New cybersecurity threats and breaches emerge each year. Even with unprecedented vulnerabilities such as Spectre and Meltdown, the approach to dealing with the risks they pose is the same as ever: sound risk management with systematic processes to assess and respond to risks. Here are considerations for cyber risk management.
Risk management is the ongoing process of identifying, assessing and responding risk. To manage risk, organizations should assess the likelihood and potential impact of an event and then determine the best approach to deal with the risks: avoid, transfer, accept, or mitigate. To mitigate risks, an organization must ultimately determine what kinds of security controls (prevent, deter, detect, correct, etc.) to apply. Not all risks can be eliminated, and no organization has an unlimited budget or enough personnel to combat all risks. Risk management is about managing the effects of uncertainty on organizational objectives in a way that makes the most effective and efficient use of limited resources.
A good risk management program should establish clear communications and situational awareness about risks. This allows risk decisions to be well informed, well considered, and made in the context of organizational objectives, such as opportunities to support the organization’s mission or seek business rewards. Risk management should take a broad view of risks across an organization to inform resource allocation, better manage risks, and enable accountability. Ideally, risk management helps identify risks early and implement appropriate mitigations to prevent incidents or attenuate their impact.
The following seven considerations when planning a risk management program.
- Culture. Leaders should establish a culture of cybersecurity and risk management throughout the organization. By defining a governance structure and communicating intent and expectations, leaders and managers ensure appropriate leadership involvement, accountability, and training. That last one is critical: ongoing training is required to maintain expertise and deal with new risks.
- Information sharing. Security is a team sport. The right stakeholders must be aware of risks, particularly of cross-cutting and shared risks, and be involved in decision making. Communication processes should include thresholds and criteria for communicating about and escalating risks. The potential business impact of cyber risks should be made clear. Information-sharing tools, such as dashboards of relevant metrics, can keep stakeholders aware and involved.
- Priorities. All organizations have limited budget and staff. To prioritize risks and responses, you need information, such as trends over time, potential impact, time horizon for impact, and when a risk will likely materialize (near term, mid term, or long term). This information will enable comparisons of risks.
- Resilience. We can’t guarantee success in protecting against all risks. Risk management must also enable continuity of critical missions during and after disruptive or destructive events, including cyber attack. Resilience is an emergent property of an entity to be able to continue to operate and perform its mission under operational stress and disruption. Many organizations use the CERT Resilience Management Model (CERT-RMM) to manage and improve their operational resilience. The model includes Risk Management as one of its 26 process areas.
- Speed. When an organization is exposed to a risk, speedy response can minimize impact. Identifying risks early helps. Incident response and recovery depend on planning and preparation for incident management. Incident management plans should be exercised periodically.
- Threat environment. Cybersecurity does not always pay enough attention to the threat environment. Organizations should improve their intelligence into adversary capabilities (consider network security sensors and other reporting) while also accounting for risks from third parties (supply chain) and insider threats. Insiders, whether malicious or inadvertent (such as phishing victims), are the cause of most security problems.
- Cyber hygiene. Implementing basic cyber hygiene practices is a good starting point for cyber risk management. Cyber hygiene focuses on basic activities to secure infrastructure, prevent attacks, and reduce risks. The Center for Internet Security (CIS) has a list of 20 Cyber security controls. The SEI recently released a baseline set of 11 cyber hygiene practices. When implementing hygiene practices, start by improving your knowledge of your own high-value services and assets. These require additional protection, including enhanced access controls and system monitoring. Read more in our blog post on cyber hygiene.
With cyber risks continuing to grow, making good risk management decisions really matters. Rushing through decision making and always saying “no” are not the right answers. A better answer is to implement a consistent risk management program. Cyber events will still happen to your organization, but it will be better prepared to deal with them.