Cybersecurity Risk Management: Frameworks, Plans, & Best Practices
In the modern landscape of cybersecurity risk management, one uncomfortable truth is clear—managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today’s most skilled teams.
Dave Hatter, a cybersecurity consultant at Intrust IT and 30 year veteran of the industry, explains, “As more of our physical world is connected to and controlled by the virtual world, and more of our business and personal information goes digital, the risks become increasingly daunting. While it has never been more important to manage cybersecurity risk, it also has never been more difficult.”
Why is managing cyber risk so much harder today than ever before?
Start with the explosion of cloud services and third-party vendors contacting sensitive data. A Ponemon Institute study estimates the average company shares confidential information with 583 third parties. IT security teams have their hands full, managing complex infrastructures full of vendor risk.
Meanwhile, organizations face a growing number of laws and regulations that govern how confidential data must be protected. Today’s enterprises are held accountable for third parties processing data on their behalf. As if handling your own risk wasn’t challenging enough—today’s organizations must manage vendor risk as well.
Don’t forget to factor in the COVID-19 pandemic with employees working remotely on unsecured networks, scrambled security protocols, and recession-driven budget and staffing cuts. Enterprises face more responsibility with fewer resources, all under the pressure of mounting regulations that come with steep penalties for non-compliance.
So, facing this multitude of obstacles, how can your organization hope to manage risk today?
It starts with building knowledge of the risk management process, identifying the critical action steps, and understanding the essential capabilities your organization will need to effectively conduct assessments and manage risk.
What is Cybersecurity Risk Management?
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats.
Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function. Regrettably, they lack the holistic perspective necessary to address risk in a comprehensive and consistent manner.
Check Out How COVID-19 is Changing Compliance Operations and How CISOs Should Respond
So, who should own what part of security risk? The short answer is everyone – shares full ownership and responsibility. However, it gets complicated when four business functions all have a horse in the race.
Each function has its agenda, often with limited understanding and empathy for others. IT leads with fresh ideas and new technologies, often viewing security and compliance as annoying roadblocks to progress. Security knows safety but is often out of touch with regulations and evolving technologies. The sales team is looking to keep their customers happy, clamoring for an efficient way to complete security audits. Compliance wants to keep everyone out of trouble with strict adherence to regulations, often operating without an in-depth understanding of security.
Effectively managing cybersecurity risk requires all functions to operate with clearly defined roles and tasked with specific responsibilities. The days of siloed departments stumbling along in disconnected confusion are over. Today’s risk landscape requires a unified, coordinated, disciplined, and consistent management solution. Below are some key risk management action components all organizations must keep in mind:
- Development of robust policies and tools to assess vendor risk
- Identification of emergent risks, such as new regulations with business impact
- Identification of internal weaknesses such as lack of two-factor authentication
- Mitigation of IT risks, possibly through training programs or new policies and internal controls
- Testing of the overall security posture
- Documentation of vendor risk management and security for regulatory examinations or to appease prospective customers
Featured Cybersecurity Risk Management Framework: NIST Cybersecurity Framework
The Cybersecurity Risk Management Process
When it comes to managing risk, organizations generally follow a four-step process beginning with identifying risk. Next, risk is assessed based on the likelihood of threats exploiting vulnerabilities and the potential impact. Risks are prioritized, with organizations choosing from a variety of mitigation strategies. The fourth step, monitoring, is structured to risk response and controls current despite a continually shifting environment.
The good news for organizations looking to assess their risk level is that plenty of help is available. The National Institute of Standards created a third-party risk management framework known as NIST Special Publication 800-30 to guide federal information system’s risk assessments. The 800-30 framework expands on the instruction of Special Publication 800-39. It is closely related to Special Publication 800-53, another third-party risk management framework that provides a catalog of security and privacy controls for federal information systems. Though NIST SP 800-30 isn’t mandatory in the private sector, it provides a helpful guide for all organizations assessing risk.
Develop a Cybersecurity Risk Management Plan
Let’s explore each step of the cybersecurity risk management process in more detail to develop a plan.
Identify Cybersecurity Risks
Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” In other words, what are the odds of an existing threat exploiting a vulnerability, and, if so, how dire would the consequences be? Risk identification is the first step in the management process. Modern security teams have their hands full with the growth of IT systems, the explosion of regulations, and the complications of COVID creating potential risks around every corner.
When you’re looking to identify risk, you must start by understanding threats, vulnerabilities, and the consequences of their convergence.
Threats are circumstances or events with the potential to negatively affect an organization’s operations or assets through unauthorized access of information systems. Threats can manifest everywhere—in the form of hostile attacks, human errors, structural or configuration failures, and even natural disasters.
