When U.S. financial regulatory bodies released an advance notice of proposed rule-making regarding enhanced cyber risk management standards for large and interconnected entities, conversations about the need for effective cyber risk management increased as a result. For years, the information security profession has been responsible for cybersecurity and, at times, has wrestled with how risk management principles should integrate with information security principles. While well-intentioned, this integrative approach avoids the complementarian nature of these two programs that are truly one in the same.
"An organizational risk assessment is the first step to truly understanding risk"
In order to assure clarity, it is best to define our terms. Cybersecurity centers on the protection of the confidentiality, integrity and availability of information. This includes systems, hardware and networks that process, store and transmit this information. Risk management involves understanding risk and applying the appropriate controls commensurate with the mission and goals of the organization. Like security, risk management involves governance, management, consideration of internal and external risks, and incident response.
At first glance, these two concepts may understandably appear contradictory. Yet, one implies full protection with less regard for cost or mission, while the other implies knowledge, decision-making and judgment of controls appropriate for the mission. Security purists may speak of the need to protect information at any cost, where as the risk management mindset would focus on the benefit, reward and practicality of controls weighed against business objectives.
To be clear, however, there is no contradiction. The security profession has matured significantly in the last decade; in addition to cybersecurity, it now encompasses aspects of physical, personal, data, communications and network security. These disciplines are interconnected, so a weakness in one area affects the others. In response, the inclination is to ensure all parts are “bolted” down. While this premise is correct, over the last few years, we have seen the reality of cost and benefit analysis and the significant increase of security tools influence security programs. It is just not practical to have one of every security tool available. Therefore, this reality has brought about the merging of security and risk management practices to determine risk tolerance.
Many security professionals have embraced this concept, and in fact, many would argue that this risk-based approach was always a part of the profession. There is truth to that; however, this merging has brought about a need for greater discipline in documenting risk practices. Solid risk management programs provide a formal process to understand, document and determine the organization’s tolerance of, and decide on the appropriate mitigation strategy for risk.
An organizational risk assessment is the first step to truly understanding risk. A good assessment documents the company profile—its purpose, mission and objectives, industry risks and those particular to the company based on internal and external threat, and the risk tolerance of the organization. In doing so, risk should be categorized as regulatory, reputational and in terms of threat (criminal or otherwise), and these are generally industry-specific. So, a bank, for instance, would have concerns in all three of these areas, so that being secure in one does not mean being secured in all of them. Being solid in addressing their threat does not mean they are regulatory compliant, and conversely, an organization can maintain regulatory compliance but have a negative reputation with the public. All must be addressed.
Therefore, the risk assessment should define controls that may be in place to reduce or mitigate the risk. It should also document the strategy for risk management in terms of elimination, acceptance, mitigation or transference. Within security, there are places where the strategy should be one of elimination. For instance, technology is employed that detects and seeks to eliminate a threat, a simple example of which is the elimination of all malware. In other instances, there could be a strategy of risk acceptance if the risk is deemed low or if the protection cost far outweighs the penalty.
But, why go to all this trouble if you just want to secure the environment? Well, the goal of a formal risk management program is to employ a governance framework to achieve a known and consistent state, one that can be measured, discussed and continuously improved in an organized manner over time. Additionally, a formal program provides an avenue to ensure corporate governance entities such as corporate risk committees or the board of directors has sufficient awareness of risk and what the program is doing to address it. One can then align the security program to manage agreed-upon risk and help prioritize security initiatives. The program, in essence, provides a form of corporate agreement on what the security professional should be working toward. And in that sense, it is actually liberating.
In summary, the key to solid risk management is to understand your company’s objectives, risk tolerance and risk profile, and then make risk-based decisions that meet the company’s mission and objective. The most successful programs indeed combine these concepts and principles into the security program and operate as a risk management program.