Risk Management Program Development 101

Risk remediation and identification is one of those concentrations within cybersecurity that tends to create some anxiety among cybersecurity professionals—it is hard to explain to someone not in the IT security world what they should and should not be concerned about. Risk identification (through risk assessments or other avenues), risk scoring, risk tracking and remediation for many organizations can seem like an insurmountable task. Many organizations don’t even know where to begin, much less how to operationalize and communicate cybersecurity risks holistically. A successful risk management program requires a strong foundation with these three pillars: cohesive strategy, framework mapping & adoption and ownership and accountability. Once these three pillars are in place it comes down to execution and project management skills. Once these pillars are built, you can continue to build more complex structures on top of your robust risk management program.  Remember, Rome wasn’t built in a day.

Strategy

Strategy is the first step and is often the hardest, especially if your organization is new to the cyber risk management space. It should be short, use words in common language and be easily understood by all. Ideally, the strategy should be driven from the board down, but that is not always the case, and depending on the maturity of your programs. Your security and risk management strategy should be driven by the organization’s goals and what threats are the greatest concerns for your board and leadership. Once that is complete you can identify what controls and implementations you should focus on given the threats and goals of your organization. From there you need to define the key performance indicators and measures of success—these are not a bunch of project plans, but a 10,000-foot view on how and when you intend to achieve the goals. Ultimately, your organization will always have risk, but a baseline needs to be established to drive what your focus should be within your risk program and remediation. Without this strategy element, it becomes increasingly difficult to drive remediation behavior, and also help prioritize remediation efforts.

Framework Mapping & Adoption

The multitude of extremely thorough frameworks within the cybersecurity realm can be overwhelming—these include NIST CSF, NIST 800 series, ISO, CIS, FAIR, OWASP, HITRUST and many others. It is important to not be overwhelmed by the controls and frameworks, but to find one, or several that meet your strategies and organizational goals. Why not run a strict NIST ‘shop’ or a program based solely on CIS? Risk management at its core, is a sales job. You need to sell your organization’s leadership on investing in technologies, people, processes and programs to prevent a catastrophe that might happen—this job is further complicated by not being able to prove that a specific control implementation prevented a breach or security event.

Each framework has its own pros and cons. CIS Top 20 is an excellent framework for helping prioritize remediation, and is very relatable to a wide audience. You can use CIS to create a very consumable visual for executives and sell what risk remediation projects should be tackled first. NIST 800-53, 800-30 and NIST 800-37 are excellent framework tools for operationalizing the “how” within your risk and cyber teams. NIST CSF is a wonderful framework for establishing baseline and continuing maturity of your security program and the overall health of your organization’s security; it can also help explain the timeline of a security event which is helpful for some executives. FAIR is a fantastic tool for helping better quantify risk and assigning tangible dollar amounts to risk, instead of the sometimes-nebulous impact x likelihood scale.

It is easy to get caught up in a framework and choosing the best one to fit all needs; but remember your goal is to create a culture of security and privacy, not just implementing the latest and greatest technology or updated framework. One excellent strategy to employ is evaluating what matters to your organization. Is your organization regulated by HIPAA? Do you have PCI to account for? Map your regulatory requirements, pick your frameworks on what applies to your regulatory requirements, and also what you believe to be most easily understood for your organization and executives. Start small, and scale as you continue to mature and identify gaps or needs within your risk program.

Ownership

Your risk program will fail if the risks you are identifying have no one to own them and thus no one to be held accountable for their remediation or mitigation. We so often hear “security is everyone’s responsibility” and it could not ring more true than with the establishment of a risk management program.

If you cannot establish who in your organization should own a particular risk that has been identified, all subsequent efforts will languish and die. Once you have identified a risk to be tracked in your risk register, the first critical step is establishing, and documenting ownership. Once you’ve established your risk owner, accountability, tracking and remediation can proceed. Ownership and accountability can be tricky depending on your organization’s culture. Accountability can sometimes sound negative—what you do not want to happen is people avoiding your team or your program because you’re seen as the mole that gets everyone in trouble. Ensure other teams that you are there to help push the organization forward and avoid catastrophe together. Be the team that other teams feels as though they can rely on and help navigate IT. This forms a beneficial relationship for everyone involved.

Project Management

Now that you’ve built the three pillars it is time to work with your teams to build the project plans around the implementation of the program and this can be done in phases over a long period of time, depending on investment. Ultimately, an effective risk management program that drives remediation in an organization comes down to project management. How you opt to operationalize this piece truly boils down to status check-ins with risk owners, dashboarding or report creation, and effective communication with leadership and risk owners. Your risk program team will become liaisons and shepherds of remediation ensuring not only risk owners are held accountable, but also acting as subject matter experts, and in some cases assisting them navigate the organization to accomplish the remediation. Much like establishing ownership, if a regular reporting cadence isn’t established, most if not all remediation efforts will languish, and you will not meet your goals set forth in your strategy.

It’s also important to mention, that thus far, we have not specifically called out the utilization of any Governance, Risk Management and Compliance (GRC) technology. Although implementing your risk management program would benefit from a GRC tool, if you employ the foundations outlined above, you can absolutely have a successful risk management program without any GRC tools. In many cases, it’s advisable to develop your program first, and then opt for tool selection, so you know what you will want from that tool, which can save valuable funding you may need for other controls.  

Risk management is a critical activity in driving your organization’s security posture. Program development can seem daunting, but it’s important to remember that risk management is iterative, and will continue to evolve with the maturity of your organization. Start with a strategy, then establish a framework, enforce ownership, and add in project management, and you’ll have the recipe for a successful risk management program.

What’s Hot on Infosecurity Magazine?