Vulnerabilities can be defined as weaknesses in an information system, security procedure, internal control, or implementation that can be exploited by a threat source. Often the result of inadequate internal functions like security, vulnerabilities can also be found externally in supply chains or vendor relationships.
Consequences can best be defined as the adverse results that occur when threats exploit vulnerabilities. Their impact measures the severity of consequences, and your organization will need to estimate such costs when attempting to assess risk. Keep in mind that these costs usually come from lost or destroyed information, which can be a significant business setback for any organization.
It’s Time to Evolve Your Approach to Security Assurance
Assess Cybersecurity Risks
Risk assessments provide an excellent opportunity to emphasize the importance of security across your organization. Assessing risk allows your team to practice communication and cooperation to play a critical role in future risk management.
What is your organization’s level of risk? Assessment is the all-important step when that answer becomes clear. Start by naming all assets and prioritizing their importance. Second, identify all possible threats and vulnerabilities in your environment. At this point, address all known vulnerabilities with appropriate controls. Next, attempt to determine the likelihood of a threat event occurring and conduct an “impact analysis” to estimate its potential consequences and cost impact. Your resulting risk determination will serve as a guide to inform risk management decisions and risk response measures moving forward.
The NIST Guide for Conducting Risk Assessments discussed in Special Publication 800-30 can help your team with a four-step progression. Prepare for your assessment by clarifying your purpose, scope, constraints, and risk model/analytics to be used. Conduct your assessment to list risks by likelihood and impact for an overall risk determination. These results will be shared and drive your team’s mitigation efforts across the enterprise. Finally, this guide directs the maintenance of your assessment by continually monitoring environments.
Identify Possible Cybersecurity Risk Mitigation Measures
Identifying and assessing risk is just the beginning. What is your organization going to do about the risk you find? What will your mitigation response be for managing risk? How will you manage residual risk? History tells us the most successful risk management teams have a well-thought plan in place to guide their risk response strategy.
The all-important third step of response starts by understanding all your options for risk mitigation—your team can employ either technological or best practice methods, ideally a combination of both. Technological risk mitigation measures include encryption, firewalls, threat hunting software, and engaging automation for increased system efficiency. Best practices for risk mitigation include:
- Cybersecurity training programs
- Updating software
- Privileged access management (PAM) solutions
- Multi-factor access authentication
- Dynamic data backup
Smart organizations know to base their risk response measures and risk management posture on real data. They prioritize risks as well as mitigation solutions using concrete data from real-world applications.
That brings us to residual cybersecurity risk. This is the risk left over after applying all mitigation measures—the type of unavoidable risk you can’t do much about. You have two choices for residual risk—learn to live with it or transfer it to an insurance provider who will shoulder it for a fee. Cybersecurity insurance provides a last-ditch option for lessening residual risk and stands to become more popular as the damage cost of cyber incidents becomes easier to calculate.
Speaking of damage costs, it has become increasingly necessary for organizations to estimate these in relation to cybersecurity risk accurately. When estimating damage costs of cybersecurity risk, you need to keep three types of expenses in mind. Operational costs involve lost time or resources and are easy to calculate. Fiscal costs can include fines for non-compliance or lost income when existing clients defect or new opportunities are lost. The hardest to calculate is the reputational cost associated with breaches that violate customer privacy and trust.
Use Ongoing Monitoring
Your organization has identified, assessed, and mitigated the risks in your environment. In a perfect world, that would be enough. But as we know, change is a constant, and your team will need to monitor environments to ensure internal controls maintain alignment with IT risk.
Your organization will want to monitor:
Regulatory change- Staying abreast of all regulations and their shifts will ensure your internal controls align with outside expectations.
Vendor risk- Be sure to assess and document security and compliance controls as new vendors are on board. Remember, their shortcomings can become your headaches.
Internal IT usage- Know what technology your internal teams use and how they use it to stay ahead of potential gaps.
Standards and Frameworks That Require a Cyber Risk Management Approach
Other than NIST SP 800-53, there are several additional cybersecurity compliance standards/frameworks that contain best practices and requirements for managing cyber risk. Below are the most well-recognized frameworks:
The international standard for information security management. Clause 6.1.2 of ISO 27001 states that an information security risk assessment must:
- Establish and maintain information security risk criteria;
- Ensure that repeated risk assessments produce “consistent, valid and comparable results”;
- “identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the information security management system”;
- Identify the owners of those risks; and
- Analyze and evaluate information security risks according to the criteria established earlier.
