As your company's chief information security officer (CISO), you're responsible for IT and corporate security, as well as the safety and security of company data and assets. You navigate a fraud landscape of ever-changing and newly emerging threats, while analyzing, prioritizing, and communicating these threats to others at the C-level table. If security risks and vulnerabilities are not properly prioritized at an organizational level, your company is more vulnerable to breaches, hacks, and threats.
A One-Stop "What If" Catalog of Risks
Your risk register should serve as a standardized framework — a "what if" manual that includes current and potential security risks and how they could impact the organization. This risk register should identify threats, outline the probability they will affect your company, and illustrate the overall potential impact — and it should be continually updated. This inventory of risks may include risk description, cause, result, likelihood, outcome, and mitigation actions, all customized to your organization. Break out your risk register into sections that map to different business units and stakeholders (infrastructure, internal systems, physical security, etc.) and detail how each may be affected by various threats.
How do you decide what goes into your risk register? Much of that depends on your company's cybersecurity posture, identified risks, and potential risks. However, there are some general guidelines to keep in mind.
1. Zero trust is a must.
Yes, hybrid work accelerates fraud. Many new technologies have come to the forefront as companies adapt and adjust to facilitating remote work for their teams scattered across the globe. We now live in an environment of heightened risk, new types of threats, and constant alerts. It's been a year since President Joe Biden issued a cybersecurity executive order outlining the importance of adopting a zero-trust cybersecurity approach, yet only 21% of critical infrastructure organizations have adopted such a zero-trust security model.
Zero trust is something security teams have been talking about for a few years. Think about how the "business perimeter" has changed with multiple teams, multiple devices, and multiple locations. Historically, many thought of zero trust as "trust, but verify." The new zero trust: "check, check again, then trust in order to verify." This means validating every single device, every single transaction, every single time.
2. Plan "outside the lines" when it comes to business continuity, disaster recovery, and potential cyberattacks.
As you construct your risk register, there are remote workplace-specific items to keep in mind. Of course, you want to put security measures in place that will minimize downtime for employees. Bolster your identity and access management via methods such as multifactor authentication. Ensure corporate data is encrypted to prevent sensitive data from getting into the wrong hands. Also, consider current world events, global economic forecasts, and even unpredictable natural disasters, and how each may affect your company's operations.
3. Mind the gaps.
The rise of remote work has corresponded with a rise in shadow IT — those devices, software, and services that employees adopt without IT department approval. The number of software-as-a-service (SaaS) apps running on corporate networks averaged three times the number that IT departments were aware of in 2022.
Here's the problem: You can't protect what you can't see. Shadow IT can introduce information security vulnerabilities in the way of data leaks, compliance violations, and more. As you enable your remote workforce to be more flexible in how they work, visibility should be top of mind. This is, of course, in addition to tightening up identity and access management across the board and doubling down on zero-trust policies.
You should be having continuous conversations with stakeholders to stay one step ahead of shadow IT and application sprawl. Consider creating policies that open a dialogue with IT and the rest of the company. These policies could also encourage employees to go to IT if they want to request a new application.
4. Seek the highest common compliance denominator.
The current global data protection landscape is an ever-changing one, with several regulations, compliance initiatives, frameworks, and mandates (GDPR, FIPS, ISO 27001, SOC, FedRAMP, and more). And there are also country-, region-, and state-specific mandates, such as Brazil's General Data Protection Law and the California Consumer Privacy Act (CCPA).
So, how can you ensure your organization is compliant? Look for the highest common denominator across various regulations. Take bits and pieces from different mandates, regulations, and guidelines and wrap them into your own company's unique framework. You may take some regulations from the EU's General Data Protect Regulation (GDPR) that are more stringent, while taking other tougher regulations from Brazil's law. This way, you adhere to the highest levels of data privacy regulations in real time while supporting your global customer base.
A Final Word About Basic IT Hygiene
As you consider the guidelines above, remember this: If you properly patch your machines, keep a close eye on configuration management, and add/remove users in a timely manner, you are mostly there. Even though there will always be new challenges to address (new government mandates, compliance updates, potential security risks), achieving basic IT hygiene is 99% of the game.