Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/19/2020
02:00 PM
Andrew Lowe
Andrew Lowe
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Yellow Brick Road to Risk Management

Beginning the journey to risk management can be daunting, but protecting your business is worth every step.

Most of us have seen the movie or read the book The Wizard of Oz. Dorothy Gale and her pals faced — and overcame — huge obstacles as they followed the yellow brick road toward the Emerald City. In today's fast-paced world, organizations face a variety of obstacles as they try to grow their businesses. And they share a major hurdle with Dorothy on their way to reaching this goal: risk management.

Risk is inevitable, and organizations must have a way to manage it — because risk that goes unmanaged can turn into vulnerabilities that can be exploited by bad actors. And this can result in loss — of reputation, finances, and confidence from clients and partners. This is where risk management, often with a particular framework you follow to achieve it — like the yellow brick road — comes into play.

Related Content:

Rethinking Security for the Next Normal -- Under Pressure

2020 State of Cybersecurity Operations and Incident Response

The Changing Face of Threat Intelligence

Risk Management Defined
Risk management is defined as the process of identifying, assessing, and controlling threats to an organization. You can manage your organization's risk, either eliminating or reducing its severity, by putting controls in place. These controls are normally guided by a framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the International Organization of Standardization's (ISO) 31000 Risk Management series.

A big part of risk management is protecting your company's and your customers' privacy and sensitive data. And these requirements are not new. For example, the first version of NIST Special Publication 800-53, which covers the steps in the RMF that address security and privacy control selection for federal information systems, was released in 2005; 15 years later, it's in its fifth revision. Other compliance requirements, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) released in 2018, and Cybersecurity Maturity Model Certification (CMMC) released in 2020, are increasing the focus on managing these types of privacy and data risks and the need for frameworks to help with that. Now, as a result of the global COVID-19 pandemic, organizations have to adopt some kind of risk management strategy and framework to help them cope with new operational processes, such as staff working remotely on unprotected home networks.

What Standards and Frameworks Are Right for Your Business?
Organizations can choose from a variety of risk management standards and frameworks. Which you choose depends on several variables unique to your organization: budget, current processes in place, and needs. Not implementing the proper one could lead to losing a contract or having to pay a regulatory fine. For example, businesses seeking Department of Defense contracts that process sensitive data will be required to implement Cybersecurity Maturity Model Certification. US companies wishing to partner with Japanese organizations must have ISO 27001 accreditation, an information security management standard that is different from ISO 31000.    

If your organization doesn't have a regulatory body forcing the issue, you should still consider putting a framework in place to better manage risks and help protect your business from hackers and other cybersecurity threats. These situations can and do have real-world adverse business outcomes, including taking down your e-commerce business or confiscating all of your data through a ransomware attack.

The first step to take when embarking down the road to risk management is to pick a framework that complements rather than disrupts your existing practices and meets your business needs. Here are a few of the most common frameworks and the types of organizations that typically use them.

Framework

Use case

Risk Management Framework

Federal agencies

Cybersecurity Framework

Nongovernmental organizations 

Federal Risk and Authorization Management Program (FedRAMP)

Cloud services providers

ISO 27001

Private industry

NIST Privacy Framework

All

Next Steps
A variety of tools are out there to help you implement the best framework and risk management strategy for your business needs. Most organizations use a third-party tool or resource, such as governance, risk, and compliance (GRC) software that can be aligned with the framework you choose or professional services that can help you navigate the different requirements. Some GRC tools are managed services that combine a software as a solution with expert staff that handle the process. These approaches can offer you visibility and control over your risk decisions and build out the risk management and system security programs aligned to your business strategy.

Beginning the journey down the yellow brick road of risk management can be daunting. But protecting your business is worth every step of the way. 

Andrew Lowe serves as Senior Information Security Consultant for TalaTek, an integrated risk management firm in Northern Virginia. He has more than 10 years of information security experience, including risk management and compliance program development and implementation, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lowebrew
50%
50%
Lowebrew,
User Rank: Author
1/6/2021 | 4:46:26 PM
Re: Risk Transfer & Risk Management
Hey mcavanaugh1,

Thank you for continuing the conversation!

Risk transfer for sure is an important part of a comprehensive management program, along with being an important risk management method. Other important risk management methods include risk avoidance, risk acceptance, risk mitigation, and other risk management methods, which all can fit into the puzzle we have to piece together to build a risk management program to manage risk. Risk is never possible to completely eliminate, no matter what framework or software is implemented/deployed, but we have the tools and methods to make that risk footprint smaller.

Risk transfer utilizing a comprehensive insurance program is a very powerful tool, if your budget allows it. Risk transfer should be considered, based on the risk tolerance of your organization, severity of the risk itself, and the cost of damage that can occur if the risk is not managed properly. Along with insurance programs, you can also transfer risk by utilizing cloud to take on the technical and environmental risk such as having technical experts in a protected enviroment that has failsafes in place for your data, and aren't disrupted by mother nature due to database placement of the cloud providers' facilities.

Thank you and Happy New Year!
mcavanaugh1
100%
0%
mcavanaugh1,
User Rank: Moderator
11/19/2020 | 9:09:23 PM
Risk Transfer & Risk Management
One portion of a comprehensive Risk Management program that you are forgetting is Risk Transfer. Risk Transfer is just as vital to the success of a Risk Management program as the implementation of any software platform or roll-out of a framework. 

It is impossible to remove all of the risks in any activity without completely avoiding it however the risk can be managed by mitigating the risk where possible and transferring the risk where it cannot be mitigated or avoided. The primary way to transfer that risk is through an insurance policy designed to cover that exposure.

Utilizing a comprehensive insurance program (Cyber, CGL, E&O, etc...) to transfer the risk is just as important as any piece of software.

 
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.