The Do’s and Don’ts Of Security Risk Management

Uploaded on 2022-11-03 in TECHNOLOGY--Resilience, FREE TO VIEW

Managing risk effectively is a balancing act. Leveraging data while safeguarding it requires careful consideration and the application of appropriate controls.

It’s not just a matter of choosing risk methodologies based on contractual or regulatory requirements, although these will play a part, but of selecting these based on the needs of the organisation itself, which means identifying acceptable and unacceptable risks that are aligned to the risk appetite of the business.

There are a number of ways in which risk management can be misapplied. Firstly, it should fit the organisation and this means going beyond identifying risks to having a clear understanding of the goals and priorities of the business. Why? Because this sees risk management enabling the business to meet its goals without breaking either compliance commitments or risk appetite.

Risk As A Business Tool

We also need to understand what matters to the organisation in terms of the information it needs to collect, process, store and share to help it meet these business goals and priorities. This approach then allows risk management to become integral to business decision making to the point where it becomes instinctive. Once specific risk criteria are implemented some business decisions can then rely on these repeatable “canned” mitigations allowing delegated risk decisions which increase agility in the marketplace.

Another key sticking point is how risk is communicated and acted upon. It’s vital to support those at the coalface, so those charged with the responsibility for managing information risk within the organisation must have the right skills and support to be effective. As part and parcel of this, they also need access to sufficient information from every corner of the business, with input from the right people at the right time. This includes SME’s (technical/data protection specialists/vendors etc) to ensure that an accurate picture of information risk can be formed and clearly articulated.

How that risk intelligence is shared is absolutely critical to mitigating that risk. If those responsible for the provision of resources don’t understand the level of risk involved, they can’t make timely, informed and objective risk management decisions, so the risk must be translated.

Avoid ‘risk speak’

For example, risk is often analysed using matrixes and metrics leading to a Red Amber Green (RAG) assessment or perceived risk number ie 42. Although effective when visualising or triaging risk, senior management need this information to be translated into business terms. This can be achieved by stating what the impact of a risk occurring would mean against an agreed set of parameters, such as loss of business, reputational damage, financial impact or punitive measures such as penalties.

Likelihood can be a bit of a moving feast. The impact, whether it is deemed highly unlikely or very likely, will still be realised if the event happens so the risk decisions must be cognisant of this.

Ownership of risk decisions should also be documented and reviewed at planned intervals and also where specific triggers are met. These might include a change in the direction of the business, a heightened risk environment or a re-evaluation following a security incident or other external influences.

Refining Risk

Risk management isn’t a onetime process and will require revaluation and fine-tuning. It must evolve to ensure that any systems used to collect, process or store information have appropriate risk mitigation controls applied throughout their lifespan. We have all heard of the horror stories around IT being disposed of without data sanitisation! Often this can be down to a lack of funding regarding secure disposal or reuse of old IT systems.

Finally, risk management needs to be adaptive to the climate in which it is used and to the evolution of risks or emergence of new ones. We’ve seen countless examples of this over the past few years, from businesses adapting to meet the risks posed by the Internet of Things to those posed by working remotely during the pandemic.

Risk is therefore not static but neither does it need to be restrictive. Done correctly, it can bring about continuous improvement and ultimately leads to gains or growth within the business.

David Adams is a Security Consultant at Prism Infosec

You Might Also Read: 

Four Questions To Ask After An Attack:

 

« How Long Does It Take Before An Attack Is Detected?
Is It Time To Consolidate Systems? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Security Magazine

Security Magazine

Security, the business magazine for security executives, focuses on management issues facing top security professionals and effective solutions being employed, both physical and cyber.

Cyber Technology Institute - De Montfort University

Cyber Technology Institute - De Montfort University

The Cyber Technology Institute provides training and high quality research and consultancy services in the fields of cyber security, software engineering and digital forensics.

Cyfor

Cyfor

Cyfor provides digital forensics and eDiscovery in civil, criminal, intellectual property, litigation and dispute resolution investigations.

K&D Insurance Brokers

K&D Insurance Brokers

K&D provide insurance for all sectors of industry and commerce including cyber risk cover.

Lynx Software Technologies

Lynx Software Technologies

Lynx provide secure software and operating systems for use in mission critical applications such as aerospace, medical, transportation and IoT.

CERT-UG/CC

CERT-UG/CC

CERT-UG/CC is the national Computer Emergency Response Team for Uganda, operating under the National Information Technology Authority (NITA-U)

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

Brighterion

Brighterion

Brighterion solutions stop payment and acquirer fraud, reduce credit risk and delinquency, fight financial crime, prevent healthcare fraud, waste and abuse, and more.

Cyber Command - Romania

Cyber Command - Romania

Cyber Command represents the military authority responsible for the development, protection and resilience of military IT networks and services that support the Romanian Force Structure.

ESC - Enterprise Security Center

ESC - Enterprise Security Center

ESC is a system house specializing exclusively in IT security - Security Implementation & Optimization, Operations, Managed Security Services.

Noetic Cyber

Noetic Cyber

Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, and optimize their cybersecurity posture.

MetaWeb Ventures

MetaWeb Ventures

MetaWeb Ventures is a global venture capital firm focused on pre-seed and seed investments in crypto start-ups.

Hexens

Hexens

Hexens introduces a whole new approach to cybersecurity solutions. Indisputable skills and a unique super-focused perspective on every single case are the values we create.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.

Nerds On Site

Nerds On Site

Nerds On Site provide on-site & in-home IT and technical support, managed IT services, and cyber security through our collaborative team of highly-trained IT and Security professionals.

Liberty Technology

Liberty Technology

Liberty Technology has a host of highly trained, certified experts who assist our clients with immediate remote support as well as on-site service.