Protect the Organization by Managing Cybersecurity Risk

Learning Objectives

After completing this unit, you’ll be able to:

Design and implement a cybersecurity risk management program by leveraging existing frameworks.
Describe how to mitigate, transfer, or accept risk.
Explain the types of partnerships that are necessary for managing cyber risk.

Design and Implement a Cyber Risk Management Program

In the previous unit you asked the right questions to identify cyber risks in a business context, and got the information you need to understand the organization’s risk tolerance. Now it’s time to manage cybersecurity risks.

The right framework makes protecting the organization easier. You can develop and implement your own framework or leverage industry frameworks and methodologies. There are many national, international, and industry-specific frameworks to choose from. The World Economic Forum (WEF) has developed a white paper on Advancing Cyber Resilience, which contains a framework for managing cyber risk. The framework covers various IT assets such as intellectual property, financial assets, and physical safety assets, and evaluates the business impact of a loss of confidentiality, integrity, or availability

Another commonly used framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which organizes cybersecurity activities and desired outcomes across five functions: Identify, Protect, Detect, Respond, and Recover. The functions provide a high-level view of the maturity of an organization in managing risk and can be adapted to public and private sector organizations of all sizes around the world.

Yet another commonly used resource for managing cyber risk is the Center for Internet Security Top 20 Critical Security Controls. Organizations leverage the controls to protect their critical information and reduce the chance of compromise.

Other commonly used frameworks include the ISO/IEC 27001/2 Information Security Management standards, the Factor Analysis of Information Risk (FAIR) methodology, and industry-specific standards such as the Payment Card Industry Data Security Standard (PCI DSS) in the financial industry and Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry. No matter what framework you choose, keep in mind that compliance with a framework, regulation, or policy is necessary, but insufficient. As a cybersecurity risk manager, you must manage risk to a level commensurate with your organization’s unique risk tolerance.

Depending on the size of the organization, managing cyber risk may require integrating with an Enterprise Risk Management (ERM) team. This broader risk management function takes into account financial and regulatory risks in addition to operational risks at an organizational, strategic level. For example, a pharmaceutical company’s ERM function may consider the financial risks if the new drug the company is developing doesn’t get approval. The company may also face a negative impact if a malicious actor working on behalf of a competitor breaches the company’s systems and steals the secret drug formula. Both this cybersecurity risk and financial risk are taken into account when managing the overall risk of the organization.

After choosing and adapting the frameworks relevant to your organization, it’s time to use the framework to perform ongoing assessments of your business units, programs, systems, and third-party vendors. To help you understand risk in your environment, it is important to identify and collect data at a regular cadence that can serve as an indicator of risk trends. For example, the U.S. Federal government collects the Chief Information Officer (CIO) Federal Information Systems Management Act (FISMA) metrics on a quarterly basis to help departments and agencies manage their cyber risk, support decision making, and prioritize improvements.

Understanding the organization’s baseline risk posture, and goals for improvement, allows you to advise the organization on needed changes to its cybersecurity strategy, policies, and standards. As a cybersecurity risk manager, you also inform decisions on what controls and remediations to prioritize. Let’s dive further into how you advise on the implementation of technical controls.

Mitigate, Transfer, or Accept Risk

Evaluating the dimensions of each risk helps you to prioritize and address them. As a cybersecurity risk manager, it is not your job to personally address each risk, but rather to advise the owners of the risk as needed on decisions. There are three ways that a risk owner can decide to address a risk: mitigate, transfer, or accept. Let’s explore each of these.

Mitigate the Risk

The risk owner works with a control owner to implement security controls to reduce risk based on the sensitivity of the system. For example, a database administrator at a hospital works with the access management team to implement two-factor authentication to access sensitive patient data. The team requires employees to access the database using both a username and password and an ID card inserted into the computer with a smart chip and PIN. In this way the administrator reduces the risk that an attacker can steal employee credentials through a phishing email and illicitly access patient data.

Transfer the Risk

You decide that the risk requires a technical solution that is too complicated for your small organization, or a solution that’s outside your core functionality, and outsource it to another team or company. Let’s use Joe, as an example, who works at a three-person accounting firm. Joe knows it’s important for his firm to have a secure connection to the public internet to avoid a scenario where attackers compromise his clients’ financial information through an otherwise insecure connection. However, Joe is not an internet security expert. He decides to contract with a trusted internet protocol service to manage the security of his internet connection with firewall, intrusion detection and prevention, and antivirus services. He includes language in the contract with the vendor about the security standards he expects them to meet, but he transfers the risk of operating a secure internet connection to the third party.

Accept the Risk

Because every organization operates under resource constraints, it is impossible to completely eliminate all risks. Perhaps after performing a risk assessment, you come to the conclusion that a risk is so unlikely that it is not worth spending time and financial resources to completely eliminate it. Or maybe your project does not currently have the budget to upgrade a system to a more secure technology. In this case you might accept the risk, either indefinitely or under a specific timeline by which it will be mitigated. The key is to document the decision and associated timeline for eventual mitigation. Doing so ensures the business unit is managing risks in a thoughtful way, and is tracking risks and their impact to the overall organization’s cyber risk posture. This exercise can also be used to justify additional budgetary or staff resources for a specific project if the risk is found to be more urgent than previously identified.

Now you know the three methods for managing risk. Next, let’s discuss how as a cybersecurity risk manager you leverage partnerships to effectively manage risk across the organization.

Leverage Partnerships to Effectively Manage Risk

By managing cyber risks as a team, your organization strengthens its cybersecurity posture. Just like the captain can't win the big soccer match without the rest of the team, you need to work with people across the organization to defend the business and score a security goal. While you may have a lead role in calling the plays that will enable the organization to be successful, without building partnerships and a culture of cybersecurity throughout, your organization will never be able to win the big game.

Image of a soccer captain in front of his teammates discussing the next play that will help them win the big game together. Marita manages cybersecurity risks at a bank. She uses her communication, teamwork, and advocacy skills to create buy-in, awareness, and responsibility to better manage risk across the organization. She solicits input from both business and technology teams, and ensures that staff understand their role in implementing and monitoring cybersecurity controls. She works with business staff to understand the criticality of various systems and the data they contain, and system security engineers to recommend and implement mitigations. To ensure a holistic picture of risk across the bank, she partners with staff on the privacy team, business continuity team, and others.

Marita also leverages the threat intelligence team to better understand the current threat landscape as it applies to her industry. She works with the team that manages third-party risks to ensure continued visibility into any risks that have been transferred to outside vendors. She also partners with the legal team to stay abreast of changes in regulations that can affect the organization’s compliance, and with the awareness and training team to help ensure security objectives are understood by everyone. She knows that including a diversity of views from these and other teams in the organization helps better protect the organization as a whole.

Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the function in the left column next to the matching category on the right. When you finish matching all the items, click Submit to check your work. To start over, click Restart.

Knowledge Check

Great work! In the next unit you learn more about how cybersecurity risk managers detect risks and respond and recover from incidents. Let’s go!