This blog was written by a third party author
What is cybersecurity risk management?
Cybersecurity risk management is the practice of prioritizing cybersecurity defensive measures based on the potential adverse impact of the threats they're designed to address. Establishing a risk management approach to cybersecurity investment acknowledges that no organization can completely eliminate every system vulnerability or block every cyber-attack. Through cybersecurity risk management, an organization attends first to the flaws, the threat trends, and the attacks that matter most to their business.
Calculating cybersecurity risk
Cybersecurity risk management usually depends upon a risk analysis that calculates cybersecurity risks based on the generic risk equation that states that:
Cyber risk = Consequence of attack x Likelihood of attack
The math behind this calculation tends to be fluid and prone to subjective interpretation because each component is comprised of many variables that are often difficult to measure quantitatively.
For example, consequences of an attack can include impacts to significant business objectives, regulatory impacts, customer churn, and so on. The severity scoring of these potential consequences is also interrelated with the value of the impacted asset to the business mission, business process, or to the customer. Meanwhile, the likelihood of an attack can be influenced by a number of variables such as the attractiveness of an asset to attackers, the vulnerabilities present in the asset, and the existing controls or countermeasures around the asset.
While coming up with risk calculations is never a precise science, engaging in even the most straightforward modeling to calculate cyber risk provides a guidepost for taking a more disciplined approach to setting security strategy. Investments are made to drive down the overall cybersecurity risk exposure of an organization by focusing on improving controls or risk mitigations that reduce the likelihood of attack and/or minimize the potential business impacts of the highest risk threats.
This approach stands in contrast to making reactive investments based on 'gut' reactions to vendor marketing that fosters fear, uncertainty, and doubt (FUD) around threats that may not necessarily pose a lot of risk to the business.
Risk-based Cyber Posture Assessment
Get a quick assessment of your security posture and make a plan to get where you want to be.Learn more
Understanding cyber risk management frameworks
Cyber risk management frameworks present standardized and well-documented methodology for:
- conducting risk assessments that evaluate business priorities and identify gaps in cybersecurity controls
- performing risk analysis on existing control gaps
- prioritizing future cybersecurity investment based on risk analysis
- executing on those strategies by implementing a range of security controls and best practices
- measuring and scoring cybersecurity program maturity along the way
Some of the most common cyber risk management frameworks today include:
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) stands as one of the most popular cybersecurity risk management frameworks in the industry. NIST CSF provides an end-to-end map of the activities and outcomes involved in the five core functions of cybersecurity risk management: identify, protect, detect, respond, and recover.
The Department of Defense (DoD) Risk Management Framework (RMF) is the set of standards that DoD agencies use to assess and manage cybersecurity risks across their IT assets. RMF breaks down the development of a cyber risk management strategy into six distinct steps of categorize, select, implement, assess, authorize, and monitor.
Produced by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 27001 is one of the longest running cybersecurity frameworks, providing a rigid and certifiable set of standards for systematically managing risk posed by information systems. Additionally, the organization manages the ISO 31000 standard which provides principles and guidelines for effective enterprise risk management, of which cyber risk management is a component.
The Factor Analysis of Information Risk (FAIRTM) is a cyber risk framework developed by The Open Group for the purpose of helping enterprises understand, measure, and analyze information frisk to help business leaders, cybersecurity experts, and risk professionals make well-informed decisions about their cybersecurity practices.
In addition to these, there are a number of common cybersecurity controls frameworks that specifically focus on the execution side of cyber risk management. Two of the most common are the Center for Internet Security (CIS) Controls and the Payment Card Industry Data Security Standards (PCI DSS). These cybersecurity standards and compliance frameworks focus solely on the technology and best practices for defending against threats and mitigating risks but do not necessarily dive into the process of assessing or calculating risk at the same depth as a cyber risk management framework.
How to set up a company cyber risk management plan
Organizations seeking to set up a cyber risk management plan tend to start with a risk evaluation, from which controls can be selected based on the identified risks that are of highest priority to the business. This evaluation is frequently conducted via a cybersecurity risk assessment. A risk assessment helps executives and directors make informed decisions about security by providing an analysis and summary about the following: :
Business priorities: Regulatory and business requirements that IT and cybersecurity team supports.
Architecture: The existing IT and security technology and architecture that makes up the organization's current IT environment.
Controls: Existing security controls, policies, and processes
That collection of data should then be matched up to a cybersecurity risk framework to discover gaps between existing security controls and industry best practices, as well as to score the risk level of those gaps based on enumerated business requirements.
This assessment sets the roadmap for making investments and managing cyber risk in a way that's completely aligned with the business. Once controls are implemented, organizations must also continually monitor and evaluate the environment for changes to the organization and threat landscape to tweak the roadmap appropriately.