Manage Security Risks

Learning Objectives

After completing this unit, you’ll be able to:

Define risk owner roles and responsibilities.
Explain the role of the control executive.

Cyber Risk Ownership

Implementation of an effective cybersecurity program requires a leader who analyzes and prioritizes how to use technology and cybersecurity to protect the business from unnecessary risks. Building and practicing strong cyber hygiene is one way to minimize the risk of attackers exploiting known vulnerabilities. But as an executive, it’s also key that you take ownership of your organization’s cybersecurity risks and how they may impact your organization’s business processes. Properly owning and managing cybersecurity risks also helps enable your organization to comply with applicable cybersecurity laws, regulations, and standards.

To better understand what we mean when we talk about risk ownership, let’s talk about a cautionary tale of mobile device security.

Securing Your Credentials

You joined your colleagues at a networking web conference Friday while at a local shared office space. While you were chatting up new contacts, you left your phone charging in a nearby wall socket. When you checked a few minutes later, your phone was gone. You asked the venue staff for help in locating it, but it was too late. You contacted your phone carrier for a replacement.

A few days later, you get a text message on your new phone telling you that there is an alert on your Find My Phone application. It urges you to click the link and enter your username and password to locate your phone. Hurry, you only have an hour to do so or your device location will no longer be visible! You click the link and enter a site called “findyourphone.com” using your username and password. Suddenly you realize you never set up Find My Phone on your device. What is going on?

Your stolen phone is only the start of your bad luck, because you’ve just been phished by an attacker who sent you a spoofed text, directed you to a malicious site, and stole your username and password.

What could you have done in this scenario to better manage risk? You could have protected the physical security of your device by not leaving it out of your sight. Additionally, you could have implemented multi-factor authentication (MFA) on your online accounts so that even if your usernames and passwords were compromised, attackers could not access your information because they wouldn’t be able to get through the other layers of authentication.

In the same way you’re responsible for securing your individual device, as an executive you likely have a role in understanding, validating, and improving the security posture of your business unit and your overall organization. You should understand your role and responsibility for maintaining the confidentiality, integrity, and availability of your business systems and of your customers’ and third-party business systems while complying with all applicable legal, contractual, and regulatory requirements. Executives should periodically review, validate, and improve the security posture of their organization through the identification, review, and remediation of cybersecurity risks, controls, and processes.

Maybe you didn’t even realize the risks that you were taking with the way you managed your personal cell phone, and you probably won’t make the same mistakes again! Owning and managing your organization’s cybersecurity risks is just as important as managing personal cybersecurity risks. You likely have a role to play in maintaining active formal risk assessments, and implementing effective response and recovery capability mitigation processes for critical departments and functions across your organization. In this way, you can manage the impact of unwanted and unexpected events (like having an IT asset stolen or clicking a malicious link).

Let’s look at an example of risk ownership.

Enforcing Security Controls

Hea is an executive at a financial institution. She is in charge of the customer service unit, and uses a system for logging customer complaint data. The system is managed by IT. Attackers may be interested in stealing sensitive information from the database that tracks customer complaints.

As the business owner of the customer service database, Hea maintains visibility over the risk and related controls. She makes sure her employees understand the risks, oversees implementation of appropriate controls, monitors how data is handled, and checks how well employees follow proper procedures. She works with the financial institution’s security department to help her manage risk by enforcing the use of MFA for database access, encrypting the data when saved on employees’ laptops, and putting in place email filtering, which blocks employees from inappropriately sending downloads of the database tables that include sensitive customer information.

Control Executive Roles and Responsibilities

At Hea’s organization, the process of complying with security certification standards and maintaining internal controls over security practices is managed by a Security Governance Risk Management and Compliance team (GRC). Some common controls that you may be familiar with are asset management, vulnerability assessment and remediation, incident management, and security audit and compliance. Even though GRC manages security practices, there are many players involved in keeping Hea’s organization secure. One of the most important, the control executive, is accountable for making sure the control owner and control performer implement and maintain the control accurately and on time.

Whereas Hea assesses and articulates risks, Jamie, the control executive, works with the control owners and control performers to make sure all controls are performed correctly and on schedule, assigns staff roles, and communicates the importance of completing the controls dependably and reliably.

Consider lifeguards at the beach. The people who visit the beach to swim and enjoy the water could drown, be stung by a jellyfish, or cut their foot on a piece of glass in the sand. The lifeguards, much like Jaime, oversee safeguards to minimize these risks. They closely watch the water for any signs that someone may be drowning. They keep a life preserver handy in case they must pull someone from the water. They make sure the city posts signs warning swimmers of the dangers of sharks and jellyfish in the water. They contact local police to enforce rules against the use of glass bottles on the beach.

A lifeguard is standing in his tower, watching over a beach. A sign with a red triangle and an exclamation mark indicates a shark hazard.

Just as the lifeguards help control the level of risk that swimmers face when enjoying the sand and sun, Jaime as the control executive protects against cybersecurity risks by making sure all controls are performed accurately and on time, and by attesting to the state of the control in order to protect the company and its customers.

For example, Jaime makes sure multi-factor authentication is always required for login to his organization’s systems. Jaime collaborates with Hea to understand the risk each control is intended to address, identify what controls are in place and how effective they are, and update and review controls over time. Jaime establishes procedures for detecting instances of noncompliance and developing and tracking corrective action plans. Jaime works closely with Hea to maintain awareness, manage communications, and correct course as needed.

As an executive, you may be responsible for both risk ownership and controls. In each role, it’s key that you understand the risks identified, validate that controls are in place and functioning as expected, and quickly remediate any gaps. If you have questions about your role, your organization’s GRC team may be able to help.

Sum It Up

You’ve now learned how to manage the unique cyber risks you face as an executive, whether it is to recognize sophisticated phishing emails, secure your social media accounts, or better understand the cybersecurity risks that face the business unit you lead. As an executive, it is critical that you follow your organization’s cybersecurity policies and best practices and keep security top of mind in everything you do. Interested in learning more about cybersecurity best practices? Check out the Cybersecurity Learning Hub on Trailhead.