In the modern landscape of cybersecurity risk management, one uncomfortable truth is clear — managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today’s most skilled teams.
Dave Hatter, a cybersecurity consultant at Intrust IT and 30-year veteran of the industry, explains, “As more of our physical world is connected to and controlled by the virtual world, and more of our business and personal information goes digital, the risks become increasingly daunting. While it has never been more important to manage cybersecurity risk, it also has never been more difficult.”
Why is managing cyber risk so much more complex today than ever before?
Start with the explosion of cloud services and third-party vendors contacting sensitive data. A Ponemon Institute study estimates the average company shares confidential information with 583 third parties. IT security teams have their hands full, managing complex infrastructures full of vendor risk.
Meanwhile, organizations face a growing number of laws and regulations that govern how confidential data must be protected. Today’s enterprises are held accountable for third parties processing data on their behalf. As if handling your own risk wasn’t challenging enough, today’s organizations must also manage vendor risk.
Don’t forget to factor in the COVID-19 pandemic with employees working remotely on unsecured networks, scrambled security protocols, and recession-driven budget and staffing cuts. Enterprises face more responsibility with fewer resources, all under the pressure of mounting regulations that come with steep penalties for non-compliance.
So, facing this multitude of obstacles, how can your organization hope to manage risk today?
It starts with building knowledge of the risk management process, identifying the critical action steps, and understanding the essential capabilities your organization will need to conduct assessments and manage risk effectively
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats.
Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function. Regrettably, they lack the holistic perspective necessary to address risk in a comprehensive and consistent manner.
So, who should own what part of security risk? The short answer is everyone – shares full ownership and responsibility. However, it gets complicated when four business functions all have a horse in the race.
Each function has its agenda, often with limited understanding and empathy for others. IT leads with fresh ideas and new technologies, often viewing security and compliance as annoying roadblocks to progress. Security knows safety but is often out of touch with regulations and evolving technologies. The sales team is looking to keep their customers happy, clamoring for an efficient way to complete security audits. Compliance wants to keep everyone out of trouble with strict adherence to regulations, often operating without an in-depth understanding of security.
Effectively managing cybersecurity risk requires all functions to operate with clearly defined roles and be tasked with specific responsibilities. The days of siloed departments stumbling along in disconnected confusion are over. Today’s risk landscape requires a unified, coordinated, disciplined, and consistent management solution. Below are some key risk management action components all organizations must keep in mind:
Featured Cybersecurity Risk Management Framework: NIST Cybersecurity Framework
When it comes to managing risk, organizations generally follow a four-step process beginning with identifying risk. Next, risk is assessed based on the likelihood of threats exploiting vulnerabilities and the potential impact. Risks are prioritized, with organizations choosing from a variety of mitigation strategies. The fourth step, monitoring, is structured to risk response and controls current despite a continually shifting environment.
The good news for organizations looking to assess their risk level is that plenty of help is available. The National Institute of Standards created a third-party risk management framework known as NIST Special Publication 800-30 to guide federal information system’s risk assessments. The 800-30 framework expands on the instruction of Special Publication 800-39.
It is closely related to Special Publication 800-53, another third-party risk management framework that provides a catalog of security and privacy controls for federal information systems. Though NIST SP 800-30 isn’t mandatory in the private sector, it provides a helpful guide for all organizations assessing risk.
Let’s explore each step of the cybersecurity risk management process in more detail to develop a plan.
Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” In other words, what are the odds of an existing threat exploiting a vulnerability, and if so, how dire would the consequences be? Risk identification is the first step in the management process. Modern security teams have their hands full with the growth of IT systems, the explosion of regulations, and the complications of COVID, creating potential risks around every corner.
When looking to identify risk, you must start by understanding threats, vulnerabilities, and the consequences of their convergence.
Threats are circumstances or events with the potential to negatively affect an organization’s operations or assets through unauthorized access of information systems. Threats can manifest everywhere — in the form of hostile attacks, human errors, structural or configuration failures, and even natural disasters.
