Why Take a Risk-Based (Instead of Compliance) Approach to Cybersecurity
Cybersecurity gets a bad rap when organizations develop a blind, singular focus on it as compliance with government regulations. Unfortunately, this has ingrained a “checklist” mentality that works against the primary objective of any security program: reducing risk. In this piece, we want to challenge you to take a fresh perspective on your cybersecurity program and compliance. We invite you to look at your organization’s cybersecurity from a risk-based perspective.
What is a Risk-Based Approach?
The Risk-Based approach is a systematic method that identifies, evaluates, and prioritizes the threats facing the organization. It is a customizable method that enables the business to tailor its cybersecurity program to specific organizational needs and operational vulnerabilities.
We will cover the five distinct phases of the Risk-Based approach and point out the activities, value, and outcomes derived from each.
A Risk-Based Approach to Cybersecurity in 5 Phases
Phase 1: Conduct a Business Impact Analysis (BIA)
Activity: A BIA helps you identify and document critical business processes and their underlying dependencies, as well as assess and rank them based on criticality. Technical and non-technical factors are included as dependencies (e.g. assets, personnel, data, facilities, and applications).
Value: The BIA reveals how those keystone operations and functions would impact business continuity if they were hindered or eliminated.
Outcome: Conducting a Business Impact Analysis is the first step in creating Business Continuity and Disaster Recovery plans. The BIA identifies critical business processes and their supporting elements, helping you understand your environment, and what is most important, before you take steps to protect it.
Phase 2: Perform a Risk Assessment
Activity: A Risk Assessment is a quantitative and qualitative process that identifies the threats, vulnerabilities, and regulatory requirements that apply to your business processes and their underlying dependencies. It then calculates the potential consequences if those threats were realized and produces a risk output value.
Value: The risk output value gives you and senior leadership the opportunity to understand and prioritize the different risks facing the organization. This output is one of the greatest advantages of this approach: it produces personalized metrics based on your organization, as opposed to off-the-shelf, generalized “risks” that may be neither relevant to nor protective against the specific challenges you face.
Outcome: Knowing your risk output value gives you the power to rank specific vulnerabilities in a risk register, a risk management tool that consolidates your risk assessment results in one place. The risk register provides an actionable starting point for focusing strategic resources on mitigating the risks that pose the greatest threat to your business continuity and regulatory compliance.
Phase 3: Identify and Implement Needed Controls
Activity: In this phase, you take the unacceptable risks and identify, adapt, implement, and assign responsibility for controls that would mitigate those risks. A control is an activity-based statement providing instructions on how to mitigate or minimize security risks. Examples of cybersecurity control frameworks include NIST 800-53, CIS, HITRUST CSF, ISO 27001/27002, COBIT, and PCI DSS. These are pre-packaged security controls for industry-recognized risks that can be customized for your organization.
Value: Personalized risks better enable the organization to customize control choices to meet identified vulnerabilities and threats. It also allows the organization to use compensating controls because the entire decision-making process is documented. The documentation demonstrates that the organization understands the threat that the control is supposed to cover and has adequately applied other compensating controls based on a cost-risk analysis.
Outcome: Identifying and implementing the right or required controls provides a structure and an opportunity to update or create policies and procedures that solidify and communicate the organization’s vision and priorities for its cybersecurity.
Similarly, this approach can achieve better buy-in and compliance because it creates an opportunity for dialogue with individual stakeholders who “own” the process, including support from critical mid-level management. Essentially, this Risk-Based approach gives leadership and management a compelling reason to adapt and adopt alongside potential consequences for inaction.
Phase 4: Test, Validate & Report
Activity: Once your security controls have been implemented, they need to be tested and validated.
Examples of various testing types include penetration tests, additional risk assessments, vulnerability management tests, business continuity exercises, internal audits, and compliance control assessments.
Value: Testing and validating not only give you confidence that your controls are working and providing the needed security, but, when repeated periodically, also provide opportunities to incorporate newly implemented security controls.
Now you can calculate a new risk value score, dubbed residual risk, which is documented and added to your risk register for future analysis and prioritization. Based on the investment in a new control, your risk rating could decrease, indicating an overall healthier risk profile.
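As an added example that is not part of the original article, the following Python risk register ties the Phase 2 risk output value to the Phase 4 residual risk. The article prescribes no scoring formula, so the 5x5 likelihood-by-impact scale, the risk-appetite threshold of 9, the effect each control has on likelihood or impact, and every process, threat, and control name are assumptions constructed for this example. Controls reduce the residual score only once they have been validated, which mirrors the point above that an untested control earns no credit in the register.

```python
from dataclasses import dataclass, field

# Assumed 5x5 qualitative scales (a common convention; not defined on the page).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed risk appetite: any score above this is "unacceptable" and must be treated.
RISK_APPETITE = 9


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # likelihood levels the control removes
    impact_reduction: int = 0       # impact levels the control removes
    validated: bool = False         # True only after Phase 4 testing confirms it works


@dataclass
class Risk:
    rid: str
    process: str         # critical business process identified in the BIA
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Phase 2 risk output value before any controls: likelihood x impact."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> int:
    """Phase 4 residual risk: only validated controls count, and neither
    factor can drop below 1 (a control reduces a risk, never eliminates it)."""
    lik = LIKELIHOOD[risk.likelihood]
    imp = IMPACT[risk.impact]
    for c in risk.controls:
        if not c.validated:
            continue
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik * imp


def build_register(risks):
    """Risk register rows, ranked highest inherent risk first."""
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "id": r.rid, "process": r.process, "threat": r.threat,
            "inherent": inh, "residual": res,
            "status": "unacceptable" if res > RISK_APPETITE else "accepted",
            "controls": [c.name for c in r.controls if c.validated],
        })
    rows.sort(key=lambda row: row["inherent"], reverse=True)
    return rows


def unacceptable_risks(risks):
    """Residual risks still above appetite: the escalation list for Phase 5."""
    return [row["id"] for row in build_register(risks) if row["status"] == "unacceptable"]


# Constructed sample register: hypothetical processes, threats and controls.
SAMPLE_RISKS = [
    Risk("R-01", "Order processing", "Ransomware on file server", "likely", "major",
         controls=[Control("Offline backups", impact_reduction=2, validated=True),
                   Control("Mail filtering", likelihood_reduction=1, validated=True)]),
    Risk("R-02", "Payroll", "Insider data theft", "possible", "severe",
         controls=[Control("Privileged access review", likelihood_reduction=1, validated=False)]),
    Risk("R-03", "Customer portal", "Credential stuffing", "likely", "moderate",
         controls=[Control("MFA on portal logins", likelihood_reduction=2, validated=True)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['id']} {row['process']:<18} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['status']}")
    print("escalate:", unacceptable_risks(SAMPLE_RISKS))
```

In the sample data, R-01 starts at 16 and falls to 6 once its two validated controls are credited, while R-02 stays at 15 because its only control has not yet passed testing, so it is the one item handed to the escalation path in Phase 5.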
Outcome: Your testing and validation efforts should be documented and reported. An effective reporting mechanism demonstrates your progress to executive leadership and your compliance to regulatory bodies. Effective reporting also lays the foundation for gap remediation and escalation processes, which become immortalized in the final phase.
Phase 5: Continuous Monitoring & Governance
Activity: In this last phase, your objective is to immortalize Phases 1-4 into a repeatable business process. Risk assessments should be conducted at least annually, and remediation activities need to be implemented, monitored, and incorporated into the risk register. Additionally, reporting mechanisms should be established for internal employees to identify and share potential risks to the organization. Often, managers and other employees have critical insights into weaknesses or compliance violations that may be hidden from the risk team.
Inevitably, as an organization commits to this cycle, it will discover process gaps through either poorly implemented controls or oversights in the risk identification process. Running those gaps back through the risk assessment process of Phase 2 lets you reevaluate and prioritize them.
A similar approach also applies to exceptions and exception management. If process owners cannot follow policy, a risk assessment can be completed evaluating the potential damage of non-compliance. This process will lead to a higher quality, consistent exception management process.
Value: Adhering to a cycle can ensure that any new vulnerabilities or threats are identified and addressed in a consistent and timely manner, decreasing the chances that major issues go unnoticed.
This phase creates the opportunity where employees can flag issues, notify the organization, and evaluate and assess the damage in the event of an exploitation.
Outcome: Continuous governance, over the lifecycle of the Risk-Based Approach, will drive accountability for control implementation and assessment. It creates escalation paths for difficult or non-compliant stakeholders, and it ensures consistency in control adaptation. Finally, the cycle provides an opportunity to update or create needed policies or procedural documentation and communicate changes to the organization consistently.
Taking a Risk-Based approach to your cybersecurity program, rather than a compliance-first or checklist mentality, will yield many benefits, including a personalized risk score, prioritized gaps, tailored controls, and a stronger cycle for addressing new risks and vulnerabilities.