With rapid and fundamental changes to the way organisations are operating through the COVID-19 pandemic, changes that are likely to persist for some time to come (if not permanently), there is an urgent need to manage the risks associated with these changes and thereby optimise the cost and effectiveness of a security program.

Controls are put into place based on best-practice frameworks and are often prioritised based on assumptions around where there is the most benefit. Many businesses are still relying on “hunches” about risk, often with qualitative rankings such as “high, medium, or low.” To really bring a security program to the next level, security risk management is needed. There needs to be a unique quantitative risk model based upon the organisation’s tolerance of risk, which can allow for better security initiative planning, prioritisation, and budgeting. Only with a regular dynamic view into risk can a company confidently say that it is providing the necessary level of security.

Auditel's insight is that the best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of on the basis of frameworks and gut feelings. This will optimise any security planning and budgeting. All risks, whether security, compliance, legal or other, can be quantified using our methodology.

You are not alone

Most IT organisations struggle with security risk management. There is a lack of understanding of how to evaluate risk, how to communicate this to the business, and what actions need to be taken.

  • Only half of businesses have taken some kind of action to identify cybersecurity risks (NopSec 2016)
  • 60% of executives feel ill-informed about the risk posed to their business from today’s security threats (NopSec 2016)
  • 97% of companies surveyed recognise there needs to be a collaborative approach to risk management, across the organisation, with the assistance of external consultants (NopSec 2016)

Risk assessments are not easy

Much of the analysis around risk is formed around assumptions: whether a threat is likely to occur, what the potential impact can be, how it can vary in the future, etc. There is difficulty associated with quantifying these assumptions as they often are just qualitative “hunches” or “feelings” rather than an actual value.

  • 63% of CEOs indicate that they want better risk metrics (InfoTech)
  • 46% were unsure whether their organisation has a good understanding of the IT security risks they face (Kaspersky)

According to the Allianz Risk Barometer, cyber risk is the most underestimated risk by businesses.

Businesses should combine the components into one program

Security risk governance is needed to elevate any risk management program. When it comes to governance, focus on building two simple functions in your risk management program.

Assigning Risk Responsibilities & Accountabilities provides clear escalation protocols for how risks are managed. This is crucial, as many risk decisions have a high financial impact on the organisation or affect business operations and cannot be made by the IT team alone.

Risk Reporting & Communication: regulatory obligations often dictate the exact need for cyber risk reporting. Beyond that, however, the ability to present and report on risk internally can benefit the organisation greatly. This includes the risk presentations that might go to senior management and the board of directors.

The program should:

  • Establish the risk environment
  • Conduct a threat and risk assessment
  • Build a security risk register
  • Communicate the risk management program
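To make the difference between qualitative "high, medium, or low" rankings and a quantitative model concrete, the following is an added example and is not code from the article, nor a description of Auditel's own methodology. It uses the widely used annualised loss expectancy model (ALE = single loss expectancy x annualised rate of occurrence), a constructed four-entry risk register with assumed figures, an assumed risk tolerance of 20,000 per year, and an assumed control cost, to show how a stated tolerance drives prioritisation and how a control's annual cost can be weighed against the loss it is expected to remove.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a quantified security risk register."""
    name: str
    sle: float    # single loss expectancy: expected cost of one occurrence
    aro: float    # annualised rate of occurrence: expected events per year
    owner: str    # accountable decision-maker, i.e. the escalation target

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def prioritise(register, tolerance):
    """Return the risks whose ALE exceeds the organisation's tolerance, largest first.

    Anything at or below tolerance is accepted and needs no new control,
    which is what a qualitative high/medium/low ranking cannot tell you.
    """
    above = [r for r in register if r.ale > tolerance]
    return sorted(above, key=lambda r: r.ale, reverse=True)


def control_net_benefit(risk, annual_control_cost, expected_reduction):
    """Annual loss removed by a control minus its annual cost.

    expected_reduction is the fraction of the ALE the control is assumed
    to eliminate (0.0 to 1.0). A positive result justifies the spend.
    """
    if not 0.0 <= expected_reduction <= 1.0:
        raise ValueError("expected_reduction must be between 0 and 1")
    return risk.ale * expected_reduction - annual_control_cost


def board_summary(register, tolerance):
    """Figures for a risk report to senior management (constructed format)."""
    return {
        "total_ale": sum(r.ale for r in register),
        "risks_above_tolerance": len(prioritise(register, tolerance)),
        "tolerance": tolerance,
    }


# Constructed sample register: names, values and owners are illustrative only.
REGISTER = [
    Risk("Phished remote-access credentials", sle=40_000, aro=2.0, owner="CISO"),
    Risk("Unpatched VPN appliance compromised", sle=250_000, aro=0.2, owner="CISO"),
    Risk("Lost unencrypted laptop", sle=15_000, aro=1.5, owner="COO"),
    Risk("Office network outage", sle=5_000, aro=3.0, owner="IT Manager"),
]

TOLERANCE = 20_000  # assumed annual loss the organisation is willing to accept

if __name__ == "__main__":
    for r in prioritise(REGISTER, TOLERANCE):
        print(f"{r.name}: ALE {r.ale:,.0f} (owner: {r.owner})")
    # Assumed control: MFA on remote access at 30,000 per year, cutting that ALE by 80%.
    print("MFA net benefit:", control_net_benefit(REGISTER[0], 30_000, 0.8))
    print(board_summary(REGISTER, TOLERANCE))
```

The ordering that comes out of `prioritise` is not the one a gut-feel ranking would give: the rare, high-impact VPN compromise ranks below the frequent, cheaper phishing losses, while the network outage, however visible, falls inside tolerance and is simply accepted.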

Article by: Nigel Hughes

As seen in Issue 8 of The Bottom Line