Vulnerabilities can be defined as weaknesses in an information system, security procedure, internal control, or implementation that a threat source can exploit. Often due to inadequate internal functions like security, vulnerabilities can also be found externally in supply chains or vendor relationships.
Consequences can best be defined as the adverse results that occur when threats exploit vulnerabilities. Their impact measures the severity of consequences, and your organization will need to estimate such costs when attempting to assess risk. Keep in mind that these costs usually come from lost or destroyed information, which can be a significant business setback for any organization.
Risk assessments provide an excellent opportunity to emphasize the importance of security across your organization. Assessing risk allows your team to practice communication and cooperation to play a critical role in future risk management.
What is your organization’s level of risk? Assessment is the all-important step when that answer becomes clear. Start by naming all assets and prioritizing their importance. Second, identify all possible threats and vulnerabilities in your environment. At this point, address all known vulnerabilities with appropriate controls. Next, attempt to determine the likelihood of a threat event occurring and conduct an “impact analysis” to estimate its potential consequences and cost impact. Your resulting risk determination will serve as a guide to inform risk management decisions and risk response measures moving forward.
The NIST Guide for Conducting Risk Assessments discussed in Special Publication 800-30 can help your team with a four-step progression. Prepare for your assessment by clarifying your purpose, scope, constraints, and risk model/analytics to be used. Conduct your assessment to list risks by likelihood and impact for an overall risk determination. These results will be shared and drive your team’s mitigation efforts across the enterprise. Finally, this guide directs the maintenance of your assessment by continually monitoring environments.
Identifying and assessing risk is just the beginning. What is your organization going to do about the risk you find? What will your mitigation response be for managing risk? How will you manage residual risk? History tells us the most successful risk management teams have a well-thought plan in place to guide their risk response strategy.
The all-important third step of response starts by understanding all your options for risk mitigation — your team can employ either technological or best practice methods, ideally a combination of both. Technological risk mitigation measures include encryption, firewalls, threat hunting software, and engaging automation for increased system efficiency. Best practices for risk mitigation include:
Smart organizations know to base their risk response measures and risk management posture on real data. They prioritize risks as well as mitigation solutions using concrete data from real-world applications.
That brings us to residual cybersecurity risk. This is the risk left over after applying all mitigation measures — the type of unavoidable risk you can’t do much about. You have two choices for residual risk — learn to live with it or transfer it to an insurance provider who will shoulder it for a fee. Cybersecurity insurance provides a last-ditch option for lessening residual risk and stands to become more popular as the damage cost of cyber incidents becomes easier to calculate.
Speaking of damage costs, it has become increasingly necessary for organizations to estimate these in relation to cybersecurity risk accurately. When estimating damage costs of cybersecurity risk, you need to consider three types of expenses. Operational costs involve lost time or resources and are easy to calculate. Fiscal costs can include fines for non-compliance or lost income when existing clients defect or new opportunities are lost. The reputational cost associated with breaches that violate customer privacy and trust is the hardest to calculate.
Your organization has identified, assessed, and mitigated the risks in your environment. In a perfect world, that would be enough. But as we know, change is a constant, and your team will need to monitor environments to ensure internal controls maintain alignment with IT risk.
Your organization will want to monitor:
Regulatory change– Staying abreast of all regulations and their shifts will ensure your internal controls align with outside expectations.
Vendor risk– Be sure to assess and document security and compliance controls as new vendors are on board. Remember, their shortcomings can become your headaches.
Internal IT usage– Know what technology your internal teams use and how they use it to stay ahead of potential gaps.
Other than NIST SP 800-53, several additional cybersecurity compliance standards/frameworks contain best practices and requirements for managing cyber risk. Below are the most well-recognized frameworks:
The international standard for information security management. Clause 6.1.2 of ISO 27001 states that an information security risk assessment must:
NIST Cybersecurity Framework (CSF) contains a set of 108 recommended security actions across five critical security functions — identify, protect, detect, respond and recover. It is designed to help organizations better manage and reduce cyber risk of all types – including malware, password theft, phishing attacks, DDoS, traffic interception, social engineering, and others.
