Chances are your organization is either working feverishly to field a cyber risk management program or improve your current program to make it more efficient. The recognition of the importance of risk-based security appears consistent across organizations. A 2013 Ponemon and Tripwire study reported that 81 percent of security and risk professionals in the US said their organizations had a significant or very significant commitment to risk-based security management. Unfortunately, the same study said that only 29 percent of those respondents felt their organization had a formal security risk management strategy that was applied consistently across the enterprise.
There are many challenges with implementing a cyber risk management program. These challenges may differ if the organization is starting a program from scratch, working to incorporate cyber risk into an already established risk program or perhaps working to transition from a compliance-based security program. No matter where your organization sits in this spectrum, there are some key actions that can be taken to strengthen an organization’s risk posture.
Incorporate cyber risk into the organization’s existing risk program
Although many organizations already have an existing risk program, it is not uncommon to find a cyber risk program started and managed external to that structure. Often times this is due to the cyber risk effort evolving from the organization’s cybersecurity program. This does provide the benefit of a great deal of technical expertise but at the detriment of risk and line-of-business expertise. The result is misunderstood or poorly developed risk tolerances that do not align with business objectives and the organization’s inability to properly prioritize risk mitigation actions across the organization.
The key here is to arrive at a structure that has, or at least is based upon, a single, common language, risk tolerance criteria and risk catalog/register. The structure needs to include risk managers, security managers and business unit executives. Organizing the cyber risk program at this higher organizational level and out of IT can also aid in developing a cyber-aware culture in the organization.
Focus on the correct assets
The first major component of any risk methodology is identification. An organization’s specific risk methodology may refer to this step as resource profiling, information system categorization, identification of IT services or something else entirely. The goal, however, is the same—identification of those information assets that must be secured to meet business objectives. If you do not know what is important, not only will you not know what to focus your defenses on, but you will have a harder time justifying a risk assigned to an asset. This discussion should not start with routers and servers, but with the information and services upon which the business depends. Once those are defined, prioritized and agreed upon, then IT can begin cataloging the relevant critical hardware and software. Few organizations have sufficient resources to implement all desired security practices. Identifying critical assets first focuses your risk program and your scarce resources. Doing this wrong could mean cyber risk ends up being defined in terms of compliance and will impact criticality of the asset at risk.
Expand the use of non-technical controls
On one hand, it only makes sense that technology seems to have become the default answer when protecting information assets. The variety and effectiveness of technical solutions available for consideration have never been greater than they are today. Unfortunately, this focus has come at the cost of neglecting the human layer of our information systems. Focused, recurring awareness training and exercises, behavior management, and incentivizing desired actions can build an organization’s workforce’s ability to prevent, accurately detect, and quickly react to cyber incidents.
I have only just begun to touch on these considerations for more effective cyber risk management. I will be diving deeper and looking forward to the dialog during my presentation at the CSX North America 2015 Conference. Hope to see you there.
Douglas Rausch, CISSP
President, Aurora CyberSecurity Consultants, Inc.