Detect Cybersecurity Risks and Respond and Recover from Incidents
After completing this unit, you’ll be able to:
- Describe how cybersecurity risk managers track implementation of policies, procedures, and controls.
- Explain the importance of early recognition of potential risks.
Managing risk is a daily activity. Imagine that you are the captain of a ship on a voyage across the sea. In order to arrive safely at your destination, you need to monitor the state of the ship and the conditions at sea and detect any problems. Your crew knows to keep a close eye on the sails, the engine room, and the hull, and report any malfunctions. Your night watchman scans the horizon for icebergs and pirates, and closely follows the radar to determine if a storm is coming. You consult your maps and charts to make sure you are staying on course. If you detect a problem, you notify your crew, the passengers, and even the coast guard in the event of a major incident.
Just as a captain monitors risks to his ship and adjusts course accordingly, as a cybersecurity risk manager it’s your task to identify the data you need to monitor risks, and develop and track cybersecurity metrics to effectively detect problems and report them up the chain. As you monitor risks, and track the implementation of policies, procedures, and controls, keep in mind the following key points.
Integrate with business unit and organizational risk reporting.
It’s likely that the various teams you interact with have many data calls they must answer on a daily basis, especially in a large organization. To the extent possible, leverage existing data that teams already use to understand risk.
Don’t forget about operations.
Integrate the risk management process as much as possible with cybersecurity operations. While many operations indicators may not be outcome-oriented, there are sure to be some that you can use to effectively understand the risk to your cyber ship. For example, how much of your network is being monitored by the operations team? Are there business systems that aren’t integrated into the central security operations center? Are there third-party vendors that represent a blind spot? These are key components of risk to consider from an operational perspective.
Automate data collection and leverage machine learning.
In today’s environment there is ever-increasing data produced by connected endpoints, logs, and threat indicators. As a savvy risk manager, you know your organization can drown in all the data if you can’t automate some of the metrics collection process. This is especially true of large organizations. Work with the owners of machine data to find ways to automate the collection and analysis of indicators so that you can paint a full picture of the risks posed to your organization and quickly detect risks when they occur.
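The questions above (how much of the network the operations team actually monitors, which business systems never reached the central SOC, which third-party-managed systems are a blind spot) can be turned into automatically collected metrics. The script below is an added example, not part of this unit or of any Trailhead project: it joins a constructed asset inventory (hypothetical names and criticality ratings) against a constructed list of log sources a SIEM has received events from, and reports overall, criticality-weighted and per-business-unit coverage, sources that have gone quiet, assets that were never onboarded, and third-party blind spots. The staleness threshold and the criticality scale are assumptions chosen for the example.

```python
"""Added example: monitoring-coverage metrics from an asset inventory and the
list of log sources a SIEM is actually receiving events from.
All names, ratings and timestamps below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    asset_id: str
    business_unit: str
    criticality: int          # assumed scale: 1 (low) to 5 (high), set by the owner
    third_party_managed: bool


@dataclass(frozen=True)
class LogSource:
    asset_id: str
    last_event: datetime      # most recent event the SIEM received from this asset


# Constructed sample data (hypothetical environment).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ASSETS = [
    Asset("web-01", "Sales", 4, False),
    Asset("db-01", "Sales", 5, False),
    Asset("hr-portal", "HR", 4, True),
    Asset("payroll-db", "HR", 5, True),
    Asset("build-srv", "Engineering", 3, False),
    Asset("wiki", "Engineering", 2, False),
]
LOG_SOURCES = [
    LogSource("web-01", NOW - timedelta(minutes=5)),
    LogSource("db-01", NOW - timedelta(hours=30)),            # went quiet yesterday
    LogSource("build-srv", NOW - timedelta(minutes=1)),
    LogSource("wiki", NOW - timedelta(minutes=10)),
    LogSource("decommissioned-99", NOW - timedelta(days=2)),  # not in the inventory
]


def coverage_report(assets, log_sources, now, stale_after=timedelta(hours=24)):
    """Return monitoring-coverage metrics suitable for a risk dashboard."""
    inventory = {a.asset_id: a for a in assets}
    if not inventory:
        raise ValueError("asset inventory is empty; nothing to measure")
    last_seen = {s.asset_id: s.last_event for s in log_sources}

    # An asset counts as monitored only if the SIEM saw an event recently;
    # a source that has gone silent is a coverage gap even though it was onboarded.
    fresh = {aid for aid, t in last_seen.items()
             if aid in inventory and now - t <= stale_after}
    stale = sorted(aid for aid, t in last_seen.items()
                   if aid in inventory and now - t > stale_after)
    unmonitored = sorted(aid for aid in inventory if aid not in last_seen)
    # A log source with no inventory entry points at an inventory gap instead.
    orphan_sources = sorted(aid for aid in last_seen if aid not in inventory)

    # Weight coverage by criticality so a missing crown-jewel system stands out.
    total_weight = sum(a.criticality for a in inventory.values())
    fresh_weight = sum(inventory[aid].criticality for aid in fresh)

    per_unit = {}
    for a in inventory.values():
        unit = per_unit.setdefault(a.business_unit, {"assets": 0, "monitored": 0})
        unit["assets"] += 1
        unit["monitored"] += int(a.asset_id in fresh)
    for unit in per_unit.values():
        unit["coverage"] = round(unit["monitored"] / unit["assets"], 2)

    return {
        "coverage": round(len(fresh) / len(inventory), 2),
        "weighted_coverage": round(fresh_weight / total_weight, 2),
        "per_business_unit": per_unit,
        "stale_sources": stale,
        "unmonitored": unmonitored,
        "third_party_blind_spots": [
            aid for aid in unmonitored if inventory[aid].third_party_managed],
        "orphan_sources": orphan_sources,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(ASSETS, LOG_SOURCES, NOW), indent=2))
```

In practice the two inputs would come from the CMDB or cloud inventory API and from the SIEM's log-source health view rather than from literals; the value of the script is that the same join runs unattended every day, so a source that silently stops reporting shows up as a metric change rather than being discovered during an incident.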
Trust but verify.
Even the best program has gaps. You can test these in real time through the audit process and through tools such as penetration testing. The audit team examines artifacts and data related to a given system or program to determine if the security posture is consistent with the desired risk tolerance, either from a regulatory or internal policy perspective. Penetration testing goes a step further by examining the system itself from the point of view of an adversary to determine if any vulnerabilities can be successfully exploited. It’s a great idea to leverage the work of these teams to help you better understand the risk posture of the program/system you are interested in.
Executive reporting is your friend.
As a cybersecurity risk manager, it’s your job to proactively report on the organization’s risk posture to leadership across the company, including to the CISO, CIO, CEO, and Board of Directors. Remember to keep reporting centered around outcomes and contextualized to the business so that it’s relevant to your audience. Just as a teacher in school uses report cards to assess student progress and raise issues early to parents, you regularly report on risk to keep the board informed of issues early and often. Doing so creates trust in your program, and also builds the case for when additional investments in funds or staff are needed to mitigate an emerging risk. For more on how members of the board can promote an organization’s cyber resilience, check out the Cyber Resilience module.
When you efficiently monitor and communicate cybersecurity risk, you enable the organization to anticipate and mitigate threats earlier, and drive stronger business performance. The earlier you detect potential risks, the earlier you can also identify attacks and breaches and enable a rapid response.
Just as a fire alarm enables first responders to quickly identify where there is trouble, managing cybersecurity risks enables incident responders to focus on the highest risks to the organization. No matter how well you manage risk, your job will never be done (yay job security!). Because the threat and technology landscapes continue to evolve, managing cybersecurity risks is an ongoing process. When a breach does occur, work with the incident response and recovery teams to understand what happened, and to implement improvements so that the problem does not reoccur in the future. Incorporating cybersecurity risk management into your organization’s culture and projects will help you continue to deliver success for years to come.
In this module, you've been introduced to methods for identifying cybersecurity risks and business impacts. You’ve learned more about how to protect the organization by managing cybersecurity risk, and discovered how to detect and monitor risks and respond to and recover from incidents. Along with the information you reviewed in the first module, you should now have a better understanding of what it takes to be a cybersecurity risk manager. You can learn more about the in-demand skills needed for a job in cybersecurity risk management or another cybersecurity field, and about security practitioners, by visiting the Cybersecurity Learning Hub on Trailhead.
- External Site: SANS: Creating a Security Metrics Program
- External Site: World Economic Forum (WEF): Tool finds software update bugs in hours, not days
- External Site: National Institute of Standards and Technology (NIST): Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- External Site: Center for Information Security (CIS): Maintenance, Monitoring, and Analysis of Audit Logs
- External Site: SANS: Leverage Risk Focused Teams to Strengthen Resilience Against Cyber Risks