Risk management focuses on protecting business information assets and allowing organizational leadership to make informed decisions. As well as giving the business the ability to assess, triage and minimize the likelihood of a risk being realized and to mitigate any potential impact, risk management allows the organization to weigh and leverage opportunities. There are numerous ways to achieve this, so it’s imperative that the business establishes the most effective pathway.
A clear understanding of the risks relating to the collection, processing, storing, sharing and disposal of information is key to ensuring that identified risks are managed in relation to information assets, whether its own or customer-owned. This can be determined by building up an enterprise level risk profile based on business influencing factors, including the goals and priorities of the organization, leading to a clearer understanding of acceptable and unacceptable risks.
Spoiled for choice
There are numerous well-known risk methodologies available that allow organizations to identify, quantify and support mitigation of information security risks to its data, such as ISO 27005:2011, OCTAVE Allegro, NIST (SP800-30), ISF IRAM2 and ISACA’s COBIT framework. Because of this, there’s no one-size-fits-all approach, which can make it difficult to implement an effective and beneficial enterprise-oriented risk management framework.
Organizations may utilize an inherited risk assessment methodology, or those responsible for risk management could introduce one with which they are familiar. Unless specifically mandated, the risk methodology adopted should fit the business rather than the other way around. Tailoring a risk framework to the business will benefit the business by providing accurate, timely and relevant reporting and will also help assure the leadership on how and where to focus resources. Clearly this will also need to factor in issues such as legislation, regulation, contractual obligations and the organization’s risk appetite, all of which are important elements of the risk arena.
Another approach is to consider a risk control-focused methodology, and there are numerous control baselines here, such as Cyber Essentials, Control Baselines for Information Systems and Organizations (NIST 800-53B) and ISO 27002. These can help the organization to assess the effectiveness of controls already implemented and identify any missing.
Responsiveness to risk
The second challenge with risk management is underestimating or failing to manage risk dynamically. Risk management isn’t a onetime process and needs regular attention to ensure that risk decisions are captured, reviewed and addressed primarily where specific documented triggers are met, such as business change, external influences, IT technology changes and at least at planned intervals. For these reasons, it should be regarded as a continual process.
Risk management should evolve to ensure that any systems used to collect, process or store information continue to have appropriate risk mitigation controls applied throughout their lifecycle. As always, businesses will need to contend with emerging technologies (quantum, spatial technologies, IoT, 5G) and new strategies (ESG, Internet of Behaviors, UX), so businesses need to monitor risk actively in order to keep abreast of emerging technologies and threats.
Adopting the right language
Information security risks need to be assessed based on input from appropriate sources, such as technical, data protection specialists and supporting vendors, if we are to construct an accurate risk picture. The outputs from matrix or RAG status may be effective in allowing senior management to gain an overview of identified risks but need to be articulated in a business-relative language, so that those responsible for allocating precious risk management resources are marshalled and deployed to best effect.
Those charged with the responsibility for managing information risk within the organization also need to have the right support and feel they are heard. Once processes and skills are honed, the ideal is where information risk management is integral to the point it becomes instinctive without hindering or stifling success.
Indeed, done well, risk management can help drive the business forward. It should seek to understand and manage the risks which may prevent the aims of the business from being realized and, over time, should result in repeatable “canned” mitigations that facilitate delegated risk decision making, further enabling the business to be more agile in addressing risk and more responsive to market conditions.
You can’t go wrong if you always adhere to the five Cs by ensuring commitment from senior management, contribution by appropriate SMEs, a consistent process/output/treatment, controls that are effective and appropriate and, last but by no means least, communication in a business-relevant language.