Large data breaches have become fairly common, and cybersecurity is at or near the top of most companies’ risk registers. New ransomware and malware variations continue to emerge, and phishing schemes are becoming infinitely more sophisticated. Regulators both domestically and internationally have responded with cybersecurity and data privacy regulations to prescribe “good behavior.”
While complying with regulators is a minimum standard and seen as a cost of doing business, the question companies are asking is “How do I know if we’re doing enough?” The truth is that regardless of how robust a cybersecurity program is, the risk remains, as the bad actor only has to be right once. While you can’t do anything to stifle the pipeline of bad actors, there are many steps a company can take to limit its exposure.
The two prime tenets of effective cybersecurity are risk assessment and governance. Risk assessment enables an organization to define its environment, evaluate the risks specific to its business and deploy limited resources efficiently. Governance speaks to the ability to establish a framework for effectively addressing these risks in a systemic way and meet the fiduciary obligations inherent with being entrusted with sensitive data, such as consumer nonpublic information.
The foundational component of an effective cybersecurity program is an entity’s risk assessment. This is the company’s opportunity to develop a program that is scalable, sustainable and customized to its specific circumstances. The cybersecurity risk assessment process should be an ongoing process (See Graphic 1.), and include the following phases:
1. Define Threat Scenario
Use an established risk assessment framework along with a documented policy and procedure to direct the process:
2. Assess Inherent Risk
- Select risk factors and metrics that are impactful to your organization and provide a comprehensive view of cybersecurity risk to the enterprise.
- Define the IT environment, specifically using an asset-based approach focusing on non-public information (NPI) and system operations supporting the normal course of business.
- Involve all organizational stakeholders (IT, business process, risk/legal and executive), reinforcing that risk assessment and cybersecurity are not solely IT or risk-management responsibilities.
- Intake and evaluate information from relevant internal and external sources.
For each identified risk scenario, using the likelihood criteria defined, assess the inherent likelihood of each risk occurring without the impact of any internal controls or business processes. For each identified risk scenario, using the risk factors defined, assess the impact each event would have, were it to occur. Compile a risk score based on the cumulative likelihood and impact for each risk (See Graphic 2.).
3. Evaluate the Impact of Controls
For each identified risk scenario, identify all the business processes, internal controls, applications and monitoring provisions that would:
- Prevent or limit that risk scenario from occurring; or
- Reduce or transfer some or all of the risk, if that risk scenario were to occur.
Note: Take credit for the work you do, but be sure not overvalue the impact of what you are doing.
4. Assess Residual Risk
Action steps to improve
- For each identified risk scenario, using the inherent likelihood derived, assess the impact of controls that prevent or limit that risk scenario from occurring, the result being a residual risk likelihood.
- For each identified risk scenario, using the inherent impact derived, assess the impact of controls that either limit or transfer some or all of the risk, if that risk were to occur, the result being a residual risk impact.
- Compile a residual risk score based on the cumulative residual likelihood and impact for each risk (See Graphic 2).
Once the residual risk has been derived for each risk scenario, the company must analyze and interpret the results of the risk assessment. Specific questions to be asked are:
- Did we overvalue the impact of internal controls (i.e., Are we taking too much credit for controls)?
- Are the results skewed, meaning:
- Are there too many high-risk scenarios? This indicates that there are many significant risks remaining. This may result in material risks not getting adequate attention, as resources must be allocated across a larger population of significant risks.
- Are there too many low-risk scenarios? This indicates that all significant risks are covered and the residual risk is nominal. This may result in material risks not getting adequate attention or resources, as perceived low risks may not receive budget priority or management sponsorship.
Once the analysis is complete and any adjustments made, action plans must be drafted to address each critical and significant risk.
Additional concepts to consider
- These action plans should include specific actions to be completed; action owner, anticipated completion date and required resources (direct cost and employee effort in hours).
- The action plans should be aligned with the broader IT strategic plan to ensure alignment of resources and effort to maximize efficiency.
Following the phased approach outlined above will result in a comprehensive risk assessment, but there are additional concepts which must be considered. They are as follows:
- Risk is subjective, this exacerbates the need for input of multiple stakeholders and equally as important as the diversity of thought different stakeholders bring to the process. Stakeholder involvement is crucial in all phases of the risk assessment, the selection of risk factors to be used, the metrics by which the risk factors will be evaluated, the inherent/residual risk ratings, and the action plan stemming from the assessment.
- Developing metrics for risk analysis is difficult, risks may or may not distribute normally across a bell curve; however, they may skew in distribution either to the left or right and may, indicate that on the whole, risks are either overstated or understated. While risk analysis can be supported with metrics and graphs, there is still a component of risk assessment that is based on “feel,” meaning a certain risk feels like it should be high or critical, regardless of controls. This is where experience in conducting information-security risk assessment and knowledge of the current events and trends are crucial.
- Due to the level of subjectivity in risk, there is value in conducting an independent quality review of the risk assessment. An objective reviewer can challenge the risk ratings and impact of internal controls, and can help identify potential blind spots, missing risks, unsupported risk ratings and internal controls for which the impact is either overvalued or undervalued.
Effective cybersecurity is an organizational effort. Done well, cybersecurity involves the:
- Information technology group that builds, deploys and manages the enterprise systems
- Information security team that protects the systems and monitors activity
- Business units that own the customer relationships, the underlying systems and data
- Executive management and the board that have the fiduciary duty to protect sensitive information
- Legal and compliance group that is responsible with ensuring compliance with all applicable laws and regulations
- Risk-management team that understands the risk assessment process and has access to the tools and templates to be deployed
Involving the stakeholders above throughout the risk assessment process will ensure all significant risks are identified, adequate information is used, relevant internal controls are identified and the resulting plan is realistic. Once the cybersecurity risk assessment is completed, the cybersecurity program should be updated to address the key risks and the IT/cybersecurity calendar should be updated to integrate the planned action steps. The results from the risk assessment and the updated strategic plan should be presented to executive management and the board to ensure executive sponsorship and appropriate engagement in maintaining their fiduciary duty of protecting customer and employee nonpublic information.
Effective cybersecurity management requires organizational alignment, a systemic approach and the efficient deployment of highly skilled resources. A cybersecurity risk assessment is the foundation for that effective cybersecurity program.