Cybersecurity Risk Management – A Blog Series: Part 1
In 2013, then US President Obama directed NIST to develop a framework that would become an authoritative source for cybersecurity best practices. Other countries around the world have similar standards or are actively working on local versions. In some countries, such as France, these standards carry the weight of law.
These cybersecurity standards create an ordered, structured approach to addressing cybersecurity challenges. They help translate vague, fear-based concerns about cybersecurity into commonsense risk analysis, risk tolerance, and risk avoidance.
By moving the discussion away from an imprecise “fear of attack”, a rational discussion can take place that has a positive impact on the organization’s bottom line. Effectively, the topic of conversation shifts from fear and uncertainty about cybersecurity to one defined more precisely by the potential outcomes should the risks behind those fears be realized.
Cybersecurity defenses strive to mitigate cyber threats that could harm operations, assets, and individuals. The resulting damage can take the form of financial loss, intellectual property loss, loss of privacy, and loss of reputation. All of these affect an organization’s ability to execute on its primary mission (usually, but not always, financial profit).
Cybersecurity risk is just one of the factors in the overall risk picture that feeds into an organization’s business risk management strategy. Cybersecurity risk, like all risks, cannot be entirely eliminated; instead, it must be managed through informed decision-making processes. The objective of a cybersecurity program is to reduce the probability and the impact of a cyber-event on an organization’s operations, assets, and individuals. A balanced, informed decision-making process for cyber risk management will have a positive effect on the business’ bottom line.
The set of core cybersecurity practices necessary in our industry is well known. However, barriers to adoption still exist. Largely, these obstacles stem from a poor understanding of the risks at hand and of an organization’s ability to resist them. Despite the existence of regulatory and risk management incentives, companies that address cybersecurity effectively are still rare. It is time to change the conversation away from the fear of a cyber-attack to something understood in all boardrooms – the bottom line.
Know and understand your organization’s cybersecurity position. Know and understand your organization’s appetite for risk. With these two pieces of information, you begin to understand the difference between where you are today in managing cyber risks and how large the gap is that you need to close. It is here that a strategy to improve your company’s cybersecurity readiness through a comprehensive security risk management program affects the bottom line.
- Locate responsibility for cybersecurity in your organization, so that decision making, execution, and incident response are efficient and successful. This step assesses your risk management workflows and specifies the cybersecurity risk management objectives.
- Ascertain the value of your assets to your organization and to potential attackers. This step sizes the security risk.
- Model the threat landscape. Analyze security threats specific to your industry. Remember, threats are constantly evolving as new skills, techniques and tools emerge.
- Determine where security risk management functions should integrate into your organization’s infrastructure.
- Construct a cybersecurity plan so that the organization can respond to an evolving threat landscape. Analyze the options within the plan, and rank the plan’s elements by their effectiveness in reducing risk.
- Execute on the prioritized plan to manage your organization’s cyber-risks.
- Keep in mind that program elements such as bug patching and threat monitoring are continuous. A cybersecurity risk management plan is not a single event but a continuous operation.
Have a plan, execute on that plan, measure the effectiveness of the execution of the plan, and, if necessary, adjust the plan to improve. These instructions are a simple approach to managing cyber risks with a positive effect on your company’s bottom line.
In part two of this blog series, I will look deeper into the importance of cybersecurity risk management in your supply chain. In the final entry, part three, I conclude with a look at the biggest risk to cybersecurity today: the misunderstanding of cyber risks.