Implementing a Risk Management Program
Before Getting Started
Organizations are at a pivotal point in how they address risk within their cyber security programs. For the first time, it is becoming significantly more expensive for organizations to do nothing about security than to address it. As a result, organizations are moving in droves to implement corrective action as quickly as possible.
This framework is designed to help with that mission by providing a step-by-step approach that anyone can follow. The steps are designed to be followed in linear order, but some organizations will encounter situations that require them to go back to an earlier step. Examples include an acquisition that changes which entities are included on the network, or a significant organizational change to the business. In these situations, you can go back and restart from whichever step makes sense so that you are working from valid data. When this occurs, your next step is always the one that follows the step you went back to.
Below are the five steps to building a risk management program for any organization. Completing these steps will provide your organization with a mature Risk Management Program.
Step 1: Inventory and centralization of all previous security findings within the organization
Many organizations are interested in developing a risk management program for their environment but are unsure of where to start. Identifying and organizing all previous findings is important because it enables an organization to understand what has been measured and the story behind those findings, and it provides a good indicator of current state. This step is absolutely critical for starting the process of informing management and requesting funding.
Step 2: Implementation of an enterprise wide communication and reporting system
After completing Step 1, an organization has reached maturity level 1 and should have the data needed to start communicating and interacting with the organization and management. Most likely, the existing team is over-allocated, and chances are that at this point additional resources and funding will be required.
Step 2 entails two primary elements. The first is to start building the mechanism for providing management with the information they need to make informed decisions about how to move forward. Once information about current state has been provided to management, this is the point in the process at which accountability for security transitions to management.
The second element, just as important, is to begin the security training and awareness component for the organization. From this point forward, your security effort will be interacting and communicating with every aspect of the organization. The more you can educate and inform the business and the individuals within it about your efforts, the quicker you will be able to implement change. Your training and awareness program becomes the grease that propels your program forward.
Step 3: Development of a Security Program Structure
Organizational leaders, in security or not, are required to look at the current situation and, from the data available, provide the best options for moving forward. Up to this point most of your tasks have been associated with collecting and organizing information about the gaps in your organization’s security profile. In this step, you will use this information to develop and then present options for building a repeatable risk management system that remediates these gaps in the most effective way moving forward.
There are many different types of security program structures that can work in varying situations. For example, perhaps your organization is a large health system with many individual hospitals, each with its own internet connection. In this situation, it may make sense to build a highly distributed security program structure with regional security teams and governance, because of how the risk is distributed. Even in this example, there are still multiple security program structures that can be applied, each with its own pros and cons for the business.
Our research has shown that executive management responds better when these options are presented with clear pros and cons, supported by the information you have collected to this point. By Step 3, an organization has collected the information necessary to support the development of a custom-fit security program. At maturity level 3, the security function supports the business in building that program and then leads the way forward.
Step 4: Development of a Security Risk Management Program
Risk management is one of the most important processes your cyber security program will develop. The more efficient these processes are, the better the information you will be able to give the business for making informed business decisions in the future. At the conclusion of the tasks in Step 4, your organization will have a functioning risk management program within its security program.
Step 5: Implement Decisions of Management
Organizations and their boards are “looking to security to implement positive change and cost avoidance in their environment”. Step 5 focuses on techniques for measuring progress and for implementing management’s decisions in the best manner possible.