If you are responsible for corporate information security risk management, we both know your job is tough. Businesses keep generating large volumes of data, IT systems are increasingly complex, and cyber threats continue to evolve. What you have to deal with may sometimes look like an endless number of challenges, and your budget and resources might seem fare too limited to tackle all them. As an information security leader, you are expected to:
- Take a systematic approach to IT security
- Determine which risks have most impact on your organization and protect the assets that matter most
- Proactively mitigate risks and minimize damage from cyber attacks and data breaches
- Ensure your organization can recover from security incidents faster and more easily
- Justify investments in IT security to the board of directors
Having a comprehensive information security risk management (ISRM) strategy will help you overcome these challenges. Moreover, it will enable you to help senior management gain a better understanding of the organization’s current security posture and the wisdom of investing in data protection. In this post, I will share some tips about how to create an effective ISRM strategy and what a good program looks like.
What is information security risk management?
Information security risk management, or ISRM, is the process of managing the risks associated with the use of information technology. In other words, organizations identify and evaluate risks to the confidentiality, integrity and availability of their information assets. This process can be broadly divided into two components:
- Risk assessment — The process of combining the information you have gathered about assets and controls to define a risk
- Risk treatment — The actions taken to remediate, mitigate, avoid, accept, transfer or otherwise manage the risks
There are various frameworks that can assist organizations in building an ISRM strategy. One of the most common is the NIST Cybersecurity Framework; it includes the following activities:
- Identify — Activities in this group aim to develop an understanding of the cybersecurity risks to systems, people, assets, data and capabilities. Understanding the business context, current business needs and related risks helps organizations determine threats and prioritize their security efforts. Activities in this stage include asset management, governance and risk assessment.
- Protect — Organizations implement appropriate safeguards and security controls to protect their most critical assets against cyber threats. Examples of activities here are identity management and access control, promoting awareness and training staff.
- Detect — Organizations need to quickly spot events that could pose risks to data security. Usually organizations rely on continuous security monitoring and incident detection techniques.
- Respond — Organizations take action against a detected cybersecurity incident. Organizations can use the following techniques to contain the impact of an incident: response planning, communications, analysis, mitigation and improvements.
- Recover — Organizations develop and implement activities to restore capabilities or services that were impacted by a security incident. This group of activities aims at supporting timely recovery to normal operations to reduce the impact from incidents; it includes recovery planning, improvements (e.g., introduction of new policies or updates to existing policies) and communications.
Figure 1. Framework Core Structure image (from the NIST Framework for Improving Critical Infrastructure Cybersecurity, version 1.1).
What makes a good information security risk management approach?
As mentioned earlier, ISRM is an ongoing process of identifying, assessing, and responding to security risks. To manage risks effectively, organizations should evaluate the likelihood of events that can pose risk to the IT environment and the potential impact of each risk. Here are three criteria for determining whether your organization’s ISRM strategy is effective at improving your security posture:
- It ensures that unacceptable risks are being identified and addressed properly.
- It ensures that money and effort isn’t being wasted on risks that are not significant.
- It provides senior management with visibility into the organizational risk profile and risk treatment priorities to support their ability to make strategic decisions.
What are the steps for creating an effective information security risk management program?
Practice shows that a multi-phased approach to creating an ISRM program is the most effective, as it will result in a more comprehensive program and simplify the entire information security risk management process by breaking it into several stages. It will make the ISRM process more manageable and enable you to fix issues more easily. Here are five steps for building an effective information security risk management program:
Step #1. Business awareness.
First, you need to understand the organization’s business conditions, such as budget considerations, staff and complexity of business processes. You also need to consider the organization’s risk profile, with detailed description of each risk that it faces, and its risk appetite — the level of risk it is prepared to accept to achieve its objectives.
Step #2. Program definition.
Next, your organization needs to define the ISRM program. Be sure to:
- Define a prescriptive annual plan followed by a high-level three-year plan. Determine the specific goals and objectives that must be met on an annual basis. This plan should be adjusted annually to accommodate changes in business conditions and activities. When all capabilities are in place and business conditions stay the same, the typical timeframe for implementing an ISRM program is 30–36 months.
- Clearly define the point of arrival for capabilities based on management input. The point of arrival is basically a definition of the capabilities the organization would like to have in place once the program has been executed. You can identify the point of arrival by working closely with the leadership team to understand their goals regarding ISRM.
- Ensure the availability and capability of necessary staff for execution of the program. A key element of any ISRM program proper staffing. All too often, organizations do not have enough qualified staff members to achieve the objectives of their ISRM programs. Therefore, it is essential to evaluate staff availability and qualifications to ensure you can meet all the objectives.
- Gain an understanding of the organization’s culture. Implementing an ISRM program is much more difficult if the people in the organization do not support the implementation. Depending on the organization’s culture, you will need to openly discuss the ISRM program with all the interested parties, or seek guidance from senior management to drive adoption of the program.
Step #3. Program development.
In this stage, you need to define the functional capabilities and controls related to IT security and risk management (e.g., vulnerability assessment, incident response, training and communication) and the governance model that will determine who will be responsible for each area of the ISRM strategy. If you choose to outsource the implementation of ISRM capabilities to third parties, be sure consider the risks and ensure appropriate oversight by internal staff.
Step #4. Metrics and benchmarking.
In this stage, your organization needs to define the metrics to be used to evaluate the effectiveness of the ISRM strategy. Here are two best practices for this step:
- Ensure alignment with industry standards and guidelines. There are multiple standards to help you make sure your ISRM program complies with industry regulations, including COBIT, International Organization for Standardization (ISO) 27000 series and the U.S. National Institute of Standards and Technology (NIST) 800 series. I recommend considering ISO/IEC 27005:2011 and NIST Special Publication 800-37 (Revision 1), which provide detailed guidelines on how to build a risk management program. It is important to use multiple compliance standards and frameworks to identify whether your ISRM program has all necessary functions and capabilities.
- Use KPIs to measure the effectiveness of the functions and capabilities developed through the ISRM program. When developing KPIs, you need to identify the business value that you would like to gain with ISRM capabilities, and then define objective criteria that can be used to assess that value. Try to base KPI on the potential business impact and point-of-arrival guidelines, and assign dollar values where possible. This will help you connect your security posture with the business context for the organization’s leadership. Also, it is essential to identify the thresholds of what is acceptable and what is unacceptable for each KPI.
Step #5. Implementation and operation.
Finally, you should go through all the stages of ISRM (identify, protect, detect, respond and recover) and repeat them on the regular basis. It is essential for organizations to have a policy that describes all stages of ISRM, the responsibilities of employees and the schedule or conditions for reviewing the program. Major changes in your IT environment, data breaches in your industry or new cyber attacks are all valid reasons for you to look at your ISRM program with a critical eye and revise it if necessary.
Security risks are inevitable, so the ability to understand and manage risks to systems and data is essential for an organization’s success. Developing an ISRM program makes the risk management process more manageable and helps you protect your most critical assets against emerging cyber threats. If you are able to address risks and respond effectively to security incidents, you can figure out how to resist cyber threats better and reduce potential risks in the future.