Within the document’s first pillar – Identify -> Risk Assessment -> it states that “the organization understands the cybersecurity risk to organizational operations (including mission, function, image, or reputation), organizational assets, and individuals.” Specifically, it recommends organizations take the following steps:
NIST CSF also has a section detailing what needs to be included within a risk management strategy, stating that “the organization’s priorities, constraints, risk tolerances, and assumptions need to be established to support operational risk decisions.” Further, the framework asks organizations to establish and implement processes to identify, assess and manage supply chain risks.
The NIST Risk Management Framework provides a process that integrates security, privacy, and cyber supply-chain risk management activities into the system development life cycle. The RFM approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization, regardless of size or sector. The key steps in the framework include the following:
Step | Purpose |
Prepare | Essential activities to prepare the organization to manage security and privacy risks. |
Categorize | Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems |
Select | Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk |
Implement | Implement the controls in the security and privacy plans for the system and organization |
Assess | Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. |
Authorize | Provide accountability by requiring a senior official to determine if the security and privacy risk based on the system’s operation or the use of common controls is acceptable |
Monitor | Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. |
NIST has prepared multiple guides to make it easier for organizations to implement the RMF, which can be accessed on the NIST site.
Risk management is a continual process that should always include re-assessment, new testing, and ongoing mitigation. Keep in mind that internal compliance and audit teams can significantly control IT risk moving forward. Below are nine ways they can help:
Assessing risk has never been easy, and thanks to COVID-19 and the economic recession, conducting IT risk assessments is more challenging than ever. What capabilities will your team need to navigate these current challenges?
Glad you asked. Below, we leave you with some critical capabilities your organization will need to conduct IT assessments and effectively manage risk today.
As teams across the enterprise participate in risk assessment and mitigation phases, they will need the tools for effective communication. These tools should provide a clear conversation record for team members in different locations, time zones, or countries.
Be sure your team takes full advantage of third-party risk management frameworks like NIST Special Publication 800-30 to guide risk assessment and management. These third-party frameworks can help audit teams perform a swifter, more precise gap analysis between compliance requirements and current operations.
This versatile tool can help with root cause analysis and the predictive analysis of emerging risks.
Here, risk, compliance, and security professionals can store risk assessments, test results, documentation, and other relevant information.
These instruments organize assignments of specific mitigation steps and automate reminders to complete tasks promptly. They also notify senior executives if tasks don’t complete.
The flexibility to present IT risk management reports to business unit leaders and senior executives in the most desired and usable format.
Managing risk across the enterprise is harder than ever today. Modern security landscapes change frequently, and the explosion of third-party vendors, evolving technologies, and a continually expanding mine-field of regulations challenge organizations. The COVID-19 pandemic and recession have further raised the bar for security and compliance teams by creating more responsibility while diminishing resources.
With this backdrop, it’s become critical for your organization to employ a Risk Management Process. Identify and assess to create your risk determination, then choose a mitigation strategy and continually monitor your internal controls to align with risk. Keep in mind that re-assessment, new testing, and ongoing mitigation should always play a prominent role in any risk management initiative.
In the final analysis, there’s no rest in the modern pursuit of risk management. It hardly seems fair in a climate of continuous and unparalleled change, with threats and vulnerabilities multiplying by the minute. However, with the help of analytics, collaboration/communication/issue management tools, and third-party risk management frameworks, smart and successful organizations will continue to hold their own in the battle to manage IT risk and maintain security across the enterprise.
The post Cybersecurity Risk Management: Frameworks, Plans, & Best Practices appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Mark Knowles. Read the original post at: https://hyperproof.io/resource/cybersecurity-risk-management-process/