Get to Know Cybersecurity Risk Management
After completing this unit, you’ll be able to:
- Describe the goals of a cybersecurity risk management program.
- Explain the importance of managing cybersecurity risks.
Your company just closed a deal to use a new cloud computing service. Whoopee! This new technology makes it easier to automate application development and bring new opportunities. But let’s pause for a moment. Have you considered the potential impact if the data processed by this new technology is compromised by an attacker? Have you thought about the risks?
This is where cybersecurity risk management comes into play. Cybersecurity risk management is the process of managing risks associated with digital business assets. It involves identifying, assessing, and mitigating risks to protect the confidentiality, integrity, and availability of an organization’s assets. As a cybersecurity risk manager you strive to improve visibility into risks at the enterprise, business unit, and system-level, in order to strengthen an organization’s cyber resilience. Cyber resilience refers to an organization’s ability to prevent, detect, respond, and recover from cyber threats. In a world of constant change, new cyber risks and threats arise daily. You enable their organization to respond to events in a timely way, in order to minimize business disruption and financial losses. Suffice to say, it’s a pretty important role!
So, going back to our example at the beginning, how do you, as a cyber risk manager, identify the risks of using the new cloud computing service? To begin with, you need to consider the likelihood that known threats exploit vulnerabilities. For example, is there sensitive customer data stored in the cloud that an attacker would be interested in stealing? Are there known vulnerabilities in the applications running in the cloud that would allow an attacker to access the information? What is the potential financial, operational, and reputational impact on your company if such a breach occurs? How likely is it that this scenario actually happens? These are the types of questions a risk manager thinks about every day.
Once the risk of a certain program, system, or technology is identified, the organization takes actions to protect itself from the risk. Imagine you are buying health insurance. When you have health insurance, you do not have to worry as much about the cost of your healthcare bills. If you have an accident, you know you can get good quality care and recover quickly. When you choose your insurance plan, you carefully consider the benefits and costs of each plan in order to decide on the one that best suits your healthcare needs. In the same way, as a cybersecurity risk manager, you compare the costs and benefits of mitigating cyber risk by implementing protections, and advising the organization to implement the best action plan.
Just like purchasing insurance reduces the risk associated with accidents, managing cyber risk “buys down” the potential impact if data is compromised by an attacker. Although it’s impossible to fully eliminate all risk, managing cyber risk minimizes the likelihood that an attacker can exploit a vulnerability. If an attacker is successful in breaching a system, risk management can still minimize business disruption and financial losses, so the organization can get back to business faster.
As your organization acquires new technology assets and becomes ever more connected, the threats to your customer’s and your business’ data expand as well. It’s time to put a plan in place to deliver the right amount of cyber protections, so your customers know that they can trust your organization to secure their information. Managing cyber risks means making conscious decisions about securing sensitive information.
As a cyber risk manager, you work to make risk identification and evaluation easier, so everyone, from your boss to your customers, understands the organization’s tolerance for risk, and the actions and associated costs necessary to manage it. Although managing cybersecurity risk can’t ensure that you always make the correct decisions, it does ensure that everyone understands who is responsible for managing a given risk to acceptable levels.
Every organization is unique when it comes to risk and how much it’s willing to take on. But managing cyber risks is an activity that is important for small and large organizations, around the world in every industry, from finance to healthcare to government to energy. Smaller companies may outsource risk management functions to a third party. You may be in charge of working with one of these vendors. Or you may even work for a company that sells cybersecurity risk management services. As a member of the cyber risk management team in a larger organization, you may need to work with many teams across the enterprise to holistically understand risk, including integrating with the Enterprise Risk Management Team. This team manages the organization’s financial, operational, legal, and other risks, in addition to cybersecurity risks at a strategic, enterprise level.
Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching category on the right. When you finish matching all the items, click Submit to check your work. To start over, click Restart.
Great work! Remember, no matter what type of organization you work for, the key is to find the right balance between rewards and risk tolerance. In the next unit, you learn more about your responsibilities as a cybersecurity risk manager in balancing risk, and the skills that help you succeed in the role.
- Trailhead: Cyber Resilience
- External Site: ISO/IEC 27005: 2018 Information Technology—Security Techniques—Information Security Risk Management
- External Site: World Economic Forum: Why Cyberrisk Should Take Centre Stage in Financial Services
- External Site: National Institute of Standards and Technology Risk Management Framework for Information Systems and Organizations