Evolution of Cybersecurity Risk Management
Posted on Nov 2018 by Mark Coderre
In our increasingly connected world, the threat landscape and the business risks it creates present unprecedented challenges.
Within the next three years, the number of connected IoT devices is expected to reach 30 billion. According to the Boston Consulting Group, banks face 200 regulatory changes daily, while penalties for cyber threats rise to $345 billion. The average business enterprise uses 1,427 cloud services, 76 of them file-sharing services and 210 of them collaboration services, according to SkyHigh Magazine. A recent Hacker's Playbook Findings Report reveals that malware attacks succeed against enterprise security controls more than 60% of the time.
With constant security threats looming, enterprises must find a way to identify and address the risks. But how can this be done successfully when the IT landscape is continuously evolving?
Businesses must drive risk transformation
New security analytics built on big data, machine learning, artificial intelligence and behavioral analytics can support inherent risk probability analysis. Enterprises will need to evaluate operational risk, cyber risk and compliance risk collectively and continuously at the enterprise level, in line with Gartner's newly defined "Integrated Risk Management" capabilities. This creates a need to quantitatively measure current and future risks, and the effects of the various risk treatment approaches, including prioritization and funding.
We know there is a long way to go in cyber risk management, and enterprises often find it difficult to launch and sustain their programs effectively. At TUV Rheinland OpenSky we have heard all kinds of stories from the field, including those that follow.
How do you make decisions on security investments?
- Control assessment gap: Picking a framework of controls, checking whether each control exists anywhere in the organization, and marking it red/yellow/green.
- Audit punishment alone: While audit has an excellent sense of control measures, it is not tied closely enough into the daily world of threat events to determine a control's effectiveness and applicability across the enterprise.
- SES (someone else's strategy): Early-career security leaders will naturally seek advice from mentors; while helpful, that advice may not align with the key controls for the firm's own unique set of strategic objectives.
How do you select your key controls and evaluate effectiveness?
- What are key controls?: Frequently, key controls are defined from a Sarbanes-Oxley or other compliance perspective on risk, rather than from the advanced, persistent nature of the threats to your assets.
- We have meetings once a quarter: Quarterly meetings to discuss key controls are a good practice, but what decision framework is used to bring information into that decision process?
- Effectiveness is an audit call: But the scope of a control determines where its effectiveness should be measured, and setting that scope is a role for the risk function.
Is there a preferred management framework?
Many experts in our industry agree on the following preferred risk management frameworks:
- NIST Cybersecurity Framework
- COBIT by ISACA
- The Impact Probability Quadrant (see below)
With risk management decisions all over the place, how do we solve those problems?
It is important to set the stage for cyber risk prioritization and quantification by knowing what your potential loss scenarios are, given your business objectives and digital strategies. With a properly established and maintained risk register you can identify cyber key controls based on real-life threat events, and you can refocus precious resources on corporate objectives by protecting critical assets and actively monitoring residual risks. This is true risk management, as opposed to reacting to gaps in a control assessment, although it does require new skills and energy. For true risk management, regulatory frameworks, control framework conformance and internal control questionnaires need to be optimized around it.
A better way to assess risk
Factor Analysis of Information Risk (FAIR) is a proven methodology that speaks the language of the business and helps you prioritize what matters most in risk management. It is available both as an open standard and in commercial platforms, and it can be applied even in the "absence of data," because its inputs are calibrated estimates expressed as ranges rather than precise point values.
The principal concepts of FAIR analysis are as follows:
- Precision versus accuracy
- Possibility versus probability
- Subjectivity versus objectivity
These FAIR concepts will be examined in a future blog post. In this post we have shown that risk assessments can be re-tooled by making them business focused, using a standardized risk taxonomy to produce consistent risk register statements, keeping them threat oriented and consistent, and aligning them better to fill control gaps.
The FAIR methodology applies to all sectors and to organizations of all sizes, regardless of budget and regulatory landscape. It focuses on the organization's threat profile as it relates to corporate objectives and critical assets. It instills the concepts of key controls, investment rationalization and board reporting, and it promotes organizational consensus on security priorities.
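To show what "quantitatively measure current and future risks and the effects of various risk treatment approaches" looks like in FAIR terms, here is an added Python example; it is not code from the original post, from TUV Rheinland OpenSky, or from the FAIR standard itself. It takes FAIR's two top-level factors, Loss Event Frequency and Loss Magnitude, each as a calibrated minimum / most-likely / maximum range rather than a point estimate, and samples them with a triangular distribution (an assumption made for simplicity; FAIR tooling commonly uses PERT). The scenario names, loss figures and control cost are all constructed for the illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added illustration; not code from the original post, TUV Rheinland OpenSky,
or the FAIR standard. FAIR's top-level factors are Loss Event Frequency (LEF,
loss events per year) and Loss Magnitude (LM, loss per event); annual loss is
their product. Lacking hard data, each factor is a calibrated estimate given
as a (minimum, most likely, maximum) range. Sampling those ranges from a
triangular distribution is an assumption made here for simplicity (FAIR
tooling commonly uses PERT). Every figure below is constructed for the example.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One risk-register loss scenario expressed in FAIR terms."""
    name: str
    lef: Estimate   # loss events per year
    lm: Estimate    # loss per event, in currency units


def simulate_annual_loss(scenario: Scenario, trials: int = 20_000, seed: int = 1) -> list[float]:
    """One simulated annual loss per trial: sampled LEF times sampled LM.

    Simplification (assumption): a fractional LEF is treated as a rate rather
    than drawing an integer event count and summing per-event losses.
    """
    rng = random.Random(seed)   # fixed seed so a run is reproducible
    return [scenario.lef.sample(rng) * scenario.lm.sample(rng) for _ in range(trials)]


def percentile(values: list[float], q: float) -> float:
    """Linear-interpolated percentile, q in [0, 1]."""
    s = sorted(values)
    k = (len(s) - 1) * q
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def summarize(losses: list[float]) -> dict[str, float]:
    """Report a range (p10/p50/p90) plus the mean, not one point estimate:
    the 'accuracy over precision' idea in FAIR."""
    return {
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
    }


def prioritize(scenarios: list[Scenario], trials: int = 20_000) -> list[tuple[str, float]]:
    """Rank risk-register entries by mean ALE, highest first."""
    ranked = [(s.name, summarize(simulate_annual_loss(s, trials))["mean"]) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def treatment_value(baseline: Scenario, treated: Scenario, annual_control_cost: float,
                    trials: int = 20_000) -> dict[str, float]:
    """Compare ALE before and after a key control; net benefit informs funding."""
    before = summarize(simulate_annual_loss(baseline, trials))
    after = summarize(simulate_annual_loss(treated, trials))
    reduction = before["mean"] - after["mean"]
    return {
        "ale_before": before["mean"],
        "ale_after": after["mean"],
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed scenarios (not real figures): ransomware on file servers before
# and after funding EDR plus offline backups, and a business email compromise
# (BEC) wire-fraud scenario for the prioritization step.
RANSOMWARE = Scenario("Ransomware on file servers",
                      lef=Estimate(0.2, 0.5, 1.5),
                      lm=Estimate(200_000, 750_000, 3_000_000))
RANSOMWARE_TREATED = Scenario("Ransomware on file servers (EDR + offline backups)",
                              lef=Estimate(0.1, 0.3, 0.8),
                              lm=Estimate(50_000, 200_000, 800_000))
BEC = Scenario("Business email compromise / wire fraud",
               lef=Estimate(1.0, 3.0, 8.0),
               lm=Estimate(10_000, 60_000, 250_000))
CONTROL_COST = 150_000  # assumed annual cost of the ransomware treatment


if __name__ == "__main__":
    for name, ale in prioritize([RANSOMWARE, BEC]):
        print(f"{name}: mean ALE {ale:,.0f}")
    print(summarize(simulate_annual_loss(RANSOMWARE)))
    print(treatment_value(RANSOMWARE, RANSOMWARE_TREATED, CONTROL_COST))
```

The point of reporting p10/p50/p90 instead of a single number is the "precision versus accuracy" principle: a wide but honest range that contains the true loss is more useful to a board than a precise figure that does not. The same ranges, re-run after a proposed control, give the investment-rationalization view, and ranking scenarios by their simulated ALE is what a risk-register-driven prioritization looks like in practice.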
In our next blog post we will discuss how FAIR-based risk programs truly thrive when embedded in a continual process framework such as ISO 31000. To get support for your risk management and FAIR initiatives, see our Risk Management services.