Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple public sector IT transformation projects, shares his thoughts on what makes a successful cyber security risk awareness strategy.
Risk management involves identifying, assessing, mitigating, and planning for potential events that could impact a business.
This article explores risk management in practice including the difference between operational and project risk. It highlights characteristics of poor risk management and the priorities for a successful cyber risk awareness strategy.
It emphasizes the dynamic nature of cyber risks, the need for constant vigilance, and the importance of practical training, communication, and proactive measures to mitigate risks.
Risk management involves:
- Identifying possible future events which could impact the business.
- Assessing the probability of each materializing and the size of the potential impact.
- Identifying possible mitigation actions to reduce the probability or impact.
- Preparing contingency plans to recover after a risk has materialized.
- Deciding, at the appropriate time and given the risk level then, whether carrying out the mitigation tasks is worth it, and applying them if so.
Risk management in practice
A practical example of risk management is pouring concrete for building foundations. If more than a certain amount of rain falls within 24 hours, the foundations may be ruined. After identifying such a risk, we need to assess the likelihood and impact of rain, including costs, delays and financial penalties.
Mitigation activities to reduce the probability of the risk occurring might include:
- Pay for advanced weather forecasting.
- Cost the digging of a protective trench, ensuring adequate drainage.
- Obtain insurance costs/lead times.
Contingency planning in the event of the risk happening might identify the cost and resources needed to dig out the foundations and have them ready for a re-pour. This is practical risk management carried out by experts based on an informed decision to deliver the best outcomes for the project.
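The steps listed above, applied to the concrete-pour example, as an added illustration that is not part of the original article: each risk is scored by probability and impact, and a mitigation is only adopted when the expected loss it avoids exceeds what it costs. All figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float            # chance the event occurs in the period (0..1)
    impact: float                 # cost if it occurs (delays, penalties, re-pour)
    mitigation_cost: float        # one-off cost of the mitigation action
    mitigated_probability: float  # probability once the mitigation is in place
    mitigated_impact: float       # impact once the mitigation is in place

    def expected_loss(self) -> float:
        return self.probability * self.impact

    def mitigated_expected_loss(self) -> float:
        return self.mitigated_probability * self.mitigated_impact

    def mitigation_value(self) -> float:
        """Expected loss avoided minus the mitigation cost; positive means worth doing."""
        return self.expected_loss() - self.mitigated_expected_loss() - self.mitigation_cost


def decide(risks):
    """Rank risks by expected loss and decide, per risk, whether to mitigate
    or to accept it and rely on the contingency plan."""
    rows = []
    for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True):
        decision = "mitigate" if r.mitigation_value() > 0 else "accept and plan contingency"
        rows.append((r.name, decision, round(r.expected_loss(), 2)))
    return rows


def contingency_reserve(risks) -> float:
    """Expected loss that remains after the chosen decisions; a budget for recovery."""
    return round(sum(r.mitigated_expected_loss() if r.mitigation_value() > 0
                     else r.expected_loss() for r in risks), 2)


# Constructed figures (hypothetical): rain risk mitigated by a drainage trench,
# a rarer supplier-failure risk whose mitigation (a retained second supplier) costs
# more than it saves.
POUR_RISKS = [
    Risk("heavy rain during pour", 0.30, 50_000, 8_000, 0.05, 50_000),
    Risk("supplier failure", 0.02, 40_000, 5_000, 0.005, 40_000),
]

if __name__ == "__main__":
    for row in decide(POUR_RISKS):
        print(row)
    print("contingency reserve:", contingency_reserve(POUR_RISKS))
```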
The difference between operational and project risk
Operational risks affect an organization carrying out its regular business, and there are two sorts.
Frequency risks are expected to occur regularly, and we can predict these costs over a period. Catastrophe risks are unexpected and might happen only once every 20 years.
Project risks relate to a plan to deliver a particular outcome. For example, external threats might include a new competitor affecting the business case. Delivery risks relate to the ability to complete the required tasks on time, within budget and to the specification needed.
Cyber security risk is an operational risk issue
Cyber security risk is predominantly an operational risk issue, where persistent though changing security threats are ever present. Cyber security applies to projects in that any technology being used or delivered by a project must embrace security by design and comply with applicable standards.
An organization’s defence needs to be proportionate to the level of risk. It should be balanced so that weaknesses in one area do not circumvent a major investment in other areas.
It also needs commitment at a senior/board level to ensure it is taken seriously across the organization.
The difference in cyber security risk management when compared to other risks
We manage cyber risk using the exact mechanisms we use for any other risk management. However, there are significant differences in cyber threats compared to other risks.
For example, in traditional risk management, the risks associated with a particular requirement or business function change slowly. In the cyber world, the landscape is far more dynamic.
Data stored by an organization or department is attractive to criminals. In addition, new technology can introduce new vulnerabilities. Threat actors can exploit these before software patches or fixes can be implemented. These factors necessitate a more rigorous approach to cyber risk assessment.
Rather than carrying out a point-in-time exercise, potentially every configuration change, product patch or upgrade needs to be risk assessed and authorized by the organization potentially via a Change Advisory Board.
A key element of a cyber risk management strategy is acknowledging that some attacks will succeed. Creating multiple layers of protection with appropriate monitoring and alerts means a successful attack on one layer can be detected, giving time to enact contingency plans before the next layer is penetrated and the overall attack is defeated.
Cybercriminals use psychology to manipulate individuals and deceive them into compromising security measures. Therefore, we need to ensure that cyber security risk is constantly in people’s minds and that they are regularly reminded how to recognize threats.
An effective cyber security risk awareness strategy needs to include:
- Onboarding training, covering all topics in the organization’s security policy in digestible sections relevant to each job function.
- Regular exercises to verify staff have absorbed training and are following policies with reminders of the consequences.
- Re-assessments and changes to the probability/size of impacts need to be communicated so people realize when there is a heightened risk level.
- Engage everyone to report attacks or near misses to update the threat level so colleagues can take immediate action.
- Staff understand that they must report suspected attacks, and that they can do so without blame.
The most significant risk is complacency resulting in people discounting the probability of a risk affecting them.
Characteristics of poor risk awareness
The tell-tale signs of an inadequate cyber security risk awareness strategy include:
- A policy ignored, creating a sense of false security.
- No method of detecting whether attacks are occurring.
- No way of disseminating information.
- No effective security officer responding to alerts and taking action.
- No support systems.
- No security assessment process as part of procurement.
Priorities for a successful risk awareness strategy
The Director of Security must be able to monitor and audit policy compliance and take action if required.
Create a ‘White List’ of approved software products/apps to increase protection. Any other software must be removed and improper installations investigated. Despite clear instructions, individuals often neglect to remove unapproved software.
To tackle compliance challenges, use Vulnerability Assessment tools to detect and remove or disable non-compliant software, outdated software or software containing new vulnerabilities.
Deploy a system administration tool enabling administrators to remove unauthorized software remotely. Taking concrete action makes it evident to employees that failure to follow the policies is unacceptable and that a technology solution will be monitoring and maintaining a secure environment.
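One way to turn the approved-software list into a check that can be run over an inventory export, as an added example rather than code from the author or any particular tool: each installed product is classed as approved, outdated (below the minimum approved version) or unapproved, with the follow-up action the text describes. The product names, versions and hostnames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    version: str
    status: str   # "approved", "outdated" or "unapproved"
    action: str


def parse_version(v: str, width: int = 3) -> tuple:
    """Dotted numeric version to a comparable tuple, zero-padded so '7.2' == '7.2.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def assess_inventory(inventory, allowlist):
    """inventory: (host, product, version) rows as a software-inventory tool exports them.
    allowlist: product -> minimum approved version. Anything not listed is unapproved."""
    findings = []
    for host, product, version in inventory:
        if product not in allowlist:
            findings.append(Finding(host, product, version, "unapproved",
                                    "remove and investigate how it was installed"))
        elif parse_version(version) < parse_version(allowlist[product]):
            findings.append(Finding(host, product, version, "outdated",
                                    "upgrade to at least " + allowlist[product]))
        else:
            findings.append(Finding(host, product, version, "approved", "none"))
    return findings


def non_compliant(findings):
    """Rows that require administrator action, grouped for the security officer."""
    return [f for f in findings if f.status != "approved"]


# Constructed sample data (hypothetical products and hosts).
APPROVED = {"OfficeSuite": "7.2", "PdfReader": "12.0.1", "VpnClient": "3.4.0"}
INVENTORY = [
    ("ws-101", "OfficeSuite", "7.3.1"),
    ("ws-101", "PdfReader", "11.8.0"),
    ("ws-102", "VpnClient", "3.4.0"),
    ("ws-102", "TorrentGrabber", "2.0.0"),
]

if __name__ == "__main__":
    for f in non_compliant(assess_inventory(INVENTORY, APPROVED)):
        print(f"{f.host}: {f.software} {f.version} is {f.status}; action: {f.action}")
```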
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.