The Do’s and Don’ts Of Security Risk Management

Managing risk effectively is a balancing act. Leveraging data while safeguarding it requires careful consideration and the application of appropriate controls.

It’s not just a matter of choosing risk methodologies based on contractual or regulatory requirements, although these will play a part. They should be selected to meet the needs of the organisation itself, which means identifying which risks are acceptable and which are not, in line with the risk appetite of the business.

There are a number of ways in which risk management can be misapplied. Firstly, it should fit the organisation, and this means going beyond identifying risks to having a clear understanding of the goals and priorities of the business. Why? Because it allows risk management to enable the business to meet its goals without breaking either its compliance commitments or its risk appetite.

Risk As A Business Tool

We also need to understand what matters to the organisation in terms of the information it needs to collect, process, store and share to meet these business goals and priorities. This approach allows risk management to become integral to business decision making, to the point where it becomes instinctive. Once specific risk criteria are implemented, some business decisions can rely on these repeatable “canned” mitigations, allowing risk decisions to be delegated and increasing agility in the marketplace.

Another key sticking point is how risk is communicated and acted upon. It’s vital to support those at the coalface, so those charged with the responsibility for managing information risk within the organisation must have the right skills and support to be effective. As part and parcel of this, they also need access to sufficient information from every corner of the business, with input from the right people at the right time. This includes SMEs (technical and data protection specialists, vendors, etc.) to ensure that an accurate picture of information risk can be formed and clearly articulated.

How that risk intelligence is shared is absolutely critical to mitigating that risk. If those responsible for the provision of resources don’t understand the level of risk involved, they can’t make timely, informed and objective risk management decisions, so the risk must be translated.

Avoid ‘risk speak’

For example, risk is often analysed using matrices and metrics leading to a Red Amber Green (RAG) assessment or a perceived risk score, e.g. 42. Although effective for visualising or triaging risk, senior management need this information translated into business terms. This can be achieved by stating what the impact of a risk occurring would mean against an agreed set of parameters, such as loss of business, reputational damage, financial impact or punitive measures such as penalties.

Likelihood can be a bit of a moving feast. Whether an event is deemed highly unlikely or very likely, the impact will still be realised if it happens, so risk decisions must be cognisant of this.

Ownership of risk decisions should also be documented and reviewed at planned intervals, and additionally where specific triggers are met. These might include a change in the direction of the business, a heightened risk environment, or a re-evaluation following a security incident or other external influences.

Refining Risk

Risk management isn’t a one-time process and will require re-evaluation and fine-tuning. It must evolve to ensure that any systems used to collect, process or store information have appropriate risk mitigation controls applied throughout their lifespan. We have all heard the horror stories about IT equipment being disposed of without data sanitisation! Often this can be down to a lack of funding for the secure disposal or reuse of old IT systems.

Finally, risk management needs to be adaptive to the climate in which it is used and to the evolution of risks or emergence of new ones. We’ve seen countless examples of this over the past few years, from businesses adapting to meet the risks posed by the Internet of Things to those posed by working remotely during the pandemic.

Risk is therefore not static, but neither does its management need to be restrictive. Done correctly, it can bring about continuous improvement and ultimately lead to gains or growth within the business.

David Adams is a Security Consultant at Prism Infosec
