We live in a world of “what ifs.” When it comes to data protection, the “what ifs” of security control effectiveness can change in a split second. One malicious actor finding a new zero-day exploit, or previously unknown vulnerability, can lead to a domino-effect data breach up and down your IT supply chain.
Risk Management Planning
What is the Risk Management Process?
Risk management is the process of moving from risk identification to risk analysis to establishing risk mitigation steps.
Whew, that’s a lot of “risk” there. At its core, the risk management process requires you to make a lot of lists. The risk assessment process starts by taking a holistic view of where you store, transmit, and share information. Then, you look at potential risks to the integrity, availability, and confidentiality of that data.
Once you’ve created a list of all the places that someone could access data, you need to make a second list that ranks the importance of that information and incorporates a review of the probability the data could be compromised.
Finally, you need to use the second list to create a third list that explains whether you’re planning to accept, transfer, mitigate, or refuse the risk. However, you also need to document your reasoning to support those decisions and what steps you take to follow through on the decision.
That’s a lot of lists.
How to Analyze Potential Impact of a Risk Event
Within an information security context, several categories of risk event exist. Using information about the most likely events and statistics supporting data breach costs can help you foresee risks and estimate impacts.
Vendor Data Breach
A vendor data breach risk can be devastating. The Ponemon Institute reported that in 2017, 56% of reported data breaches arose from third-party vendors. The same report indicated that the average payout for a data breach was $7,350,000 including fines, remediations, and customer loss.
Malicious Attacks
The Verizon Data Breach Insights Report for 2018 noted that 73% of cyber attacks arose from organized criminal groups, nation-state or nation-state affiliated malicious actors. 2,216 of the 53,308 security incidents consisted of data breaches. 21,409 incidents arose out of denial of service (hacking) attacks.
Insider Issues
The Verizon report also provided information about the impact of internally caused risk events. End-users and system administrators accounted for a startling number of internal breach activities. Out of 277 total insider issues, these two categories accounted for a total of 134 security incidents. Meanwhile, social engineering accounted for 1,450 incidents and 381 confirmed data disclosures.
Why You Need a Risk Assessment Matrix
Qualitative risk reviews give you a guesstimate. Quantitative risk reviews let you define responses appropriate to not only the likelihood of an event’s occurrence but also the impact it might have. An event might not be very likely, but its impact may overwhelm your financial stability as a business. Therefore, the math doesn’t work out smoothly.
However, if you create a risk assessment matrix, you review data security risks across a spectrum allowing you to focus on essential and impactful risks first and then move through the risk spectrum to address other potential events accordingly.
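The three lists and the matrix described above can be kept as a small risk register. The following is an added example, not code from the original article or from ZenGRC: the 1-5 scales, the band thresholds, the rule that a maximum-impact risk never ranks below "high", and the sample risks are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales and band floors; the article defines neither.
BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]
ORDER = {name: i for i, (_, name) in enumerate(BANDS)}
TREATMENTS = {"accept", "transfer", "mitigate", "refuse"}  # the article's four options

@dataclass
class Risk:
    name: str
    likelihood: int      # 1 = rare .. 5 = almost certain
    impact: int          # 1 = negligible .. 5 = threatens the business
    treatment: str = ""
    rationale: str = ""

def band(risk: Risk) -> str:
    """Return the matrix band for one risk."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: scores must be 1-5")
    score = risk.likelihood * risk.impact
    label = next(name for floor, name in BANDS if score >= floor)
    # A plain product hides rare-but-ruinous events, so impact 5 never ranks below "high".
    if risk.impact == 5 and ORDER[label] > ORDER["high"]:
        label = "high"
    return label

def prioritize(register):
    """Second list: most urgent band first, then by impact, then likelihood."""
    return sorted(register, key=lambda r: (ORDER[band(r)], -r.impact, -r.likelihood))

def undocumented(register):
    """Third list check: names lacking a valid treatment or a written rationale."""
    return [r.name for r in register
            if r.treatment not in TREATMENTS or not r.rationale.strip()]

# Constructed sample register; scores and rationales are illustrative only.
REGISTER = [
    Risk("Denial of service on public site", 4, 2, "mitigate", "Rate limiting at the edge"),
    Risk("Zero-day in core platform", 1, 5, "mitigate", "Segmentation and patch SLA"),
    Risk("Vendor data breach", 3, 5, "transfer", "Contract terms and cyber insurance"),
    Risk("Administrator misuse of access", 2, 4, "mitigate", "Least privilege and log review"),
    Risk("Lost conference badge", 3, 1, "accept"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{band(r):8} L{r.likelihood} x I{r.impact}  {r.name}")
    print("Needs documentation:", undocumented(REGISTER))
```

Ranking by likelihood times impact alone would place the zero-day (score 5) below the denial-of-service risk (score 8); the matrix band moves it up, and the last entry is flagged because its decision has no recorded reasoning.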
How to Apply a Project Management Approach to a Cybersecurity Risk Management Plan
Taking a security-first approach to cybersecurity works similarly to managing a project. You need to start by detailing the risks and creating tasks that allow you to develop, test, and operate your data protections.
Using a Work Breakdown Structure (WBS) gives an excellent example of how to create a cybersecurity risk management plan using a project management approach.
A project manager needs to bring internal and external stakeholders together meaningfully so that everyone understands their responsibilities to meet project goals. Similarly, a chief information security officer (CISO) needs to bring together the C-suite and department managers responsible for the different tasks inherent in vendor management and cybersecurity monitoring.
A WBS organizes internal stakeholder responsibilities by providing information about tasks and subtasks. Similarly, within information security compliance, you need to review standards and regulations for their parts and subparts.
Using Project Management to Create Cybersecurity Risk Mitigation Strategies
Imagine your CISO is a project manager. Your IT department acts as his team members. Whether you’re bringing on a new Software-as-a-Service vendor or looking to become compliant with a new standard or regulation to scale your business, the risk mitigation steps remain the same.
In project management, you name your project. In cybersecurity, you decide which standard or regulation you want to align your controls to.
In project management, you look at a variety of phases such as acquisition, engineering, testing, and manufacturing. In cybersecurity, you review risks, establish controls, continuously monitor threats, and remediate security events.
In project management, you prepare documentation and create a contingency plan for potential problems. In cybersecurity, you establish policies and procedures for controls and create business continuity and disaster recovery plans.
Agile software and hardware development requires a continuous approach to reviewing the product throughout its life cycle. Similarly, cybersecurity risk management needs you to continuously monitor the threats to your data environment to ensure your controls remain effective.
How ZenGRC Enables A Project Management Approach To Cybersecurity Risk Management
Just like project managers need to communicate with their teams, your CISO needs a way to enable communication with internal and external stakeholders. Traditional tools like shared calendars for task assignment and emails for discussions take time that could be better spent monitoring your cybersecurity.
Maintaining an effective information security program requires an efficient workflow tool to coordinate communication and task management across internal stakeholders.
ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can maintain records – up until the time you need to dispose of them.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.