The following is part of a series providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.
This blog summarizes chapter 7: “Effective cyber risk management: An integrated approach”, by former CIO of the United States Department of Energy, Robert F. Brese. Please refer to the original article for any direct quotations.
Even though ‘getting hacked’ may seem inevitable, by taking an integrated approach to risk management, cybersecurity risk can be effectively managed. The risk process must be ongoing and iterative, and not a one-time, infrequent, or ‘check the-box’ activity. Not only must the right stakeholders be engaged at the right levels within an organization, but the right automated tools and processes must also be in place to support risk decision-making and monitoring.
It’s important to note that accountability does not lie with just one person (e.g. the chief information officer (CIO) or chief information security officer (CISO)); only an integrated approach to risk management will ensure that a company’s cybersecurity risk is managed effectively.
Find the balance
Effective risk management finds the balance between the needs of the business and the needs of security. In finding this balance, the company will be able to compete successfully in its market while protecting the critical information and assets on which it relies.
Accept residual risk
One thing is certain: not all cybersecurity risk can be eliminated through controls or transferred through insurance, so residual risk must be accepted. Making good decisions about that residual risk requires an integrated, formal approach.
The cybersecurity risk management process
To undertake effective cyber risk management, it is recommended that you take the following approach:
- Risk framing and assessment
Establishing the engagement between IT and the line-of-business owners is crucial to preserving the confidentiality, integrity, and availability of data. Once IT understands the business owners’ risk threshold, the CIO and CISO can begin planning, implementing, and assessing the appropriate security controls.
- Controls assessment
Controls include all of the tools, tactics, and processes a company has to avoid, mitigate, share, transfer, or accept risk. This means that corporate structure, training and awareness programs, physical security, and other options should be considered in addition to traditional IT controls.
- Risk decision making
Decisions are made regarding what will be done and what will not be done in response to each risk. A balance must be struck between protecting systems and information and the need to effectively run the business that relies on them.
- Residual risk sign-off
The business decides how each risk should be treated, recognising the residual risk and when to close the decision-making process. This process should be formal and documented so that the business can refer to it at any time.
- Risk monitoring
Risk monitoring is an ongoing process and should be documented in a risk register, which will provide reference for auditors at a later stage. Because most companies have a large number of systems, each with their own risk register, an automated system is typically used to aid monitoring and review.
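The five steps above can be made concrete as a small risk register. The following is an added example written for this summary; it is not code from the chapter, the NYSE guide, or any product. The 1–5 likelihood and impact scales, the idea that each control removes a fixed fraction of the risk score, the residual-risk appetite threshold, the 90-day review interval and all sample risks are assumptions constructed for illustration. It enforces three of the chapter’s points in code: a treatment decision must exist before sign-off, accepting residual risk above the business owner’s threshold needs a written justification, and monitoring flags every risk that is unsigned or overdue for review.

```python
"""Minimal risk register illustrating framing, controls, decision, sign-off and monitoring.
Added example; scales, control effects and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The chapter's five treatment options for a risk.
TREATMENTS = {"avoid", "mitigate", "share", "transfer", "accept"}


@dataclass
class Control:
    """A control and the fraction of the risk score it is assumed to remove (0.0 .. 1.0)."""
    name: str
    effect: float


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int  # assumed 1..5 scale
    impact: int      # assumed 1..5 scale
    controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None        # risk decision making
    signed_off_by: Optional[str] = None    # residual risk sign-off
    signed_off_on: Optional[date] = None
    justification: Optional[str] = None
    review_interval_days: int = 90         # assumed monitoring cadence

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk left after every control has removed its assumed fraction."""
        score = float(self.inherent_score())
        for control in self.controls:
            score *= 1.0 - control.effect
        return round(score, 2)


class RiskRegister:
    def __init__(self, appetite: float):
        self.appetite = appetite  # business owner's residual-risk threshold (risk framing)
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self.risks[risk.rid] = risk

    def decide(self, rid: str, treatment: str) -> None:
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        self.risks[rid].treatment = treatment

    def sign_off(self, rid: str, approver: str, on: date, justification: Optional[str] = None) -> None:
        """Formal, documented acceptance of the residual risk by a named business owner."""
        risk = self.risks[rid]
        if risk.treatment is None:
            raise ValueError(f"{rid}: a treatment must be decided before sign-off")
        if risk.residual_score() > self.appetite and not justification:
            raise ValueError(f"{rid}: residual risk above appetite requires a written justification")
        risk.signed_off_by, risk.signed_off_on, risk.justification = approver, on, justification

    def due_for_review(self, today: date) -> List[str]:
        """Monitoring: risks never signed off, or whose sign-off is older than the review interval."""
        return sorted(
            rid for rid, r in self.risks.items()
            if r.signed_off_on is None or today - r.signed_off_on > timedelta(days=r.review_interval_days)
        )


def build_sample_register() -> RiskRegister:
    """Constructed sample data, not taken from any real organisation."""
    reg = RiskRegister(appetite=6.0)
    reg.add(Risk("R-001", "Ransomware on file servers", likelihood=4, impact=5,
                 controls=[Control("offline backups", 0.5), Control("EDR on servers", 0.6)]))
    reg.add(Risk("R-002", "Phishing of finance staff", likelihood=3, impact=3))
    reg.add(Risk("R-003", "Unpatched VPN appliance", likelihood=3, impact=4))
    reg.decide("R-001", "mitigate")
    reg.sign_off("R-001", "cfo", date(2024, 1, 1))
    reg.decide("R-002", "accept")  # residual 9.0 > appetite 6.0, so a justification is mandatory
    reg.sign_off("R-002", "cfo", date(2024, 5, 1), justification="awareness training scheduled Q3")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for rid, r in register.risks.items():
        print(rid, "inherent", r.inherent_score(), "residual", r.residual_score(), "treatment", r.treatment)
    print("due for review on 2024-06-01:", register.due_for_review(date(2024, 6, 1)))
```

Running the module shows R-001 reduced from 20 to 4.0 by its two controls, R-002 accepted above appetite only because a justification was recorded, and R-001 (sign-off older than 90 days) plus R-003 (never decided or signed off) flagged for review. Each row of the register is the documented record an auditor can be pointed to later.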
Accountability ensures a formal risk management process is followed and that effective decision-making is occurring: no single person will be made accountable for a risk, but multiple people at various steps.
Long-term effectiveness in cybersecurity risk management requires all employees to meet their security responsibilities to the organization for which they work. This ranges from non-technical staff encouraged to ‘see something, say something’ (and feeling empowered and rewarded for doing so) to top-level management being involved in all major steps of the risk assessment process.