Development of the risk management program 101

Identifying and eliminating risks is one of those concentrations within cybersecurity that tends to create anxiety among cybersecurity professionals. Identifying risks (through risk assessments or other means), risk scoring, risk monitoring and remediation can seem like an overwhelming task for many organizations. Many organizations don’t even know where to start, let alone how to operationalize and communicate cybersecurity risks holistically. A successful risk management program requires a solid foundation with these three pillars: cohesive strategy, framework mapping and adoption, and ownership and accountability. Once these three pillars are in place, it comes down to execution and project management skills. Once they are built, you can continue to build more complex structures on top of your strong risk management program. Remember, Rome was not built in a day.

Strategy

Strategy is the first step and is often the most difficult, especially if your organization is new to cyber risk management. It should be short, use everyday language, and be easily understood by everyone. Ideally, the strategy should be driven from the board down, but this is not always the case and depends on the maturity of your programs. Your security and risk management strategy should be guided by organizational goals and the threats that are of greatest concern to your board and management. Once this is done, you can identify the controls and implementations you need to focus on given the threats and goals of your organization. From there, you need to define the KPIs and measures of success. This is not a set of project plans, but a 10,000-foot view of how and when you intend to achieve your goals. Ultimately, your organization will always have risk, but a baseline needs to be established to determine what you should focus on in your risk management and remediation program. Without this element of strategy, it becomes increasingly difficult to drive remedial behavior and to prioritize remediation efforts.

Mapping and adoption of the framework

The multitude of extremely comprehensive cybersecurity frameworks can be overwhelming, including NIST CSF, the NIST 800 series, ISO, CIS, FAIR, OWASP, HITRUST and many more. It is important not to be overwhelmed by controls and frameworks, but to find one or more that fit your organizational strategy and goals. Why not run a strict NIST “shop” or a program based solely on CIS? Risk management at its core is sales work. You need to sell your organization’s leadership on investing in technologies, people, processes and programs to avert a disaster that might happen – a job further complicated by the inability to prove that a specific control implementation prevented a security breach or event.

Each framework has its own advantages and disadvantages. The CIS Top 20 is an excellent framework to help prioritize remediation and is very accessible to a wide audience. You can use CIS to create a very useful visual for executives and sell the risk remediation projects that need to be addressed first. NIST 800-53, 800-30 and 800-37 are excellent framework tools for operationalizing the “how” within your risk and cybersecurity teams. NIST CSF is a great framework for establishing the baseline and ongoing maturity of your security program and the overall security health of your organization; it can also help explain the timeline of a security event, which is useful for some executives. FAIR is a fantastic tool for quantifying risk and assigning tangible amounts to it, instead of the sometimes nebulous impact × probability scale.

It’s easy to get drawn into a framework and try to choose the one that best suits all needs; but remember that your goal is to create a culture of security and privacy, not just to implement the latest and greatest technology or an updated framework. A great strategy to employ is to assess what matters to your organization. Is your organization regulated by HIPAA? Do you have PCI to take into account? Map your regulatory requirements, coach your executives on what applies to those requirements, and choose what you think is most easily understood by your organization and its leaders. Start small and grow as you continue to mature and identify gaps or needs within your risk management program.

Ownership and accountability

Your risk management program will fail if the risks you identify have no one to own them and therefore no one to be held accountable for their resolution or mitigation. We hear so often that “security is everyone’s business,” and this could not ring truer than with the implementation of a risk management program.

If you cannot determine who in your organization should own a particular identified risk, all subsequent efforts languish and die. Once you’ve identified a risk to track in your risk register, the critical first step is to establish and document ownership. Once you establish the risk owner, accountability, tracking and remediation can proceed. Ownership and accountability can be tricky depending on the culture of your organization. Accountability can sometimes carry a negative connotation. What you don’t want is people avoiding your team or your program because you are seen as the informant who gets everyone in trouble. Make sure the other teams understand you are there to help move the organization forward and together avoid disaster. Be the team that other teams feel they can count on, and help them navigate IT. It forms a beneficial relationship for everyone involved.

Project management

Now that you have built the three pillars, it is time to work with your teams to build the project plans around the implementation of the program; this can be done in phases over a long period of time, depending on the investment. Ultimately, an effective risk management program that leads to remediation in an organization comes down to project management. How you choose to operationalize this piece really boils down to status checks with risk owners, creating dashboards or reports, and effective communication with leaders and risk owners. Your risk management program team will become the liaisons and shepherds of remediation, not only ensuring that risk owners are held accountable, but also acting as subject matter experts and, in some cases, helping them navigate the organization to accomplish remediation. Much like establishing ownership, if a steady reporting cadence is not established, most, if not all, remediation efforts will drag on and you will not meet the goals stated in your strategy.

It’s also important to mention that so far we haven’t specifically called for the use of governance, risk management and compliance (GRC) technology. While implementing your risk management program benefits from a GRC tool, if you follow the basics outlined above, you can absolutely have a successful risk management program without any GRC tools. In many cases, it is advisable to develop your program first and then move on to tool selection, so that you know what to expect from the tool, which can save valuable funding that you may need for other controls.

Risk management is a critical activity in driving the security posture of your organization. Developing programs can seem daunting, but it’s important to remember that risk management is iterative and will continue to evolve as your organization matures. Start with a strategy, then establish a framework, apply ownership and add project management, and you have the recipe for a successful risk management program.
