Request Demo

In our Integrating Governance Risk and Compliance series, CyberSaint leadership explores the process through which cybersecurity leaders can reconfigure their organizations to support the new paradigm of information security as a business function.

Risk management is fundamental to a cybersecurity program. Coupled with necessary compliance activities to support ongoing business operations, risk management centers upon identifying and working to remediate the risks associated with a given organization. Where compliance is the baseline that businesses in a specific industry or location must adhere to, risk management is where businesses must differentiate and determines where the risks specific to an organization lie. As more enterprises embrace digital technology, the relative importance of risk over compliance has grown; with the growing variety of technologies that organizations are adopting, baseline compliance is necessary, but still only a basic step to ensuring that the organization is secure.

The Importance of Risk Assessments

Almost all risk management frameworks require the consistent use of risk assessments. Whether NIST 800-30, FAIR, or even a three-by-three matrix - risk assessments are the foundation on which all risk management is built.

Choosing a risk assessment methodology comes down to what makes the most sense for your organization. My recommendation is to start general and then tailor based on your findings. Once your organization has a baseline, determining the best framework or combination of frameworks will become clearer. Remember, a risk assessment methodology should bring your organization closer to understanding the risks that are specific to strategic or business goals. It is far too easy to get lost in a methodology. As a math professor once said to me, “Don’t mistake the model for reality.” The point is to leverage a model or methodology to get a deeper understanding of reality. Resource decisions and risk appetite are much easier to handle if metrics are defensible and easy to understand.

Risk Management Frameworks

The primary mode of risk management in the context of integrated GRC activities is a risk management framework. Starting with risk assessments and then moving into how certain risks are addressed and what risk remediation activities are prioritized often starts with a framework. In most cases, an integrated GRC framework will use risk management as the foundation. In the case of the CyberStrong, and other integrated risk management platform and integrated GRC solutions, risk is baked directly into the assessment process. Assessing risk and compliance in tandem sheds light on both your organization's compliance stance while simultaneously illuminating risk remediation priorities.

Translating Cyber Risk to Stakeholders

Arguably, the most important aspect of risk management is leveraging information to improve the resiliency of the organization. For many business-side leaders, cyber risk is unknown. Yet, in today’s digital world, CEOs and Boards must have the ability to integrate cyber risk into the overall enterprise risk profile. This is where risk quantification becomes critical.

This is driving security leaders to examine various risk quantification methodologies. The goal is to match the proper methodology to specific business and reporting requirements, and to provide the most value. The optimal risk quantification method will ideally be based upon how senior management is used to seeing risk - business, operational, strategic - to help them roll cyber risk into that mix.

Risk Data Visualization

Finally, using an integrated view of risk helps both the remediation and communication to business leaders. Using the right mix of risk quantification breakdowns (threat type and business impact in the case of CyberStrong) helps contextualize technical risk metrics in a way that can both help technical leaders prioritize remediation activities, while also conveying the risk profile to non-technical stakeholders in a credible manner.

The Foundation To a Forward-Looking Cyber Program

While traditional GRC practices are guided by checkbox compliance activities, integrating governance risk and compliance activities requires doing these activities in tandem. Given that organizations are unique and adopting myriad new technologies, customizing a risk management program to the enterprise--rather than to general compliance standards--is critical. Structuring goals around a deeper understanding of enterprise risk enables an organization to both prioritize specific risks and threats to the business, as well as convey that information to management in an actionable, credible manner. Integrating risk management and GRC begins with a paradigmatic shift in thinking, but doing so can yield substantial value to the security posture of the organization.

You may also like

Risk Register Examples for ...
on July 29, 2020

Risk registers are a widespread utility among many cybersecurity professionals that allow practitioners to track and measure risks in one place. This type of reporting can quickly ...

3 Templates for a Comprehensive ...
on July 27, 2020

What is a Cyber Risk Assessment Information security risk assessments are increasingly replacing checkbox compliance as the foundation for an effective cybersecurity program. As ...

Infographic: The Six Steps of the ...
on July 24, 2020

As many organizations begin to mature their cybersecurity program, they are shifting to a risk-based approach to security. In most cases, security leaders are no strangers to ...

3 Cybersecurity Risk Areas to ...
on July 20, 2020

2020 has brought with it immense change across the cybersecurity risk landscape. The effects of COVID-19 pandemic are still ongoing, and the opportunities for new cybersecurity ...

Alison Furneaux
Efficient Demotivation: How Black ...
on July 16, 2020

As information security shifts from a siloed function to an increasingly relied upon business function and enabler, business executives and Boards have taken a greater interest in ...

Developing Your Risk Management ...
on July 14, 2020

The scope and process for an organization seeking to implement the NIST Cybersecurity Framework (CSF) can be daunting for even the most experienced CISO to handle. Despite the ...