How To Prepare for Cybersecurity Risk – Part 2

by | May 7, 2023

Risk Management

Image credit: Freepik

In part-1 we learned some terms associated with cybersecurity risks and threats. We also learned that threats and risks are inevitable – in life and business. One must anticipate and prepare for risks in advance. I also mentioned some cyber threats experienced by organizations. In this post I’d like to discuss some risk management strategies.

Image Credit: Image by Freepik

Monitoring

An event is an observable occurrence in a network or system. It could be a normal event like a routine process – or something unusual such as a large data outflow or someone accessing a database frequently. A CISO’s task is to respond to unusual events or behavior and take suitable actions to mitigate the risk.  The network monitoring task is usually done by a team of security professionals in a security operations center or SOC  – who use network monitoring tools to detect anomalies. The CISO should be on top of things and should respond with a plan or decision as soon as something unusual is detected (this is known as risk treatment).

Risk Identification

This is a recurring process for identifying different risks, classifying them, and then estimating the impact that each could  have in disrupting the organization.

But how do you decide which risks are critical and which ones are not? This is where risk prioritization comes in. A risk matrix is an effective method to prioritize the risk.

Risk Management

Risk Matrix – Image credit: (ISC)2

When plotting the identified risk on a risk matrix, take a close look at your organization and analyze what makes it unique. What is its intellectual property? And will the risk impact that? In what way?

Security professionals must know their organization’s business domain. They must be aware about the strategic, tactical and operational plans.

Risk Assessment

Is a part of risk identification. Risk assessment is the process of identifying, estimating and prioritizing risks to an organization’s operations. That includes its mission, functions, image and reputation. You can even add the organization’s customers, employees, partners, and shareholders to that list. What would be the impact of the identified risk on all these entities?

Align each identified risk to an information system with the goals, objectives, assets or processes of an organization. This in turn aligns with or directly supports the organizations goals or objectives.

These days CISOs and CIOs are expected to be business enablers. Mapping risks to business goals is one of their business enablement tasks.

Once the risk assessment is completed it is documented and presented as a report to the management, who will then take a decision for risk treatment.

Risk Treatment

Risk treatment means determining the best course of action to respond to an identified risk.  This decision is taken by the management who consider three key aspects:

  • What is the management’s attitude towards risk and availability?
  • The cost / time for risk mitigation
  • Is the effort (in terms of resources, time and costs) that goes into mitigation worth it?
Risk management

Risk Treatment – Image credit: (ISC)2

There are four paths to respond to the identified risk:

  1. Risk Avoidance
  2. Risk Acceptance
  3. Risk Mitigation
  4. Risk Transference

1. Risk Avoidance – Revisit the risk matrix. When the identified risk is placed in the second quadrant (High Probability, High Impact) the management may decide on risk avoidance. The potential impact of the risk is too high or the likelihood of the risk being realized is too great.

They may decide to shut down a website for maintenance or shut down a server that could be compromised. Of course, the key thing here is communication with all stakeholders that could be impacted by this action.

2. Risk Acceptance – When the impact or likelihood of occurrence is negligible then the management may choose to accept the risk. It’s like ignoring the risk. The benefit is more than enough to offset the risk.

In the risk matrix, this risk would be placed in the low impact quadrants.

3. Risk Mitigation – This is the most common type of risk decision taken. When the organization accepts the risk but takes actions to mitigate the impact on business operations.

Mitigation involves remediation measures and controls such as security controls, policies, procedures, standards to minimize the impact of the risk.

While risk cannot be completely eliminated, risk mitigation measures such as an incident response plan and safety procedures should always be established.

This type of risk would be placed in the high impact quadrants of the risk matrix.

4. Risk Transference – When the effort of dealing with the risk is too high and diverts resources from core business practices, one may choose to transfer the risk to a third party. This could be an insurance company or a special purpose vehicle – a company who will manage the risk in exchange for payment.

These days cyber insurance is becoming a common risk management strategy. However, the organization needs to set up a robust defense infrastructure that is fully compliant with industry frameworks and standards. The cyber insurer will need to determine that when it decides to accept the risk and set the premium amount.

Risk Management Tools

There are plenty of risk management and compliance tools to help you manage risks in a structured manner. Risk management consultants can also help you with compliance.

In closing, I advise all security professionals to get a good understanding of the business functions, goals and objectives. Identify the crown jewels to be protected and then use the risk matrix (and other risk management tools) to align the risk to the business goals and business assets.

Then take suitable risk decisions (risk treatment).


To comment on this post, write to the author at: [email protected]

Reference: (ISC)2 course material for the (ISC)2 CC course.

DIGITAL CREED is an initiative by technology journalist Brian Pereira

Share This Article!

Brian Pereira
Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn. Email Brian at: [email protected]
Recommended Posts
The Rise of AI Agents in Business

AI agents are revolutionizing how businesses operate, innovate, and engage with customers while reshaping workforce dynamics and decision-making processes.

The First 90 Days Are Crucial for the CISO and CIO

This book arms you with insights into crafting a robust 90-day plan, and you’ll be well-equipped to catapult into CIO or CISO roles successfully. Beyond technical proficiency, the book instills survival skills, ensuring longevity and helping you prevent burnout in these pivotal positions.

Similar Articles