A risk-based approach to cyber security is increasingly being mandated by regulations such as the EU General Data Protection Regulation (EU GDPR) and standards such as ISO 27001. It can provide significant benefits to organisations by: reducing the risk of damaging security breaches; optimising cyber security activities; and, in the event of a breach, mitigating damages through demonstration of a diligent approach. Co-founder of Acuity Risk Management, Simon Marvell, has outlined 7 key requirements for demonstrating a practical risk-based approach to cyber security.
Set the right scope
Understanding and setting the right scope for cyber risk management is critical because, if it is set correctly, the following requirements become much easier to deliver. If the scope is too detailed we get dragged into over-analysis and unfathomable detail on low-level issues which are really day-to-day IT or security operations activities. On the other hand, if it is too high-level then we fall into the over-simplified trap and end up with a risk-based approach which isn’t fit for purpose.
Capture and correlate relevant risk information
There are many factors that contribute to our understanding of cyber risk, but these only come together to provide valuable information (on which we can make risk-informed decisions) if we can understand them in the right context. The more good information we have, the more likely we are to draw the right conclusions and make the right decisions. Figure 2 provides examples of poor or incomplete information and of good information on cyber security risk.
Make risk-informed decisions on all relevant risk factors
With good correlated and contextual information, we can make risk-informed judgements and decisions:
- Which risks are currently acceptable with no further action needed for now, other than monitoring?
- Which risks are currently unacceptable and require action?
- What actions will be most effective in addressing unacceptable risks, to what degree and, therefore, what is the risk-based order of priority for completing these actions?
- Individual actions can, at the same time, help to address multiple risks, so we again need good visibility to identify and prioritise actions across our complete risk landscape.
Report in the language of business leaders
To make decisions, business leaders need good, credible information in a language that they understand. They are not interested in technical data. They are interested in the top 10 cyber security risks, what these mean in business terms, what’s being done about them and who’s responsible. And then they want to see progress at the next update.
Business leaders understand risk registers and use them for tracking enterprise risks, so a series of risk registers showing summary data, with drill-down for more detail, is a good way to present cyber security risk.
Maintain evidence and history
We make better decisions when they are based on evidence rather than theory, so we should capture evidence and maintain historical records to back up our decisions: for example, the maturity and effectiveness of controls at the point when risks were accepted, how we assessed the risks, and our reasoning behind risk acceptance. Evidence of a diligent risk-based approach, with risks identified and appropriately addressed, will be important in mitigating damages that could result in the event of a breach.
Since we can’t completely avoid risk, there will always be a point at which we must accept risk, and this will balance varying trade-offs, such as:
- business benefits versus the rights and freedoms of individuals
- less secure but great user experience versus more secure but impaired user experience
- cost versus benefit.
The ability to accept risk increases with seniority and the highest risks need to be accepted by business leaders, based on full visibility of risk information, supplemented with evidence and historical records. Those accepting risk need to accept accountability for their decisions and be prepared to respond in the event that the risk materialises and a breach occurs.
Monitor and continually improve
Risk is accepted at a point in time and we can capture evidence of the risk status at the point of acceptance; however, the acceptance is out of date almost as soon as it has been made. Some of the variables relating to threats, vulnerabilities, control performance and incidents can change frequently, so they need to be easy to monitor and, whenever necessary, easy to adjust.
Being alerted when a risk increases above the level at which it was accepted allows action to be taken to bring the risk back within tolerance.
Also, by monitoring and learning from our risk assessments compared to what happens in practice, we can adjust our processes and continually improve our cyber risk management.
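As an added illustration (not Acuity's own tooling or the author's code), here is a minimal risk register in Python that records the score and evidence at the point of acceptance, keeps the history, and flags any accepted risk that has since risen above its accepted level; the risk names, owners, scores and evidence strings are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Risk:
    """One row of a cyber risk register (constructed example)."""
    name: str
    owner: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)
    accepted_score: Optional[int] = None  # score at the point of acceptance
    history: list = field(default_factory=list)  # evidence snapshots over time

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def accept(self, accepted_by: str, evidence: str) -> None:
        """Record acceptance together with the evidence that backed it."""
        self.accepted_score = self.score
        self.history.append({"event": "accepted", "by": accepted_by,
                             "score": self.score, "evidence": evidence})

    def reassess(self, likelihood: int, impact: int, evidence: str) -> None:
        """Update the variables that change over time, keeping the record."""
        self.likelihood, self.impact = likelihood, impact
        self.history.append({"event": "reassessed", "score": self.score,
                             "evidence": evidence})

def risks_above_tolerance(register):
    """Accepted risks whose current score now exceeds the accepted level."""
    return [r for r in register
            if r.accepted_score is not None and r.score > r.accepted_score]

def top_risks(register, n=10):
    """Board-level view: highest scores first, with the accountable owner."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.owner, r.score) for r in ranked[:n]]

def build_register():
    """Constructed sample data: two accepted risks, one later reassessed."""
    phishing = Risk("Credential phishing against finance staff", "CFO", 3, 4)
    phishing.accept("CFO", "MFA enforced; awareness training completed Q1")
    vendor = Risk("Third-party payroll provider outage", "HR Director", 2, 3)
    vendor.accept("HR Director", "Contractual SLA and tested fallback process")
    # A control has degraded since acceptance, so likelihood is raised.
    phishing.reassess(4, 4, "MFA coverage dropped to 60% after new starters")
    return [phishing, vendor]
```

Running `risks_above_tolerance(build_register())` returns only the phishing risk, whose score rose from 12 at acceptance to 16, which is the trigger for re-acceptance or corrective action.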
Feel free to arrange a meeting with Acuity Risk Management if you have any questions on the above blog or wish to discuss your risk management process.