Cybersecurity risk is a moving target which literally changes from day to day. New attack vectors, zero days and other types of threats change on a constant basis. This is why you need to have an agile risk management program in place, one which is built on a risk framework that adapts to this changing environment and has built in processes to address and mitigate new risks.
Various frameworks for risk management like the NIST CSF, CIS Top 20 and ISO 27001, as well as new cyber risk management platforms, are being used to help enterprises measure risk throughout their organization. Taking the NIST CSF as an example, the framework comprises five functions: Identify, Protect, Detect, Respond and Recover.
Below these functions are categories and sub-categories fed by controls and enhancements, which help quantify the risks. But if you have just started thinking about your cybersecurity risk management process and are looking for some quick-start tips on what to focus on, the following five considerations should be included as you start to build your plan.
Using these fundamental points, you will be able to start addressing some burning issues that are best dealt with as soon as possible. So here are my top 5 guidelines on cyber risk management to take into account when building a cybersecurity risk management program.
Cyber Culture Hygiene and Best Practices
People are the weakest link. We've heard that repeated many, many times, in particular around cybersecurity breaches. This is not a cliché; it is reality. Ensuring that your internal staff is both aware of and practicing good cyber hygiene is a critical and essential piece of a sound, strong cybersecurity risk management program.
Conducting training and awareness programs internally, even before the program is fully matured, is a welcome practice and will always be a critical part of the program later on, so you may as well get started as soon as possible.
Centraleyes has created a security awareness framework, allowing organizations to quickly quantify and train their employees and implement best practices around cyber hygiene. One training session like this can raise the level of awareness throughout the entire organization, making the employees much more aware of the threats that are out there.
Don’t underestimate how effective this can be; it could easily supersede the deployment of more security tools. If even just one breach is averted as a result of the training, you have saved the organization millions of dollars and the ROI is simply a no-brainer.
Know Your Business
One of the biggest challenges in risk management is that there is no cookie-cutter solution. Every organization is different, with different priorities and business lines, so each company requires a customized risk approach that best fits its environment.
Connecting cybersecurity and risk management is not always as simple as it may seem. For example, if you are a retailer you are going to have very different business lines and assets to protect versus an energy company or a bank. Identifying and prioritizing your business assets is a fundamental first step in setting up the cybersecurity risk management program.
Once you have identified those assets, you know what you need to protect most, and you will ensure, through a methodical prioritization process, that the defenses align with this prioritization. This will help keep the cybersecurity risk management processes effective for your organization and will have a critical impact on the success and sustainability of the program.
Don’t Guess, Use a Framework
Picking a risk management framework is a best practice in order to create structure and thoroughness in your risk assessments. Adapting this framework to your environment and adjusting it is also perfectly fine, but it is always best to start with an industry accepted framework like the NIST CSF, ISO 27001 or the CIS top 20. These frameworks do not just serve as a checklist, but also help create structure on how to think about the areas you are trying to defend.
If we look at the NIST CSF again as an example, with its five function areas of Identify, Protect, Detect, Respond and Recover, you can see that two out of the five areas are focused on a post-breach scenario, where you have already been infiltrated by a bad actor and the question now is, “How ready are you?”
That fundamental approach, where you accept that you may be breached and prepare for the day after, may actually be what saves you in the end, as we live in a world where there is no 100% protection. This forward-thinking approach is one of the reasons to use a framework, where many smart and well-experienced professionals have already put a lot of thought into this for you.
Another reason why adopting a framework is a good practice is alignment with stakeholders. You will often find yourself working with 3rd parties, clients, investors and board members, all of whom can benefit from alignment around a common and accepted framework. This alignment of your cybersecurity and risk management processes builds confidence and awareness around the effort you are putting in and the positive impact of your work. An old mentor once told me, it’s not only about what you are doing, but also how you communicate all that good work.
Through automation you are able to do what was once impossible. Large enterprises have the luxury of more people and more capital to address challenges in the manual environment that exists in the cybersecurity risk management world today. But in the mid-market, where being short on staff is a built-in axiom, we must rely on automation tools that can replace people and manual processes.
Fortunately, there are a few cyber risk management platforms that do this really well and help automate and orchestrate a lot of the manual management processes. This can include the automatic collection of data from multiple sources including surveys, APIs and external threat intelligence from big data sources on the dark web and public web.
Following the collection of data, the next step is what we do with this data: the analysis. Automation of the analysis can provide both quantification of risks in scores and visualization of the results. Some tools do parts of what I have just described, but only a few unique tools take the results to the next stage: the creation of remediation tasks.
Here you should be looking for a cyber risk management platform that does not just leave you with a list of problems, but rather with an actionable list of next steps and a way to manage and prioritize them.
3rd Party Risk is Real
Vendor risk management is not a nice-to-have; your vendors are an extension of your organization. Your vendors are often a part of your core business and supply chain, which means a single attack on them is potentially a single attack on you, and this can be detrimental to your organization.
Creating a vendor risk program should be an essential part of your internal risk management program. Sometimes it’s also mandated by compliance requirements you have to meet. When doing this for just a handful of vendors, a spreadsheet is enough to get started, but it is highly recommended that you move this into an automated risk management platform quickly, as you will find yourself with tens and possibly hundreds of vendors quite fast.
When creating the program, think about how you combine self-attestation with external threat intelligence and live perimeter scanning of your vendors’ environments. With this data you will want to create an impact score and a probability score, which together make up your risk score. Here you will want to tier the vendors into 3 or 4 tiers so you can prioritize the high-risk vendors and work accordingly to lower their risks. You will want to automate as much of this as possible and as early as possible, as having this program in place will allow you to save a tremendous amount of time later, as you scale your business and continuously monitor and maintain a tolerable level of vendor risk.
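A minimal worked version of the scoring and tiering just described, added here as an example; it is not Centraleyes' scoring method or code from the original post. The evidence weights, caps, impact weights, tier thresholds and the three sample vendors are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed weights, caps and thresholds: assumptions for this example only.
IMPACT_WEIGHTS = {"core_business": 3, "supply_chain": 2, "handles_pii": 3, "network_access": 2}
TIERS = [(60, "Tier 1 (critical)"), (40, "Tier 2 (high)"), (20, "Tier 3 (medium)"), (0, "Tier 4 (low)")]

@dataclass
class Vendor:
    name: str
    attested_controls: int   # controls the vendor self-attested as implemented
    total_controls: int      # controls asked about in the questionnaire
    threat_intel_hits: int   # external findings (e.g. leaked credentials, dark-web mentions)
    perimeter_findings: int  # open high/critical findings from external perimeter scanning
    flags: set               # subset of IMPACT_WEIGHTS keys that apply to this vendor

def probability(v: Vendor) -> float:
    """0..100 likelihood estimate combining the three evidence sources."""
    attest_gap = 1 - v.attested_controls / v.total_controls  # 0 = fully attested
    intel = min(v.threat_intel_hits, 5) / 5                   # capped so one noisy source cannot dominate
    scan = min(v.perimeter_findings, 5) / 5
    return 100 * (0.4 * attest_gap + 0.3 * intel + 0.3 * scan)

def impact(v: Vendor) -> float:
    """0..100 business impact derived from the vendor's role and access."""
    return 100 * sum(IMPACT_WEIGHTS[f] for f in v.flags) / sum(IMPACT_WEIGHTS.values())

def risk_score(v: Vendor) -> float:
    # both factors are 0..100, so normalise the product back to a 0..100 score
    return round(impact(v) * probability(v) / 100, 1)

def tier(score: float) -> str:
    for threshold, label in TIERS:
        if score >= threshold:
            return label

def prioritize(vendors):
    """Return (name, score, tier) tuples, highest risk first."""
    scored = [(v.name, risk_score(v), tier(risk_score(v))) for v in vendors]
    return sorted(scored, key=lambda t: t[1], reverse=True)

SAMPLE = [  # constructed sample vendors
    Vendor("PayProc", 14, 20, 3, 4, {"core_business", "handles_pii", "network_access"}),
    Vendor("OfficeSnacks", 5, 20, 0, 1, set()),
    Vendor("CloudHost", 19, 20, 1, 0, {"core_business", "supply_chain", "handles_pii", "network_access"}),
]

if __name__ == "__main__":
    for name, score, label in prioritize(SAMPLE):
        print(f"{name:<14}{score:>6}  {label}")
```

Note how the low-impact vendor with weak self-attestation still lands in the lowest tier, while the payment processor with open perimeter findings and external intel hits rises to the top of the work queue.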