teams.
Dave Hatter, a cybersecurity consultant at Intrust IT and 30-year veteran of the industry, explains, “As more of our physical world is connected to and controlled by the virtual world, and more of our business and personal information goes digital, the risks become increasingly daunting. While it has never been more important to manage cyber risk, it also has never been more difficult.”
Why is managing cyber risk so much harder today than ever before?
One doesn’t need to look far for the answers. Start with the explosion of cloud services and third-party vendors that handle sensitive data. A Ponemon Institute study estimates the average company shares confidential information with 583 third parties. As such, IT security teams have their hands full managing complex infrastructures full of vendor risk.
Meanwhile, organizations face a growing number of laws and regulations that govern how confidential data must be protected. Today’s enterprises are held accountable for third parties processing data on their behalf. As if handling your own risk wasn’t challenging enough—today’s organizations must manage vendor risk as well.
Don’t forget to factor in the COVID-19 pandemic, with employees working remotely on unsecured networks, scrambled security protocols, and recession-driven budget and staffing cuts. Enterprises face more responsibility with fewer resources, all under the pressure of mounting regulations that come with steep penalties for non-compliance.
So, facing this multitude of obstacles, how can your organization hope to manage risk today?
It starts with building knowledge of the risk management process, identifying the critical action steps, and understanding the essential capabilities your organization will need to effectively conduct assessments and manage risk.
This article will address all three, but first, let’s begin by examining the current state of cybersecurity risk management.
Why Organizations Need Strong Cybersecurity Risk Management Capabilities
Rapid change is the norm in cybersecurity—from new technology acquisitions to emerging regulations, the pace of change is fast and growing faster. COVID-19 forces organizations to adapt or perish, creating new operating procedures on the fly to keep pace with evolving scenarios. In this backdrop of widespread change, it’s more critical than ever for security and compliance professionals to fully understand what’s happening within their organizations at all times.
This brings us to a critical point in the discussion. The immense challenge of managing cybersecurity risk falls across the many segments of an organization. Often siloed, these segments view risk management from their business function. Regrettably, they lack a holistic perspective necessary to address risk in a comprehensive and consistent manner.
So, who should own what part of security risk? The short answer is everyone—sharing full ownership and responsibility. However, it gets complicated when four business functions all have a horse in the race.
Each function has its agenda, often with limited understanding and empathy for others. IT leads with fresh ideas and new technologies, often viewing security and compliance as annoying roadblocks to progress. Security knows safety but is often out of touch with regulations and evolving technologies. The sales team is looking to keep their customers happy, clamoring for an efficient way to complete security audits. Compliance wants to keep everyone out of trouble with strict adherence to regulations, often operating without an in-depth understanding of security.
Effectively managing cybersecurity risk requires all functions to operate with clearly defined roles and specific responsibilities. The days of siloed departments stumbling along in disconnected confusion are over. Today’s risk landscape requires a unified, coordinated, disciplined, and consistent management solution. Below are some key risk management action components all organizations must keep in mind:
- Development of robust policies and tools to assess vendor risk
- Identification of emergent risks, such as new regulations with business impact
- Identification of internal weaknesses such as lack of two-factor authentication
- Mitigation of IT risks, possibly through training programs or new policies and internal controls
- Testing of the overall security posture
- Documentation of vendor risk management and security for regulatory examinations or to appease prospective customers
The Cybersecurity Risk Management Process
When it comes to managing risk, organizations generally follow a four-step process beginning with identifying risk. Next, risk is assessed based on the likelihood of threats exploiting vulnerabilities and the potential impact. Risks are prioritized, with organizations choosing from a variety of mitigation strategies. The fourth step, monitoring, is structured to keep risk response and controls current despite a continually shifting environment.
The good news for organizations looking to assess their risk level is that plenty of help is available. The National Institute of Standards and Technology (NIST) created a third-party risk management framework known as NIST Special Publication 800-30 to guide federal information systems’ risk assessments. The 800-30 framework expands on the instruction of Special Publication 800-39. It is closely related to Special Publication 800-53, another third-party risk management framework that provides a catalog of security and privacy controls for federal information systems. Though NIST SP 800-30 isn’t mandatory in the private sector, it provides a helpful guide for all organizations assessing risk.
Let’s explore each step of the Risk Management Process in more detail.
Identify Cybersecurity Risks- Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” In other words, what are the odds of an existing threat exploiting a vulnerability, and, if so, how bad would the consequences be? Risk identification is the first step in the management process. Modern security teams have their hands full with the growth of IT systems, the explosion of regulations, and the complications of COVID creating potential risks around every corner.
Threats are circumstances or events with the potential to negatively affect an organization’s operations or assets through the unauthorized access of information systems. Threats can manifest everywhere—in the form of hostile attacks, human errors, structural or configuration failures, and even natural disasters.
Vulnerabilities can be defined as weaknesses in an information system, security procedure, internal control, or implementation that can be exploited by a threat source. Often the result of inadequate internal functions like security, vulnerabilities can also be found externally in supply chains or vendor relationships.
Consequences can best be defined as the adverse results that occur when threats exploit vulnerabilities. Impact measures the severity of those consequences, and your organization will need to estimate such costs when attempting to assess risk. Keep in mind these costs usually come in the form of lost or destroyed information, which can be a significant business setback for any organization.
Assess Cybersecurity Risks- Risk assessments provide an excellent opportunity to emphasize the importance of security across your organization. Assessing risk allows your team to practice the communication and cooperation that will play a critical role in future risk management.
What is your organization’s level of risk? Assessment is the all-important step when that answer becomes clear. Start by naming all assets and prioritizing their importance. Second, identify all possible threats and vulnerabilities in your environment. At this point, address all known vulnerabilities with appropriate controls. Next, attempt to determine the likelihood of a threat event occurring, and conduct an “impact analysis” to estimate its potential consequences and cost impact. Your resulting determination of risk will serve as a guide to inform risk management decisions and risk response measures moving forward.
The NIST Guide for Conducting Risk Assessments discussed in Special Publication 800-30 can help your team with a four-step progression. Prepare for your assessment by clarifying your purpose, scope, constraints, and risk model/analytics to be used. Conduct your assessment to list risks by likelihood and impact for an overall risk determination. These results will be shared and drive your team’s mitigation efforts across the enterprise. Finally, this guide directs the maintenance of your assessment by continually monitoring environments.
Identify Possible Cybersecurity Risk Mitigation Measures- Identifying and assessing risk is just the beginning. What is your organization going to do about the risk you find? What will your mitigation response be for managing risk? How will you manage residual risk? History tells us the most successful risk management teams have a well-thought plan in place to guide their risk response strategy.
The all-important third step of response starts by understanding all your options for risk mitigation—your team can employ either technological or best-practice methods, ideally a combination of both. Technological risk mitigation measures include encryption, firewalls, threat hunting software, and engaging automation for increased system efficiency. Best practices for risk mitigation include cybersecurity training programs, updating software, privileged access management (PAM) solutions, multi-factor authentication, and dynamic data backup.
Smart organizations know to base their risk response measures and risk management posture on real data. They prioritize risks as well as mitigation solutions using concrete data from real-world applications.
That brings us to residual cybersecurity risk. This is the risk left over after applying all mitigation measures—the type of unavoidable risk you can’t do much about. You have two choices for residual risk—learn to live with it or transfer it to an insurance provider who will shoulder it for a fee. Cybersecurity insurance provides a last-ditch option for lessening residual risk and stands to become more popular as the damage cost of cyber incidents becomes easier to calculate.
Speaking of damage costs, it has become increasingly necessary for organizations to accurately estimate these in relation to cybersecurity risk. When estimating damage costs of cybersecurity risk, you need to keep three types of costs in mind. Operational costs involve lost time or resources and are easy to calculate. Fiscal costs can include fines for non-compliance or lost income when existing clients defect or new opportunities are lost. The hardest to calculate is the reputational cost associated with breaches that violate customer privacy and trust.
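The assessment steps above (likelihood, impact analysis, risk determination) and the residual-risk and damage-cost discussion in this section can be worked through with a small risk register. The code below is an added example, not part of the original post or of any NIST publication; the five-level scale is in the style of NIST SP 800-30, but the numeric weights, cost thresholds, risk tolerance and all register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Five-level qualitative scale in the style of NIST SP 800-30; the numeric weights,
# cost thresholds and the tolerance of 8 below are this example's own assumptions.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
COST_THRESHOLDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str              # key of LEVELS, from the threat/vulnerability analysis
    operational: float           # lost time or resources
    fiscal: float                # fines, lost income
    reputational: float          # lost customer trust, the hardest to estimate
    # (control name, likelihood levels removed, fraction of damage cost avoided)
    controls: list = field(default_factory=list)

def impact_level(cost: float) -> int:
    """Map the three summed damage costs onto the qualitative impact scale."""
    return next((lvl for limit, lvl in COST_THRESHOLDS if cost < limit), 5)

def inherent_score(r: Risk) -> int:
    return LEVELS[r.likelihood] * impact_level(r.operational + r.fiscal + r.reputational)

def residual_score(r: Risk) -> int:
    """Score left after every planned control has reduced likelihood and/or impact."""
    like, cost = LEVELS[r.likelihood], r.operational + r.fiscal + r.reputational
    for _name, like_drop, cost_fraction in r.controls:
        like = max(1, like - like_drop)
        cost *= 1 - cost_fraction
    return like * impact_level(cost)

def prioritize(register):
    """Rank by inherent score; the residual is either accepted or transferred (insured)."""
    ranked = sorted(register, key=inherent_score, reverse=True)
    return [(r.asset, inherent_score(r), residual_score(r),
             "transfer (insure)" if residual_score(r) >= 8 else "accept")
            for r in ranked]

# Constructed sample register with three findings from an assessment.
REGISTER = [
    Risk("customer database", "credential theft", "no two-factor authentication on admin portal",
         "high", 50_000, 400_000, 1_000_000, controls=[("enforce MFA", 2, 0.0)]),
    Risk("payroll vendor", "vendor breach", "third party holding payroll data never assessed",
         "moderate", 20_000, 150_000, 200_000, controls=[("vendor assessment", 1, 0.0)]),
    Risk("file server", "ransomware", "backups never restore-tested",
         "moderate", 80_000, 20_000, 5_000, controls=[("tested offline backups", 0, 0.8)]),
]
```

Calling `prioritize(REGISTER)` ranks the database risk first (inherent 16) and shows that MFA alone leaves a residual of 8, which under the assumed tolerance is a candidate for transfer rather than acceptance.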
Ongoing Monitoring- Your organization has identified, assessed, and mitigated the risks in your environment. In a perfect world, that would be enough. But as we know, change is a constant, and your team will need to monitor environments to ensure internal controls maintain alignment with IT risk. Your organization will want to monitor:
Regulatory change- Staying abreast of all regulations and their shifts will ensure your internal controls align with outside expectations.
Vendor risk- Be sure to assess and document security and compliance controls as new vendors onboard. Remember, their shortcomings can become your headaches.
Internal IT usage- Know what technology your internal teams use and how they use it to stay ahead of potential gaps.
The Roles Internal Compliance and Audit Teams Play in IT Risk Management
Risk management is a continual process that should always include re-assessment, new testing, and ongoing mitigation. Keep in mind internal compliance and audit teams can play a significant role in controlling IT risk moving forward. Below are nine ways they can help:
Critical Capabilities for Managing IT Risk
Assessing risk has never been easy, and thanks to COVID-19 and the economic recession, conducting IT risk assessments is more challenging than ever. What capabilities will your team need to navigate these current challenges?
Glad you asked. Below we leave you with some critical capabilities your organization will need to conduct IT assessments and effectively manage risk today.
Collaboration and communication tools- As teams across the enterprise participate in risk assessment and mitigation phases, they will need the tools for effective communication. These tools should provide a clear conversation record for team members in different locations, time zones, or countries.
Risk management frameworks- Be sure your team takes full advantage of third-party risk management frameworks like NIST Special Publication 800-30 to guide risk assessment and management. These third-party frameworks can help audit teams perform a swifter, more precise gap analysis between compliance requirements and current operations.
Analytics- This versatile tool can help with root cause analysis and the predictive analysis of emerging risks.
Single data repository- Here, risk, compliance and security professionals can store risk assessments, test results, documentation, and other relevant information.
Issues management tools- These instruments organize assignments of specific mitigation steps and automate reminders to complete tasks in a timely fashion. They also notify senior executives if tasks aren’t completed.
Versatile reporting- The flexibility to present IT risk management reports to business unit leaders and senior executives in the most desired and usable format.
Managing risk across the enterprise is harder than ever today. Modern security landscapes change frequently, and the explosion of third-party vendors, evolving technologies, and a continually expanding minefield of regulations challenge organizations. The COVID-19 pandemic and recession have further raised the bar for security and compliance teams by creating more responsibility while diminishing resources.
With this backdrop, it’s become critically important for your organization to employ a four-step Risk Management Process. Identify and assess to create your risk determination, then choose a mitigation strategy and continually monitor your internal controls to align with risk. Keep in mind re-assessment, new testing, and ongoing mitigation should always play a large role in any risk management initiative.
In the final analysis, there’s no rest in the modern pursuit of risk management. It hardly seems fair in a climate of continuous and unparalleled change, with threats and vulnerabilities multiplying by the minute. However, with the help of analytics, collaboration/communication/issue management tools, and third-party risk management frameworks, smart and successful organizations will continue to hold their own in the battle to manage IT risk and maintain security across the enterprise.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Hyperproof Team. Read the original post at: https://hyperproof.io/resource/cybersecurity-risk-management-process/