Posted on Mar 22, 2018
Cybersecurity threats and attacks across various business sectors are on the rise pressuring for organizations to continuously assess the risks to any information. While the General Data Protection Regulation (GDPR) has garnered a lot of buzz in 2018, many standards and regulations in the United States also require cybersecurity.
But what are the technical details and operational steps needed to meet the high level guidance on cybersecurity risk? A recent Advisen survey revealed some interesting statistics:
In short, these statistics paint a grim picture over the state of cybersecurity in the United States. While organizations are aware of the high risk of cyber attacks, management team involvement may be decreasing, and organizations may not be evolving their cybersecurity programs quickly enough.
Many organizations have moved to a risk analysis security first compliance posture to enable stronger risk mitigation strategies and incorporate senior management oversight. However, identifying the potential risks to your environment only acts as the first step to understanding your overall risk. In order to identify all potential risks and engage in a full risk analysis that appropriately assesses the overall risk facing your data, you need to incorporate vendor risk as part of your risk management process.
That’s a lot of risk discussion, but you also have a lot of places in your overarching ecosystem that create vulnerabilities. Using a risk management process that establishes a security-first approach to your organization’s data environment and ecosystem means that you’re locking down potential weaknesses first and then backtracking to ensure you’ve aligned controls to standards and regulations. This approach, although it seems backward from a traditional compliance point-of-view, functions as a stronger risk mitigation program by continuously monitoring your data protection to stay ahead of hackers. Standards and regulations mean well, but as malicious attacks increasingly become sophisticated the best practices within these documents may be outdated in a single moment.
An information risk management (IRM) program consists of aligning your information assets to a risk analysis, creating IRM policies that formalize the reasoning and decisions, and communicating these decisions with senior management and the Board of Directors. The National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) both provide guidance for establishing an IRM.
For example, the September 2017 NIST update to NIST 800-37 focuses on promoting information security by recognizing the need for organizational preparation as a key function in the risk mitigation process.
In fact, the core standards organization, ISO, updated its ISO 27005 in July 2018 to focus more on the information risk management process.
Specific to the United States, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated it enterprise risk management framework to minimize data threats while requiring organizations to detail potential risks and manage risks more proactively.
As risk analysis increasingly drives information security practices, you need to focus on a risk treatment program that begins with risk identification, establishes an acceptable level of risk, defines your risk treatment protocols, and create risk mitigation processes.
In order to appropriately manage risk, you need to create an IRM Team consisting of stakeholders across the organization. Relying solely on your IT department may leave gaps in the process. To determine the stakeholders, you should explore the departments integral to risk identification. For example, you might want to ask yourself:
For example, while your IT department sets the controls that protect your information, your human resources department handles a lot of sensitive data. You need to incorporate stakeholders who understand the data risks unique to their role in your organization so that they can work with your Chief Information Officer and Chief Information Security Officer. Additionally, many United States regulations, such as the Sarbanes-Oxley Act of 2002 (SOX) require senior management and Board of Director oversight so they should also be included as part of your IRM team.
Many organizations forget that businesses processes and organizational business objectives should be the baseline for their risk analysis. Senior management needs to not only review the current business objectives but think about the future as part of the risk identification process. Some questions to ask might include:
Understanding the current business objectives and future goals allows organizations to create stronger risk mitigation strategies. Many organizational goals rely on adding new vendors whose software-as-a-service products enable scalability. Therefore, you need to determine where you are as well as where you want to be so that you can protect the data that grows your organization and choose vendors who align with your acceptable level of risk.
The next step in the risk analysis process requires you to look at all the places you transmit, store, or access data. This step often becomes overwhelming as you add more cloud storage locations that streamline employee workflows. Some questions to ask here might include:
Once you know what information you need to protect and where it resides, you need to review the users accessing it. Using multi-factor authentication and maintaining a “need to know” access protocol protects your information.
These questions can help you manage risks to critical information because employees lack password hygiene or decide to use the information maliciously upon employment termination.
Once you’ve completed the risk identification process, You need to review what risks you want to accept, transfer, refuse, or mitigate. To determine the acceptable level of risk, you may want to ask some questions such as:
Your information risk management (IRM) process needs to incorporate the full level of tolerances and strategies that protect your environment. In some cases, you may decide that a risk is unacceptable. For example, you may want to limit consultants from accessing your corporate networks and servers. In other instances, you may need to find ways to mitigate risks with controls such as password management or a Bring-Your-Own-Device policy.
Once you’ve set the risk tolerance, you need to define controls that manage that risk. This process is also called risk treatment. Your data ecosystem can leave you at risk for a variety of data breach scenarios, so you need to create information risk management (IRM) policies that outline your risk treatment decisions. In doing this, you need to question:
Defining your controls includes everything from establishing passwords to requiring anti-malware protection on devices that connect to your systems and networks. Creating a clearly defined risk treatment program enables a stronger security-first position since your IRM policies focus on protecting data proactively rather than reactively changing your security controls after a data event occurs.
Creating a holistic security-first approach to risk treatment and management means using IRM policies to help create a risk register. A risk register creates a tracking list that establishes a mechanism for responding to security threats. Your IRM policies, which should outline the entire risk management process, help establish the risk register by providing the list of risks monitored and a threat’s impact.
Although this process seems intuitive, the larger your environment and ecosystem, the more information you need to track. As you add vendors and business partners, you increase the risk register’s length making threat monitoring cumbersome.
SecurityScorecard continuously monitors threats to your environment across ten factors: application security, DNS health, network security, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering.
Using these ten factors, organizations can streamline the risk management process. A primary hassle for those engaging in the risk management process lies in defining risks and establishing definitions for controls that mitigate overall risk. The ten factors remove the burden of identifying both risks to the environment and ecosystem as well as controls that mitigate risk. Moreover, you can use these same ten factors to quantify your risk monitoring and reaction, as well as the security of your vendors.
SecurityScorecard’s continuous cyber monitoring tool can help alleviate bandwidth problems and help facilitate a cybersecurity program more in line with the sophisticated cyberthreat landscape.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.