Why Risk Management is a critical component

  • Sean Power
  • January 10, 2025

Why Risk Management is a critical component

Ask 10 security professionals how much protection an organization needs and you'll get 12 different answers.  Each of those answers is right for some organization, but what is right for you and your organization depends on how much risk you are willing to carry.  The right amount of protection balances against the amount of risk your organization is willing to accept, and that is an answer that has to come from within your organization, from the management team, not from the IT, Operations, or Security teams.

By instituting Risk Management policies you will have an evolving and comprehensive analysis of the strengths and weaknesses of your organization's security posture and of where your vulnerabilities lie in the current threat landscape.  With a Risk Management Program in place you can instead ask "What protection do I need to protect these systems from those threats?", a question that will get much more consistent answers.

Creating a Risk Management Program

A Risk Management Program, while influenced by and ultimately implemented by Information Technology, is in fact a management policy.  As a policy, it is prudent to define the program in terms of objectives, strategy, and desired outcomes, and to refrain from requiring specific technologies, methodologies, or implementations.  By separating objective from implementation you create a much more flexible program, one that can quickly adapt to emerging technologies and threats.  After all, it will almost always be faster to roll out a new technology than to change a business policy AND roll out a new technology.

Executive Summary

The Executive Summary exists so that readers can, at a glance, determine if and why the policy applies in a given situation.  It should be concise and cover three main points: why the program is required, which organizational units are subject to it, and what the desired outcomes of a successful program are.  These three points are generally referred to as the Purpose, Scope, and Key Goals.

  • Purpose: Define the purpose of the cybersecurity risk management program, including its importance in protecting the organization’s assets, reputation, and operational integrity.
  • Scope: Outline the scope of the program (e.g., all internal networks, applications, cloud infrastructure, employee endpoints).
  • Key Goals: Ensure business continuity, protect sensitive data, manage compliance requirements, and mitigate risks from both internal and external threats.

Governance and Leadership

As previously stated, the Risk Management Program is foremost a matter of policy rather than implementation, so a successful program needs to be driven by leadership.  The policy should outline specific roles and responsibilities for the creation and maintenance of the policies, their implementation, and the periodic review of the program.  At this level, specific procedures should be referenced only at a high level and as external documents, to maintain the separation between policy and implementation and, just as with specific technologies, to preserve as much flexibility as possible for updating and improving procedures.

Risk Assessment and Threat Identification

After defining "Why" and "Who", the next section of the Risk Management Policy should define "What" is to be protected from "Which" threats.  The answers are usually captured as Asset and Threat inventories.  Your asset inventory can include hardware, software, processes, and even personnel that are critical to the successful operation of the organization.  As above, the specifics of these lists should live in separate documents; the policy should define the purpose for, scope of, and required information within each inventory.

  • Asset Identification: Create an inventory of critical assets (data, systems, applications, and infrastructure).
  • Threat Landscape: Identify common cybersecurity threats, such as:
    • DDoS Attacks: Distributed Denial-of-Service, which targets network availability.
    • Malware: Viruses, ransomware, Trojans, and spyware.
    • Phishing and Social Engineering: Attempts to trick employees into disclosing sensitive information.
    • Insider Threats: Risks from employees or contractors who intentionally or unintentionally expose data.
    • Advanced Persistent Threats (APTs): Prolonged, targeted attacks aimed at stealing intellectual property or other high-value data.
    • Data Breaches: Unauthorized access to personal or sensitive data.
    • Vulnerabilities in Software/Hardware: Known vulnerabilities in applications, operating systems, or IoT devices.
  • Threat Modelling: Use a framework such as MITRE ATT&CK to categorize the tactics and techniques an attacker would use against each asset, so that threats are described in consistent terms across assessments.

Risk Analysis and Evaluation

With the asset and threat inventories defined above, you will need to conduct periodic risk analysis.  This is not a one-time task, and each execution of the analysis will result in documents external to the Risk Management Policy.  Within the policy you should clearly articulate the frequency of these analyses as well as a consistent analysis framework, so that results from different periods can be compared.

  • Likelihood and Impact Assessment:
    • Likelihood: Assess the probability of different threats occurring (low, medium, high).
    • Impact: Evaluate the potential impact on the organization (financial loss, reputational damage, operational disruption).
  • Risk Matrix: Create a risk matrix that categorizes threats based on likelihood and impact, helping prioritize which risks require more immediate attention.
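The likelihood and impact scales and the risk matrix above are easiest to keep consistent between assessments when the scoring rule is written down once. The following is an added example (not code from the original article or from Link11) of a small risk register scored on a 3x3 matrix, ordered for treatment, and checked against the review cadence the policy requires. The 3x3 scales, the band thresholds, the 90-day review interval, the fixed "today" and the sample register are all assumptions chosen for illustration; a real policy sets its own.

```python
"""Risk matrix scoring with a review-cadence check.

Added example, not code from the original article or from Link11. The 3x3
scales, band thresholds, review interval, reference date and sample
register are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Ordinal scales for the article's likelihood / impact assessment (low, medium, high).
LIKELIHOOD: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
IMPACT: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Policy-level parameters (assumed values).
REVIEW_INTERVAL = timedelta(days=90)            # how often each entry must be re-assessed
REFERENCE_DATE = date(2025, 1, 10)              # fixed "today" so the example is reproducible
BAND_THRESHOLDS = [(6, "critical"), (3, "elevated"), (1, "acceptable")]


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: str
    impact: str
    last_assessed: date

    @property
    def score(self) -> int:
        """Matrix score = likelihood x impact, in the range 1..9."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def band(score: int) -> str:
    """Map a matrix score to a treatment band: 6-9 critical, 3-4 elevated, 1-2 acceptable."""
    for floor, name in BAND_THRESHOLDS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first. At equal score, higher impact wins: a medium-likelihood /
    high-impact risk outranks a high-likelihood / medium-impact one, because impact
    is the factor you cannot reduce after the event has happened."""
    return sorted(register, key=lambda r: (-r.score, -IMPACT[r.impact], r.asset))


def overdue(register: List[RiskEntry], today: date = REFERENCE_DATE) -> List[RiskEntry]:
    """Entries whose last assessment is older than the policy's review interval."""
    return [r for r in register if today - r.last_assessed > REVIEW_INTERVAL]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    RiskEntry("customer-db", "data breach", "medium", "high", date(2024, 9, 1)),
    RiskEntry("public-web", "DDoS", "high", "medium", date(2024, 12, 15)),
    RiskEntry("hr-laptops", "phishing", "high", "high", date(2024, 11, 20)),
    RiskEntry("build-server", "insider", "low", "medium", date(2024, 12, 1)),
    RiskEntry("intranet-wiki", "malware", "low", "low", date(2024, 6, 30)),
]


def report(register: List[RiskEntry], today: date = REFERENCE_DATE) -> List[str]:
    """One line per risk in priority order, flagging entries whose assessment is stale."""
    stale = set(overdue(register, today))
    lines = []
    for r in prioritize(register):
        flag = " (assessment overdue)" if r in stale else ""
        lines.append(f"{band(r.score):>10} {r.score} {r.asset}/{r.threat}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER)))
```

The tie-break in prioritize is the part worth arguing about inside your own organization: the matrix alone says a "high x medium" and a "medium x high" risk are equal, and the policy should state which one gets attention first. The overdue check is what turns "periodic" into something auditable.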

Furthermore, you will want to establish procedures for periodic proactive assessment of your security posture, both for continuous improvement and to discover potential vulnerabilities before they are exploited.

  • Vulnerability Assessment: Conduct regular vulnerability scanning and penetration testing to identify gaps in defenses.

Risk Mitigation Strategies

Which specific threats need mitigation strategies will largely be a natural byproduct of the risk analysis above and of any applicable regulatory requirements (PCI-DSS, GDPR, etc.).  At a minimum, you will probably want to require the organization to maintain up-to-date strategies for the following:

  • DDoS Protection:
  • Endpoint Security:
    • Deploy endpoint protection platforms (EPP) to safeguard devices from malware and viruses.
    • Regular patching and updates to fix known software vulnerabilities.
  • Network Security:
    • Use firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
    • Implement secure virtual private networks (VPNs) for remote access.
    • Segregate sensitive systems using network segmentation to limit the impact of attacks.
  • Email Security:
  • Access Management:
    • Use role-based access control (RBAC) to limit data access to authorized personnel.
    • Regularly review access rights and remove inactive users promptly.
    • Enforce MFA for critical systems and data.

Incident Response and Recovery

More so than any other document that results from the Risk Management Program, an Incident Response Plan (IRP) should be continuously updated.  In addition to the periodic review and update, there should be a post mortem after each incident in which the IRP is updated with lessons learned.  The IRP is not a single document; there should be a general IRP as well as a specific IRP for each threat that scored high in the risk assessment.  There should also be a requirement to create an IRP for any new threat identified during an incident post mortem.

  • Incident Response Plan:
    • Develop a detailed incident response plan (IRP) with clear roles and responsibilities.
    • Define specific procedures for handling different types of attacks, including DDoS, data breaches, and malware infections.
    • Establish a communication protocol for notifying stakeholders, employees, and customers.
  • Business Continuity and Disaster Recovery (BC/DR):
    • Ensure that backup systems are in place and regularly tested to recover from DDoS attacks, ransomware, or data breaches.
    • Develop and test business continuity plans for operational resilience during cyber incidents.
  • Lessons Learned: After any security incident, conduct a post-incident review to identify areas for improvement.

Monitoring and Detection

Effective IT security is not a set-it-and-forget-it proposition.  The threat landscape is continuously evolving, and continuous monitoring and early detection are key to maintaining a strong security posture.  The Risk Management Policy should outline the purpose for, minimum requirements of, and expected results from your organization's monitoring and detection efforts.  Typically this will include:

  • Security Information and Event Management (SIEM):
    • Implement a SIEM solution for continuous monitoring, correlation, and analysis of security events across the network.
  • Threat Hunting:
    • Regularly conduct proactive threat hunting to identify potential threats before they escalate.
  • Security Audits:
    • Schedule regular internal and external audits to assess the effectiveness of cybersecurity measures.
  • DDoS Detection:
    • Implement real-time monitoring tools for identifying DDoS attack patterns, such as unusual traffic spikes or malformed packets.
  • Performance Metrics: Define key performance indicators (KPIs) for the cybersecurity program, such as response and recovery times.
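The "unusual traffic spike" pattern mentioned under DDoS Detection above is simple to state and easy to get wrong in practice: a single-second burst should not page anyone, and an attack that lasts longer than the baseline window must not be allowed to become the new baseline. The following is an added example (not code from the original article or from any Link11 product) of a per-second request-rate detector that handles both cases. The window length, the spike multiplier, the sustain count, the minimum rate and the constructed traffic series are assumptions chosen for illustration.

```python
"""Traffic-spike detector for volumetric DDoS, run over a constructed request-rate series.

Added example, not code from the original article or a Link11 product. WINDOW,
MULTIPLIER, SUSTAIN, MIN_RATE and the sample series are assumed values.
"""
from statistics import median
from typing import List, Optional, Tuple

WINDOW = 30        # seconds of *normal* history used as the baseline
MULTIPLIER = 4.0   # a second is suspicious when its rate exceeds MULTIPLIER x baseline
SUSTAIN = 3        # consecutive suspicious seconds before an episode is declared (hysteresis)
MIN_RATE = 200     # absolute floor, so a near-idle baseline cannot trigger on tiny noise

Episode = Tuple[int, int, int, float]   # (start_second, end_second, peak_rate, baseline)


def detect_episodes(rates: List[int]) -> List[Episode]:
    """Return one episode per sustained spike in a per-second request-rate series.

    The baseline is the median of the last WINDOW seconds that were judged normal.
    Suspicious seconds are excluded from that history, so a flood lasting longer than
    WINDOW cannot raise the baseline and silence its own alert. The median (rather
    than the mean) keeps a stray burst from skewing the baseline even if it slips in.
    """
    clean: List[int] = []           # history of normal samples only
    episodes: List[Episode] = []
    streak = 0
    current: Optional[list] = None  # mutable [start, end, peak, baseline] while an episode is open

    for t, rate in enumerate(rates):
        if len(clean) < WINDOW:
            clean.append(rate)      # warm-up: no detection until a full baseline exists
            continue
        baseline = median(clean[-WINDOW:])
        suspicious = rate >= MIN_RATE and rate > MULTIPLIER * baseline
        if suspicious:
            streak += 1
            if streak == SUSTAIN:   # the streak just became long enough: open the episode
                start = t - SUSTAIN + 1
                current = [start, t, max(rates[start:t + 1]), baseline]
            elif streak > SUSTAIN:  # extend the open episode
                current[1] = t
                current[2] = max(current[2], rate)
        else:
            if current is not None: # traffic returned to normal: close the episode
                episodes.append(tuple(current))
                current = None
            streak = 0
            clean.append(rate)      # only normal seconds feed the baseline

    if current is not None:         # series ended while still under attack
        episodes.append(tuple(current))
    return episodes


def constructed_series() -> List[int]:
    """Constructed sample, not captured traffic: ~100 rps for 100 s, one isolated
    burst at t=40 (should be ignored), and a 20 s flood from t=70 (should alert)."""
    base = [95, 102, 98, 110, 100, 97, 105, 99, 101, 96] * 10
    base[40] = 800
    for t in range(70, 90):
        base[t] = 2000 + 150 * (t - 70)
    return base


if __name__ == "__main__":
    for start, end, peak, baseline in detect_episodes(constructed_series()):
        print(f"DDoS episode t={start}..{end}s peak={peak} rps baseline={baseline} rps")
```

Two design choices carry the weight here. Excluding suspicious seconds from the baseline history means the detector keeps alerting for as long as the flood lasts, but it also means a legitimate step change in traffic (a product launch, say) will look like an attack until someone re-baselines; the policy should say who is allowed to do that. The sustain count trades a few seconds of detection latency for far fewer false pages, and that trade-off is exactly the kind of "response time" KPI the next paragraph recommends tracking.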

When defining key performance metrics, focus on metrics within your control that promote the improvement you want to see.  For example, while "Number of Attacks" is a tempting metric, it is outside your control (and therefore measures nothing you are doing) and it encourages under-reporting of incidents.  Time to detect, time to respond, and time to recover, by contrast, measure your program rather than your attackers.

Training and Awareness

Employee training is a critical aspect of any security policy, and never more so than for those in leadership positions.  Consequently, a requirement for training and security awareness at all levels of the organization (not just within IT) is a critical component of the Risk Management Program.

  • Employee Training:
    • Conduct regular training on recognizing phishing emails, safe internet practices, and social engineering tactics.
    • Run simulated DDoS and cyberattack drills to familiarize employees with response protocols.
  • Security Awareness Program: Develop a continuous program to keep employees informed about new threats and best practices.
  • Executive and Board-Level Awareness: Ensure that leadership understands the cyber risk landscape and is involved in high-level decision-making.

Compliance and Legal Considerations

While specific regulatory compliance requirements are usually mentioned in the Executive Summary, they need to be a constant consideration in each subsequent section and in each document that makes up the Risk Management Program.  Furthermore, a key and often overlooked aspect of this is maintaining a program to evaluate and mitigate the risks of using third-party services, and ensuring that any third-party processors remain compliant.

  • Regulatory Requirements: Ensure that the cybersecurity program complies with relevant regulations (GDPR, HIPAA, CCPA, PCI-DSS).
  • Data Privacy: Develop data protection policies in line with privacy regulations and ensure that sensitive information is adequately secured.
  • Third-Party Risk Management: Assess the cybersecurity posture of third-party vendors and ensure contractual obligations around data security are in place.

The right amount of protection

While it is no small undertaking, a robust Risk Management Program will produce results that far exceed the efforts it takes to implement and maintain.

  • You will be able to react to and recover from incidents faster.
  • You will be able to reduce both risk and security costs by focusing security efforts where they are most needed.
  • And you will have ongoing assurance that your security efforts are producing real and measurable results.