Most security companies will tell you that the 5 steps to developing your risk management program go something like this…
- Identify critical assets
- Identify risks
- Plan for attack
- Review your controls
- Implement cybersecurity awareness training
This approach is outdated and usually results in a list of architectural assets and vulnerabilities rated by criticality. The problem is that most of these decisions are being made from an operational perspective. This approach guarantees there will always be a gap and friction between operations and senior leaders.
A better approach is one that is truly driven by leadership and organizational priorities.
Here’s a better approach.
- Understand and align risk appetite to business priorities
- Build a culture that embraces security
- Identify the weaknesses most likely to be leveraged by an attacker against you
- Forecast the risks most likely to cause a loss (operations, financial or reputation)
- Develop mitigations and prioritize resources
This approach eliminates the gap and friction with leadership. It streamlines efforts and brings the entire organization into the fold of security. It also ensures you have leadership support, which makes everything easier.
Don’t just educate about cyber risks; build a culture around security. Training may raise awareness, but a culture provides positive feedback and eliminates the undesirable (risk).
If you don’t know which weaknesses are most likely to be leveraged against you in an attack, you really don’t know your own state of security. It’s not enough to use an industry-provided rating, you must understand how each weakness relates to your environment and more specifically your business priorities. It’s your business after all.
Forecasting risk is an intellectual exercise in “what if” (albeit one that uses sophisticated mathematical models and methods). This process opens the door to analysis, which is where you will uncover the deep insights you need to effectively manage risk.
Only after you know your weaknesses, and have forecasted the risks can you truly be in a position to prioritize resources and implement mitigations. Without the prior steps, you’re really just shooting in the dark. Why not get a laser-focused view of your risk?
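As an added illustration of the forecast-then-prioritize steps above (this is example code written for this page, not a model from the author or from FISMACS), the block below runs a small "what if" loss forecast: each risk scenario gets an assumed annual event frequency and an assumed range for the loss per event, a Monte Carlo simulation produces the distribution of annual loss, and the scenarios are ranked by expected annual loss and checked against a leadership-set risk appetite. The scenario names, frequencies, loss ranges and the appetite figure are all constructed placeholders, and the Poisson/lognormal modelling choice is an assumption, not something the page prescribes.

```python
import math
import random

# Constructed sample scenarios (hypothetical numbers, not figures from the page).
# loss_p10 / loss_p90 are the assumed 10th and 90th percentile loss per event.
RISKS = [
    {"name": "phishing-led credential theft", "freq_per_year": 2.0,
     "loss_p10": 20_000, "loss_p90": 200_000},
    {"name": "ransomware on file servers", "freq_per_year": 0.3,
     "loss_p10": 150_000, "loss_p90": 2_000_000},
    {"name": "vendor data exposure", "freq_per_year": 0.5,
     "loss_p10": 10_000, "loss_p90": 100_000},
]

# Hypothetical annual loss leadership is willing to tolerate from any single scenario.
RISK_APPETITE_ANNUAL = 250_000

Z_90 = 1.2816  # standard-normal quantile for the 90th percentile


def loss_params(risk):
    """Fit a lognormal loss-per-event distribution to the assumed p10/p90 range."""
    lo, hi = math.log(risk["loss_p10"]), math.log(risk["loss_p90"])
    mu = (lo + hi) / 2
    sigma = (hi - lo) / (2 * Z_90)
    return mu, sigma


def analytic_expected_annual_loss(risk):
    """Closed-form expected annual loss: frequency * mean loss per event."""
    mu, sigma = loss_params(risk)
    return risk["freq_per_year"] * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_loss(risk, trials, rng):
    """Return one simulated annual loss per trial for this scenario."""
    mu, sigma = loss_params(risk)
    losses = []
    for _ in range(trials):
        events = poisson(rng, risk["freq_per_year"])
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def forecast(risks, appetite, trials=20_000, seed=7):
    """Rank scenarios by expected annual loss and flag those whose 95th
    percentile annual loss exceeds the risk appetite."""
    rng = random.Random(seed)  # fixed seed so the forecast is reproducible
    results = []
    for risk in risks:
        losses = sorted(simulate_annual_loss(risk, trials, rng))
        expected = sum(losses) / trials
        p95 = losses[int(0.95 * trials)]
        results.append({
            "name": risk["name"],
            "expected_annual_loss": expected,
            "p95_annual_loss": p95,
            "exceeds_appetite": p95 > appetite,
        })
    return sorted(results, key=lambda r: r["expected_annual_loss"], reverse=True)


if __name__ == "__main__":
    for row in forecast(RISKS, RISK_APPETITE_ANNUAL):
        flag = "EXCEEDS APPETITE" if row["exceeds_appetite"] else "within appetite"
        print(f'{row["name"]:32s} expected {row["expected_annual_loss"]:>12,.0f} '
              f'p95 {row["p95_annual_loss"]:>12,.0f}  {flag}')
```

The ranking tells you where mitigation budget buys the most expected-loss reduction, while the appetite flag separates scenarios leadership has already said it will not tolerate from those that merely look bad on a severity rating. Replace the constructed inputs with frequency and loss estimates grounded in your own environment and business priorities; the point of the exercise is that the numbers are yours, not an industry-provided rating.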
If you are wondering where to begin, reach out for a free consultation and advice. No sales, no hassles, no worries. Charlene@fismacs.com
Charlene Deaver-Vazquez - Helping new CIO/CISOs measure, manage and communicate risk. Schedule a quick chat: https://www.fismacs.com/contact