NIST Cybersecurity Framework Version 1.1
NIST Cybersecurity Framework (CSF) contains a set of 108 recommended security actions across five critical security functions — identify, protect, detect, respond and recover. It is designed to help organizations better manage and reduce cyber risk of all types – including malware, password theft, phishing attacks, DDoS, traffic interception, social engineering, and others. Within the document’s first pillar – Identify -> Risk Assessment -> it states that “the organization understands the cybersecurity risk to organizational operations (including mission, function, image, or reputation), organizational assets, and individuals.” Specifically, it recommends organizations take the following steps:
- Identify and document asset vulnerabilities
- Tune into the latest cyber threat intelligence from information-sharing forums
- Identify and document threats, both internal and external
- Identify the potential business impacts and likelihood of risk events
- Utilize threats, vulnerabilities, likelihood, and impacts to determine risk
- Identify and prioritize risk responses
NIST CSF also has a section detailing what needs to be included within a risk management strategy, stating that “the organization’s priorities, constraints, risk tolerances, and assumptions need to be established to support operational risk decisions.” Further, the framework asks organizations to establish and implement processes to identify, assess and manage supply chain risks.
NIST Risk Management Framework
The NIST Risk Management Framework provides a process that integrates security, privacy, and cyber supply-chain risk management activities into the system development life cycle. The RFM approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. The key steps laid out in the framework include the following:
|Prepare||Essential activities to prepare the organization to manage security and privacy risks.|
|Categorize||Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems|
|Select||Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk|
|Implement||Implement the controls in the security and privacy plans for the system and organization|
|Assess||Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.|
|Authorize||Provide accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls is acceptable|
|Monitor||Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions.|
NIST has prepared multiple guides to make it easier for organizations to implement the RMF, which can be accessed on the NIST site.
See how Hyperproof can help you implement a risk management process that helps you maintain a continuously secure posture.
The Roles Internal compliance and Audit Teams Play in IT Risk Management
Risk management is a continual process that should always include re-assessment, new testing, and ongoing mitigation. Keep in mind, internal compliance and audit teams can play a significant role in controlling IT risk moving forward. Below are nine ways they can help:
Critical Capabilities for Managing IT Risk
Assessing risk has never been easy, and thanks to COVID-19 and the economic recession, conducting IT risk assessments is more challenging than ever. What capabilities will your team need to navigate these current challenges?
Glad you asked. Below we leave you with some critical capabilities your organization will need to conduct IT assessments and effectively manage risk today.
Collaboration and Communication Tools
As teams across the enterprise participate in risk assessment and mitigation phases, they will need the tools for effective communication. These tools should provide a clear conversation record for team members in different locations, time zones, or countries.
Risk Management Frameworks
Be sure your team takes full advantage of third-party risk management frameworks like NIST Special Publication 800-30 to guide risk assessment and management. These third-party frameworks can help audit teams perform a swifter, more precise gap analysis between compliance requirements and current operations.
This versatile tool can help with root cause analysis and the predictive analysis of emerging risks.
Single Data Repository
Here, risk, compliance, and security professionals can store risk assessments, test results, documentation, and other relevant information.
Issues Management Tools
These instruments organize assignments of specific mitigation steps and automate reminders to complete tasks in a timely fashion. They also notify senior executives if tasks don’t complete.
The flexibility to present IT risk management reports to business unit leaders and senior executives in the most desired and usable format.
Managing risk across the enterprise is harder than ever today. Modern security landscapes change frequently, and the explosion of third-party vendors, evolving technologies, and a continually expanding mine-field of regulations challenge organizations. The COVID-19 pandemic and recession have further raised the bar for security and compliance teams by creating more responsibility while diminishing resources.
With this backdrop, it’s become critically important for your organization to employ a Risk Management Process. Identify and assess to create your risk determination, then choose a mitigation strategy and continually monitor your internal controls to align with risk. Keep in mind, re-assessment, new testing, and ongoing mitigation should always play a prominent role in any risk management initiative.
In the final analysis, there’s no rest in the modern pursuit of risk management. It hardly seems fair in a climate of continuous and unparalleled change, with threats and vulnerabilities multiplying by the minute. However, with the help of analytics, collaboration/communication/issue management tools, and third-party risk management frameworks, smart and successful organizations will continue to hold their own in the battle to manage IT risk and maintain security across the enterprise.
Get the Latest on Compliance Operations.
Mark Knowles is a freelance content marketing writer specializing in articles, e-books, and whitepapers on cybersecurity, automation, and artificial intelligence. Mark has experience creating fresh content, engaging audiences, and establishing thought leadership for many top tech companies. He is based in the sunny state of Arizona but enjoys traveling the world and writing remotely.