Haymarket Media Group

You already know that risk assessment is a critical part of securing your organisation. But are your risk analyses too narrowly focused on IT? SC Media's Steve Mansfield-Devine explores how to get risk management right...

Your risk management needs to have a broad scope. In its recent basic risk management guidelines update, the National Cyber Security Centre stated: "Improving business outcomes should be the primary driver for cybersecurity risk management. We advocate meaningful cybersecurity risk management that illuminates the real cyber risks that are applicable to your organisation and how it operates, rather than the use of techniques which just seek to satisfy compliance requirements."

Never-ending task
Your business, the market in which it operates and the threats you face all constantly evolve, and this environment makes risk management an apparently Sisyphean task. But if you are not constantly reviewing your activities, you risk wasting your time completely.

"Most risk assessments are large, monolithic and point-in-time efforts – the value diminishes instantly," says Robert Huber, Tenable's chief security officer and head of research.

He adds: "Businesses should be continuously monitoring for risks via multiple mechanisms. These include: enterprise risk assessments, business impact assessments, risk registers and issues logs, regular cybersecurity surveys across the enterprise, input from audits, third-party assessments, regulatory updates, cyber-related activity in the news, as well as input from exposure management platforms that monitor 24x7 for vulnerabilities."

Reaching out
However, your burden is going to be eased – and your results improved – if you reach out to the rest of the business.

"Anyone could have valuable input," says Brian Jack, CISO at KnowBe4. "The CISO and the CEO must foster a culture of open communication and solicit feedback often from all up and down the organisational chart. Often risks come from the newest observers to the business."

The CFO, whose job is to manage business risk, is someone with whom you need to maintain a particularly close relationship.

"CISOs and CFOs must be closely involved in the rationalisation of top business risks and the presentation of these risks, responsibilities and high-level mitigation plans with the board," explains Curtis Simpson, CISO at Armis. "CISOs who are able to convey a meaningful business narrative will find it easier to engage with such partners, let alone the board, and will encounter far less friction when securing the resources required to fund the cyber security programmes and better protect their businesses."

Take your time
The same goes for any executive who owns some aspect of risk within the organisation. Taking the time to understand their challenges – and deploying the tools that you have within the IT department to assess their risk profiles – can have huge benefits for the organisation.

"If we take the time to understand how we can use such capabilities to not only mitigate risks but also, address key issues affecting business partners, the impact can be significant," says Simpson. "As an example, let's talk about technical debt. CFOs, CIOs, and CISOs are all trying to reduce the footprint and cost of legacy, high-risk systems both as a result of and in support of continuing to fund innovation.

“These efforts have commonly been slower and less impactful than expected due to the fact that none of the three parties have the data required to paint the way. However, when each leader's data is consolidated and rationalised, the path to risk and operational cost reduction becomes clear."

People know best
However, don't get too focused on technological solutions. Other people in the organisation may prove to be the best assets you have.

"You don't need a fancy tool to generate heatmaps and other charts to do risk management well," says Jack. "All you need is some critical thinking, open communication and ensuring you make decisions on the data that is available.

“Asking stakeholders what keeps them up at night and if they currently do or plan to do anything to help them sleep better is the easiest risk management exercise you could do."