Risk management is the practice of balancing an organization’s business mission against the inherent risks and threats that could negatively impact the organization, and ensuring that adequate risk treatment methods are in place. To ensure that this happens in a structured manner, organizations typically have a risk manager (formal or informal) who is responsible for developing, implementing and maintaining the organization’s risk management strategy and program. An area of growing concern is cyber security threats, which can impact an organization in a matter of seconds and cause millions of dollars in damages and fines. Officers and directors are increasingly concerned about their organization’s cyber security preparedness should it experience a security incident or data breach. Risk managers have traditionally dealt with risks that fall into one of four categories (political, operational, environmental and technical). Cyber-related threats and their likely impacts span all of these categories, which creates a complex environment for risk managers. A compounding factor is that most security incidents and data breaches involve information technology infrastructure that is outside the typical knowledge base of risk managers. Despite this, risk managers are expected to identify, analyze and evaluate all risks, including cyber-related threats. It could be argued that cyber threats pose the greatest risk to an organization because of the speed with which they can occur and the potential scope of a breach. Cyber security threats must be part of every organization’s risk management process.
Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats. We recommend beginning the cyber threat analysis by first identifying the organization’s assets, classifying them and documenting the ownership. The risk analysis must include external and internal threats and look at them through the lens of the business’ mission and purpose. This activity is critical to effectively and efficiently deploy resources and ensure that the risk manager focuses on protecting the most critical assets based upon their value to the organization.
There are hundreds (possibly thousands) of cyber threats in today’s highly connected global economy, but that does not mean all of them apply to every organization. An example of a major threat today is a distributed denial of service (DDoS) attack. This type of attack makes a website unavailable by flooding it with so much internet traffic that the site can no longer serve legitimate users. If your organization derives a significant portion of its revenue from e-commerce sales, this could be a catastrophic threat. If your organization does not use e-commerce, it is less of a threat and should probably be a lower priority. Today’s threat landscape is more dynamic than ever before, which forces risk managers to regularly revalidate their organization’s unique threats and risks. New risks constantly arise from new threats, expanding regulations, attack vectors and vulnerabilities.
Once the risk manager has identified the organization’s critical assets and relevant threats, the next step is to understand the vulnerabilities that could be exploited. The vulnerability analysis must cover not only technical vulnerabilities but also policy and organizational ones. The relevant threats combined with the specific vulnerabilities create the risks that need to be treated. The diagram below depicts the factors that can contribute to an organization’s unique cyber risks.
These risks should be treated through the traditional treatment methods: acceptance, sharing (transfer), avoidance or mitigation. When determining the appropriate treatment method, it is important that the risk manager include leaders from a range of functional areas, including human resources, information technology, accounting, facilities, legal and vendor management. Once the treatment method is determined, a security risk management program should be developed that encompasses all the remediation activities necessary to minimize the impact and likelihood of the risks. A risk scorecard should be created to track and report progress on implementing the security program; it can also be used to communicate with the organization’s senior leadership.