The rise of the Internet and technology has made our lives easier, but it has also exposed new vulnerabilities that cybercriminals can exploit.

Without proper information security measures, organizations are vulnerable to data breaches and to the often significant financial consequences that come with them.

So risk management is back, although it never went away. “Never gone away” because it is a critical component of cyber security in organizations and of any cyber security strategy that stems from it.

“Back” because risk management is mentioned by name in the NIS2 directive, making it a legal requirement as well.

Now, many standards have been written about risk management, books have been published, and courses are available, but sometimes it does no harm to start from the basics.

Whereas the intricacies of risk management are a specialization, the basics are fairly simple.

In this article, we will review the core principles of risk management in cyber security, giving you an immediate insight into the legal obligation surrounding risk management in the context of NIS2.

What is the importance of cyber security?

Why should you do cyber security for your business?

Because it’s a legal obligation, we hear you thinking.

That’s perfectly right, of course, but normally a legal obligation stems from something rational. Risk management is no different: it helps, and compels, an organization to first identify where things can go wrong.

In other words, don’t immediately jump on the latest cybersecurity tool or the Chief Information Security Officer’s (CISO) “pet project.” Instead, take a step back and look as objectively as possible at which risks the organization is exposed to, such as cyber-attacks, malware, phishing, ransomware, social engineering, DDoS attacks, or other vulnerabilities, in order to determine the measures that are most necessary.

This need not immediately devolve into an endless administrative overhead; risk management can safely be simple and pragmatic. Below we name the three essential phases for performing risk management.

#1 Identify risks

It starts with proactively identifying cybersecurity risks, or in other words, mapping the risks your organization faces across its systems and data. There is no official way to do that, and the NIS2 directive leaves you free to fill it in yourself.

Brainstorming sessions by department? Brown paper sessions with management? Excel sheets with questions mailed around?

Any of these is fine, but remember that it’s best to find a way to make risks specific. While existing risk lists found online can be a useful source of inspiration, focus on the risks that are relevant to your organization and on the weaknesses your organization actually has.

Not unimportant: the art of formulating a risk as a “risk statement.”

Such a risk statement is one or two sentences that summarize a risk and should be written in such a way that it is clear even to laymen why this risk is a risk.

At the very least, a risk statement should be able to answer the “so what?” question: what is the impact of this risk?

For example:

  • The risk of a data breach in our application. Here the answer to the “so what?” question is missing.
  • The risk of a data breach in our application that could expose corporate data publicly and result in reputational and financial damage to the organization, leaving us open to claims for damages. Here the “so what?” question is answered.

Even though both statements name the same risk, the second one does a much better job of describing why that risk is worth addressing.

#2 Assess risks

You end the previous step with a list of cybersecurity risks. But which of those risks are you going to address? Doing everything at once is not an option; after all, CISOs do not live in a world of unlimited resources.

So, choices will have to be made, and assessing risks will help you determine which risks are bigger than others.

Classically, we look at two aspects of a risk for this purpose: impact and likelihood.

How big is the damage if this risk occurs, and how big is the probability of it occurring?

A risk that may have a large impact but is likely to occur only once every few years may be given a lower priority than a risk with a lower impact but which is likely to occur regularly.

Important at this stage is determining the criteria you use to assess risks and ultimately assign a certain score.

Scores come in all varieties: from the classic Low, Medium, and High to scales of 0-100. For both likelihood and impact, you will have to provide objective and repeatable criteria for each score (for the classic scale: what counts as High, Medium, and Low).

In other words, what makes the impact of a risk High? How does it differ from Medium? If person X rated a risk today, they should have about the same score as person Y, who did it yesterday.
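To make “objective and repeatable criteria” concrete, here is a small added example (not from the original article) that derives Low/Medium/High ratings for impact and likelihood from measurable inputs and ranks a constructed risk register; the thresholds, risks and figures are assumptions chosen for illustration, and the register also carries an expected annual loss as the quantitative alternative to a matrix score.

```python
from dataclasses import dataclass

RATING_VALUE = {"Low": 1, "Medium": 2, "High": 3}

def rate_impact(damage_eur: float) -> str:
    """Impact rating from estimated damage per occurrence (assumed thresholds)."""
    if damage_eur >= 500_000:
        return "High"
    if damage_eur >= 50_000:
        return "Medium"
    return "Low"

def rate_likelihood(events_per_year: float) -> str:
    """Likelihood rating from expected occurrences per year (assumed thresholds)."""
    if events_per_year >= 1.0:
        return "High"
    if events_per_year >= 0.2:  # about once every five years or more often
        return "Medium"
    return "Low"

@dataclass
class Risk:
    statement: str          # a risk statement that answers "so what?"
    damage_eur: float       # estimated damage if the risk occurs once
    events_per_year: float  # expected frequency of occurrence

    def impact(self) -> str:
        return rate_impact(self.damage_eur)

    def likelihood(self) -> str:
        return rate_likelihood(self.events_per_year)

    def score(self) -> int:
        # Classic impact x likelihood matrix, giving a value from 1 to 9
        return RATING_VALUE[self.impact()] * RATING_VALUE[self.likelihood()]

    def annual_loss(self) -> float:
        # Quantitative alternative to the matrix: expected loss per year
        return self.damage_eur * self.events_per_year

def rank_risks(register: list) -> list:
    """Highest matrix score first; ties are broken by expected annual loss."""
    return sorted(register, key=lambda r: (r.score(), r.annual_loss()), reverse=True)

# Constructed register for illustration; the figures are made up.
REGISTER = [
    Risk("Data breach in our customer application exposing corporate data, causing "
         "reputational and financial damage and exposure to damage claims", 2_000_000, 0.1),
    Risk("Phishing e-mails leading to stolen staff credentials and fraudulent payments", 60_000, 4.0),
    Risk("Theft of an unencrypted laptop leading to loss of limited internal documents", 20_000, 0.5),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score()} ({r.impact()} impact, {r.likelihood()} likelihood): {r.statement}")
```

Because the ratings are computed from the same thresholds, two assessors who agree on the input figures get the same score, and the rare but severe breach ranks below the frequent, moderate phishing risk, exactly the situation described above.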

#3 Treat risks

OK, we now have not only a list of risks but also a rating for each of them. We know which risks are higher and therefore which ones we should treat first, where treating basically means deciding what we are going to do about each risk.

There are four ways to treat risks. We list them in order of preference.

  1. Avoid risk: you do something that makes it impossible for the risk to occur. Ideal, of course, but not always an option.
  2. Transfer risk: the risk remains, but you ensure someone else takes care of it. Insurance and outsourcing are two common ways to transfer risk.
  3. Mitigate risk: the most common way to handle risk. You take measures that reduce the impact or the likelihood of a risk, making the risk (much) less severe.
  4. Accept risk: while this is not a good default method for dealing with risk, as a final step after taking other measures you may well accept some “residual risk.”

Once these three stages are completed, you have laid the foundations of good risk management. Of course, implementing the risk treatments is now crucial, so we’ll end with a few concrete tips:

  • Properly determine who implements the chosen treatment, the so-called “risk owner.”
  • Attach deadlines that are as specific as possible and ensure they are met. After all, the danger of a paper exercise that keeps stalling is great.
  • Certainly do not consider risk management a one-time exercise: it is continuous, and a somewhat more formal validation of the above phases should take place, on average, once a year.

Should you start your career as a CISO or deepen your knowledge as a CISO? You can do so with our CISO training, which consists of 7 modules in 2 days.
