Posted on Aug 10, 2020
Nearly all cybersecurity regulations and industry standards start with a risk assessment process. However, for many organizations, formalizing their series of risk reviews into an enterprise cyber risk management framework can feel overwhelming. Operationalizing your security risk by developing an enterprise risk management framework can provide a more effective strategy for the long term.
Before developing an enterprise risk management (ERM) framework, you need a strong understanding of the benefits it gives to your organization.
An enterprise risk management framework, referred to as an integrated framework by some regulations and industry standards, requires you to identify known risks, review any changes made to your IT portfolio, assess new risks, and work with management to determine how to improve the risk reporting.
Functionally, by continuously iterating this series of steps, you create an overarching program with repeatable actions that more proactively address risks and enhance risk response activities.
The first step to developing a successful ERM framework is to create a cross-functional team and determine the organization’s most imperative business goals. In many organizations, this team includes the IT department, line of business leadership, and senior executive leadership.
For example, if your company is moving towards a cloud-first or cloud-only strategy, the team should include:
Each internal stakeholder has different needs and concerns, so by bringing them together, your organization can make more informed decisions.
As part of developing an ERM framework, you need to identify risk across your current IT portfolio. The basic premise underlying this step is that you can’t secure everything, but you definitely can’t secure the locations that you don’t know exist. As your organization builds out its digital transformation strategy, you expand the attack surface.
For example, you should ask:
Understanding all the potential locations, data types, and users that can pose a risk to your information security posture means that you have a deeper understanding of potential threats and can create stronger risk mitigation strategies.
Once you identify the risks, you need to examine the level of risk associated with each one. Since not all assets are equally important, you need to think like a malicious actor and decide what resources are most important.
When assessing risk, you should start by looking at the highest risk data types, systems, networks, and software. Some questions to ask include:
Depending on the sensitivity of data and the location where you store it, the risks can be set as low, medium, or high. For example, publicly available information stored in an on-premises database that doesn’t connect to the internet is a low risk. Meanwhile, PII stored in a cloud database might be high risk since misconfigurations can leave it exposed to the world, creating a data breach.
Analyzing risk takes the identification and assessment steps and levels them up a bit. Now that you know what data you have, where it resides, who uses it, and the different types of risk involved, you can analyze the risk more effectively.
Just as not all risks are equal, the likelihood of a data breach varies, and so does the impact a data breach has on your organization. The general equation for analyzing risk is:
Impact of Data Incident × Likelihood of a Data Incident / Costs Incurred
For example, if a database that doesn’t store any sensitive data is breached, the costs incurred and impact would be low. Therefore, even if a high likelihood of incident exists, the low costs and impact mean that the risk is low or medium. However, if you store cardholder data on a segmented network, the impact would be high - both financial and reputational - and so would the costs incurred. Thus, even if the likelihood is medium or low, this area of your IT portfolio is likely a high risk overall.
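As an added example (not code from the original post or from SecurityScorecard), the analysis step above can be kept as a small risk register that applies one consistent rule to every asset instead of arguing each case by hand. Everything here is an assumption: the three-level ordinal scale, taking the worse of impact and incurred cost as a single "severity" axis, the lookup matrix that crosses severity with likelihood, the risk-tolerance cutoff, and the sample assets. The matrix is chosen so that the two cases described in the text (a non-sensitive database with a high likelihood of incident, and cardholder data on a segmented network with a low likelihood) come out as the text states.

```python
from dataclasses import dataclass

# Ordinal scale used throughout; index order is the severity order.
LEVELS = ("low", "medium", "high")

# Qualitative matrix keyed by (severity, likelihood) -> overall risk.
# Assumed here, and deliberately conservative: a high-severity asset stays
# high even when the likelihood is low, matching the cardholder-data case.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "high",     ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass(frozen=True)
class RiskItem:
    """One entry in the risk register (field names are assumptions)."""
    asset: str        # system, network, or service that was identified
    data_type: str    # e.g. public, PII, cardholder
    impact: str       # impact of an incident: low / medium / high
    cost: str         # costs incurred by an incident: low / medium / high
    likelihood: str   # likelihood of an incident: low / medium / high


def _check(level: str) -> str:
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return level


def severity(impact: str, cost: str) -> str:
    """Worse of impact and incurred cost on the ordinal scale (assumed rule)."""
    return max(_check(impact), _check(cost), key=LEVELS.index)


def overall_risk(item: RiskItem) -> str:
    """Cross severity with likelihood through the matrix."""
    return RISK_MATRIX[(severity(item.impact, item.cost), _check(item.likelihood))]


def prioritize(register, tolerance: str = "medium"):
    """Items whose overall risk exceeds the tolerance, highest risk first.

    Everything returned needs a treatment decision (refuse, transfer, or
    mitigate); everything below the cutoff is accepted as-is.
    """
    limit = LEVELS.index(_check(tolerance))
    flagged = [(overall_risk(item), item) for item in register]
    flagged = [(risk, item) for risk, item in flagged if LEVELS.index(risk) > limit]
    # sort is stable, so items of equal risk keep their register order
    flagged.sort(key=lambda pair: LEVELS.index(pair[0]), reverse=True)
    return flagged


# Constructed sample register mirroring the cases discussed in the text.
SAMPLE_REGISTER = [
    RiskItem("marketing-db", "public", impact="low", cost="low", likelihood="high"),
    RiskItem("payments-seg", "cardholder", impact="high", cost="high", likelihood="low"),
    RiskItem("customer-cloud-db", "PII", impact="high", cost="medium", likelihood="medium"),
]

if __name__ == "__main__":
    for item in SAMPLE_REGISTER:
        print(f"{item.asset:20} {item.data_type:12} -> {overall_risk(item)}")
    for risk, item in prioritize(SAMPLE_REGISTER):
        print(f"above tolerance: {item.asset} ({risk})")
```

Running the module scores the non-sensitive database as medium despite its high likelihood, and the segmented cardholder network as high despite its low likelihood; with the tolerance set to medium only the two high items come back from `prioritize`, which is the list the stakeholders then take into the tolerance discussion.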
Once you’ve analyzed all risks, you need to determine your risk tolerance. Some risks might be refused, such as no longer collecting certain types of user data, because they provide too little value to the company compared to the level of risk involved. In some cases, you will accept the risk because the location, data type, or service is imperative to continued business operations. You might also choose to transfer risk by hiring a vendor or purchasing cyber risk insurance. Finally, many organizations set controls, such as encryption, to mitigate risks.
Once you’ve established your risk tolerance and discussed it with the internal stakeholders, you can put a plan into place.
How to continuously monitor and iterate your risk management processes
Even after deciding to transfer or mitigate risk, your organization needs to continuously monitor for new risks. IT portfolios, particularly with the ability to up- and down-scale cloud services, are no longer static. Whether you’re adding new applications or increasing processing power with workloads or containers, your IT ecosystem continues to evolve.
Similarly, malicious actors continue to evolve their threat methodologies. When developing your ERM, you need to incorporate continuous monitoring to protect the organization. As part of this process, you want to consider monitoring:
Since malicious actors will be actively looking to exploit weaknesses across the ecosystem, you need to ensure that your ERM planning includes owned IT and vendor IT controls.
SecurityScorecard’s security ratings platform makes it easier for organizations to assess risk across their connected IT ecosystems. Our platform provides easy-to-read scores using an A through F rating system for at-a-glance visibility into controls’ effectiveness.
For organizations developing an ERM framework, SecurityScorecard’s ten risk factors provide a starting point for looking at high-risk networks, services, and software. Then, by looking at the individual scores provided across the ten groups of risk factors, organizations can prioritize the areas that need strengthening.
With organizations rapidly moving to cloud-first IT infrastructures, SecurityScorecard enables them to accelerate their risk, security, and compliance strategies.