Every business activity involves risk, so simply viewing and measuring risk at a high level isn’t enough. InfoSec teams also need to identify and categorize risks as they relate to individual business activities and the context around them.
Managing risk is all about delivering insights so that key stakeholders – including executives and the board – can better understand their IT risk posture and use that knowledge to make better business decisions.
But where to start?
Build a Better Risk Program
Traditionally, you would begin by identifying risks from research, published risk registers and similar sources, and then spend enormous time and effort deciding which of those risks are relevant to your business and how much of a priority each one is.
We suggest a better way: start with your controls. Controls and risks are two sides of the same coin; a control is simply a risk written from the opposite perspective. By flipping the language of each control around, you uncover the underlying and related risks that the control is meant to reduce. The result of this exercise is a risk register that you can refine, categorize by business objective, and then prioritize so that each risk is brought within acceptable limits.
Consider this example: your organization's existing security policy requires employees to create an eight-character password containing upper- and lower-case letters, numbers, and symbols. Now ask: what is the risk behind this control? The answer: unauthorized access to accounts, systems, and data. Length and complexity requirements reduce the likelihood of that risk materializing by making it harder to guess a password, whether by brute-forcing a live login endpoint or by cracking stolen password hashes offline. They do not eliminate it: a password that is complex on paper can still be phished, reused from another breach, or drawn from a common pattern that a password-list attack tries first.
Meeting a baseline compliance requirement for password length and complexity (e.g., eight characters) does not mean the control is sufficient. By identifying the underlying risk up front, you can judge how well the control actually addresses the risk and its associated threats, and decide what should come next to lower the risk to an acceptable level, for example extending the minimum length to 16 characters or limiting failed login attempts. Adopting this risk-first approach produces better outcomes (i.e., lower residual risk) than implementing controls solely in response to compliance requirements.
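To make the "how well does this control address the risk?" question concrete, the following is an added worked example (not code from the original article or from Reciprocity). It estimates the exhaustive-search cost of the eight-character policy against the 16-character alternative, and models the effect of the second proposed action, limiting failed login attempts, on an attacker guessing against a live endpoint. The guess rates are illustrative assumptions, not measurements, and the throttle is a minimal per-account limiter written for this example.

```python
import math
import string

# Character classes the policy requires: lower, upper, digits, symbols.
# Using the full printable-ASCII set gives 26 + 26 + 10 + 32 = 94 characters.
ALPHABET = (len(string.ascii_lowercase) + len(string.ascii_uppercase)
            + len(string.digits) + len(string.punctuation))

# Assumed attacker guess rates in guesses/second (illustrative, not measured):
OFFLINE_FAST_HASH = 1e11   # GPU cracking of leaked hashes under a fast hash
ONLINE_UNTHROTTLED = 1e3   # hammering a login endpoint with no lockout
ONLINE_THROTTLED = 5 / 60  # 5 failed attempts per minute after throttling
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet ** length


def bits_of_entropy(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password; real user choices have far less."""
    return length * math.log2(alphabet)


def years_to_exhaust(length, guesses_per_second, alphabet=ALPHABET):
    """Years to try every password in the space; the average case is half this.
    This is the resistance of a *random* password. Attackers usually start with
    password lists, so a policy-compliant but predictable password falls sooner."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(lengths=(8, 16)):
    """Residual brute-force exposure under each attacker model, per policy length."""
    return [
        {
            "length": n,
            "bits": round(bits_of_entropy(n), 1),
            "offline_years": years_to_exhaust(n, OFFLINE_FAST_HASH),
            "online_years": years_to_exhaust(n, ONLINE_UNTHROTTLED),
            "throttled_years": years_to_exhaust(n, ONLINE_THROTTLED),
        }
        for n in lengths
    ]


class LoginThrottle:
    """Per-account limiter: after max_attempts failures within `window` seconds,
    further attempts are refused until old failures age out of the window."""

    def __init__(self, max_attempts=5, window=60.0):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = {}  # account -> list of failure timestamps

    def allow(self, account, now):
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) < self.max_attempts

    def record_failure(self, account, now):
        self._failures.setdefault(account, []).append(now)


def simulate_guessing(throttle, account, attempts, start=0.0, interval=0.01):
    """Fire `attempts` rapid wrong guesses (every `interval` seconds) at one
    account and return how many the throttle actually let reach the verifier."""
    allowed = 0
    for i in range(attempts):
        now = start + i * interval
        if throttle.allow(account, now):
            allowed += 1
            throttle.record_failure(account, now)  # constructed: every guess fails
    return allowed


if __name__ == "__main__":
    for row in compare_policies():
        print(f"{row['length']:>2} chars: {row['bits']} bits, "
              f"offline exhaust {row['offline_years']:.2e} yr, "
              f"online exhaust {row['online_years']:.2e} yr, "
              f"throttled {row['throttled_years']:.2e} yr")
    # 1000 guesses in 10 seconds against one account, 5-per-minute lockout
    print("guesses that reached the verifier:",
          simulate_guessing(LoginThrottle(), "alice", 1000))
```

Two things the numbers show that the paragraph alone does not: the eight-character policy is exhausted in well under a day against leaked hashes under a fast hash, so the control's value depends heavily on a slow password hash and breach response, not on complexity alone; and the login limiter cuts an online attacker's throughput by orders of magnitude regardless of password length, which is why "limit login attempts" belongs in the same risk conversation as "extend to 16 characters".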
Take a Strategic Approach
Looking at risk only at the organization-wide level is too broad to be actionable. Different parts of the organization may require different risk registers, scoring methods, or both. Your organization needs to understand exactly what is affecting its compliance and risk posture, which means identifying, assessing, and monitoring risk at a more granular level, such as by business priority or objective.
In addition, the relationships among requirements, controls, risks, and threats are critical. If something happens in one area that impacts another (e.g., a control failure increases the residual risk of the related business process), you need to be aware of the changes so you can take appropriate actions.
InfoSec teams should monitor risks and controls continuously and exchange information among IT security, IT risk, IT compliance, and business owners. When making strategic decisions on information security and compliance, InfoSec leaders should weigh the risk implications in their business context rather than the compliance checkbox alone.
Unfortunately, information silos between risk and compliance 'owners' make this difficult, as these teams have traditionally operated separately, using applications designed around either compliance frameworks or risk registers, not both.
Unify Compliance and Risk
At Reciprocity, we’re taking a different approach, providing a unified view of both compliance and risk in business context to help guide decision making and make it easier to build a better, more secure risk management program.
The Reciprocity ZenRisk integrated cybersecurity risk management solution provides the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. These contextual insights allow you to prioritize investments and make informed business decisions while optimizing security.
Based on the Reciprocity ROAR platform, the application provides actionable insights in the context of business priorities to help organizations avoid and mitigate IT and cyber risk. With expert-provided content, predefined scoring methodologies, mapped controls, risks and threats, and continuous scoring of residual risk, you can stay ahead of threats and prioritize activities that drive business results while optimizing security.
To learn more, check out this short video.