Posted in Mission Assurance
Each year brings new cybersecurity threats, breaches, and previously unknown vulnerabilities in established systems. Even with unprecedented vulnerabilities such as Spectre and Meltdown, the approach to dealing with the risks they pose is the same as ever: sound risk management with systematic processes to assess and respond to risks. This post offers seven considerations for cyber risk management.
The International Organization for Standardization (ISO) defines risk as the "effect of uncertainty on objectives." Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should assess the likelihood and potential impact of an event and then determine the best approach to deal with the risks: avoid, transfer, accept, or mitigate. To mitigate risks, an organization must ultimately determine what kinds of security controls (prevent, deter, detect, correct, etc.) to apply. Not all risks can be eliminated, and no organization has an unlimited budget or enough personnel to combat all risks. Risk management is about managing the effects of uncertainty on organizational objectives in a way that makes the most effective and efficient use of limited resources.
A good risk management program should establish clear communications and situational awareness about risks. This allows risk decisions to be well informed, well considered, and made in the context of organizational objectives, such as opportunities to support the organization's mission or seek business rewards. Risk management should take a broad view of risks across an organization to inform resource allocation, better manage risks, and enable accountability. Ideally, risk management helps identify risks early and implement appropriate mitigations to prevent incidents or attenuate their impact.
Most risk management standards, such as those from ISO, COSO, and NIST, share a common set of key processes. In its best practices for an enterprise risk management program, the Government Accountability Office (GAO) identified six essential elements:
The first element, aligning enterprise risk management to goals and objectives, sets the foundation for the program by establishing the three pillars of enterprise cyber risk management: governance, risk appetite, and policy and procedure. Governance should include a body of risk-decision experts and decision makers using a framework of risk management processes that ensure engagement by key stakeholders (leaders, Authorizing Officials, and Risk Committee). Appetite for risks should be aligned to organizational goals and objectives. Policies and procedures communicate risk management expectations, risk definitions, and guidance throughout the enterprise. Once the risk management program is running, the remaining five elements continuously manage risk.
The following seven topics are well worth considering when planning a risk management program.
With cyber risks continuing to grow, making good risk management decisions really matters. Rushing through decision making and always saying "no" are not the right answers. A better answer is to implement a consistent risk management program. Cyber events will still happen to your organization, but it will be better prepared to deal with them.
Visit the SEI Digital Library for other publications by David.