At a high level, cybersecurity risk management is not unlike deciding what to wear and what to do. In the Pacific Northwest, where I call home, residents check the daily weather report for an estimate of both the chance and the intensity of rainfall. The term atmospheric river makes a frequent appearance. Weather forecasts convey probability and effect by rating such a deluge anywhere from primarily beneficial to primarily hazardous.
Weather Reports and Cyber Controls
Weather reports inform behavior and fashion choices in much the same way compensating controls inform security decisions. For example, if it’s an August day with a high of 60 degrees and a 90% chance of light rain throughout the day, it’s probably a good day for a walk on one of our rocky beaches in sandals and without a jacket. If it’s instead a fall day at 40 degrees with a 50% chance of heavy rain, some will debate wearing a jacket, though almost no one will take an umbrella. And if there’s a 90% chance of a category 3 atmospheric river (rated as a balance of beneficial and hazardous) in the winter, area skiers and snowboarders will head to their local mountain and wear Gore-Tex. Everyone else will likely stay indoors, except those with dogs to walk. As in risk management, none of these choices reduces the probability of rain to zero or prevents fleece jackets from absorbing rainwater. Instead, they help manage the impact if it does pour.
Informed Decision Making
Cybersecurity risk management exists to help businesses make informed decisions when allocating their limited resources. Although there are several ways of measuring risks and several more risk frameworks, there is no “right” way to conduct risk management other than consistency. Provided that a business documents, discusses, and acts on risk data, the supporting technologies and formulas are not particularly relevant to business leaders or board members.
Phase 1: Document Risks in One Place
Start your cybersecurity risk management program by documenting risks in a single location. Like watching a forecast for a downpour, the act of writing down risks might feel uncomfortable: it translates theoretical cloudy skies into the concrete possibility of an afternoon shower. Successful organizations provide templates and training for how to document risks, including how to describe them and who can help.
Help your organization speak one risk language. Outline threat attributes, including frequency, impact, probability, threats, vulnerabilities, and a host of other factors. Everyone from the front line to the boardroom should agree to a developed and consistent process for risk management. For example, an employee and a C-level executive may have views on risk cost as different as an Arizona resident’s concern about rainfall and an Oregonian’s. The entry-level employee may see a $10,000 risk as insurmountable, while a C-level executive might not think the cost is noteworthy. Communicate and address these differences as part of the risk documentation process.
Phase 2: Discuss Documented Cyber Risks
Regularly discuss the documented cybersecurity risks. To balance multiple risks, create prioritization exercises that all participants agree to follow. Schedule regular, blame-free discussion of each risk’s attributes so the business can decide what to do. Corporate decision-makers may choose to accept, mitigate, transfer, or ignore a risk, although choosing to ignore a risk is often treated the same as accepting it if a lawsuit follows a breach. To mitigate a risk, the business can select the appropriate people, processes, and technologies, and should revisit the situation later to determine effectiveness. Transferring risk to cyber insurance is an alternate approach, but recent coverage reductions and pricing changes in the cyber insurance markets might make risk mitigation the less expensive and more reliable option.
Phase 3: Take Action
Take the agreed-upon, documented actions stemming from the risk conversations. Plan time to make simple, procedural adjustments that reduce risk. Some adjustments might entail a monthly review of a front-desk guest register, while others might require process, training, and technology solutions.
Ascent recommends that businesses prioritize risk mitigation by weighing the effort it would take to respond to a security breach, an assessment often verified by an independent team. This extra step effectively closes the risk loop. The risk might not be reduced to a probability of zero, but the internal team charged with discussing risks will only need to revisit the response process if something material changes.