Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/19/2020
02:00 PM
Andrew Lowe
Andrew Lowe
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Yellow Brick Road to Risk Management

Beginning the journey to risk management can be daunting, but protecting your business is worth every step.

Most of us have seen the movie or read the book The Wizard of Oz. Dorothy Gale and her pals faced — and overcame — huge obstacles as they followed the yellow brick road toward the Emerald City. In today's fast-paced world, organizations face a variety of obstacles as they try to grow their businesses. And they share a major hurdle with Dorothy on their way to reaching this goal: risk management.

Risk is inevitable, and organizations must have a way to manage it — because risk that goes unmanaged can turn into vulnerabilities that can be exploited by bad actors. And this can result in loss — of reputation, finances, and confidence from clients and partners. This is where risk management, often with a particular framework you follow to achieve it — like the yellow brick road — comes into play.

Related Content:

Rethinking Security for the Next Normal -- Under Pressure

2020 State of Cybersecurity Operations and Incident Response

The Changing Face of Threat Intelligence

Risk Management Defined
Risk management is defined as the process of identifying, assessing, and controlling threats to an organization. You can manage your organization's risk, either eliminating or reducing its severity, by putting controls in place. These controls are normally guided by a framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the International Organization of Standardization's (ISO) 31000 Risk Management series.

A big part of risk management is protecting your company's and your customers' privacy and sensitive data. And these requirements are not new. For example, the first version of NIST Special Publication 800-53, which covers the steps in the RMF that address security and privacy control selection for federal information systems, was released in 2005; 15 years later, it's in its fifth revision. Other compliance requirements, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) released in 2018, and Cybersecurity Maturity Model Certification (CMMC) released in 2020, are increasing the focus on managing these types of privacy and data risks and the need for frameworks to help with that. Now, as a result of the global COVID-19 pandemic, organizations have to adopt some kind of risk management strategy and framework to help them cope with new operational processes, such as staff working remotely on unprotected home networks.

What Standards and Frameworks Are Right for Your Business?
Organizations can choose from a variety of risk management standards and frameworks. Which you choose depends on several variables unique to your organization: budget, current processes in place, and needs. Not implementing the proper one could lead to losing a contract or having to pay a regulatory fine. For example, businesses seeking Department of Defense contracts that process sensitive data will be required to implement Cybersecurity Maturity Model Certification. US companies wishing to partner with Japanese organizations must have ISO 27001 accreditation, an information security management standard that is different from ISO 31000.    

If your organization doesn't have a regulatory body forcing the issue, you should still consider putting a framework in place to better manage risks and help protect your business from hackers and other cybersecurity threats. These situations can and do have real-world adverse business outcomes, including taking down your e-commerce business or confiscating all of your data through a ransomware attack.

The first step to take when embarking down the road to risk management is to pick a framework that complements rather than disrupts your existing practices and meets your business needs. Here are a few of the most common frameworks and the types of organizations that typically use them.

Framework

Use case

Risk Management Framework

Federal agencies

Cybersecurity Framework

Nongovernmental organizations 

Federal Risk and Authorization Management Program (FedRAMP)

Cloud services providers

ISO 27001

Private industry

NIST Privacy Framework

All

Next Steps
A variety of tools are out there to help you implement the best framework and risk management strategy for your business needs. Most organizations use a third-party tool or resource, such as governance, risk, and compliance (GRC) software that can be aligned with the framework you choose or professional services that can help you navigate the different requirements. Some GRC tools are managed services that combine a software as a solution with expert staff that handle the process. These approaches can offer you visibility and control over your risk decisions and build out the risk management and system security programs aligned to your business strategy.

Beginning the journey down the yellow brick road of risk management can be daunting. But protecting your business is worth every step of the way. 

Andrew Lowe serves as Senior Information Security Consultant for TalaTek, an integrated risk management firm in Northern Virginia. He has more than 10 years of information security experience, including risk management and compliance program development and implementation, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mcavanaugh1
100%
0%
mcavanaugh1,
User Rank: Moderator
11/19/2020 | 9:09:23 PM
Risk Transfer & Risk Management
One portion of a comprehensive Risk Management program that you are forgetting is Risk Transfer. Risk Transfer is just as vital to the success of a Risk Management program as the implementation of any software platform or roll-out of a framework. 

It is impossible to remove all of the risks in any activity without completely avoiding it however the risk can be managed by mitigating the risk where possible and transferring the risk where it cannot be mitigated or avoided. The primary way to transfer that risk is through an insurance policy designed to cover that exposure.

Utilizing a comprehensive insurance program (Cyber, CGL, E&O, etc...) to transfer the risk is just as important as any piece of software.

 
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29529
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
CVE-2020-29534
PUBLISHED: 2020-12-03
An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.
CVE-2020-17527
PUBLISHED: 2020-12-03
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this woul...
CVE-2020-23736
PUBLISHED: 2020-12-03
There is a local denial of service vulnerability in DaDa accelerator 5.6.19.816,, attackers can use constructed programs to cause computer crashes (BSOD).
CVE-2020-23738
PUBLISHED: 2020-12-03
There is a local denial of service vulnerability in Advanced SystemCare 13 PRO 13.5.0.174. Attackers can use a constructed program to cause a computer crash (BSOD)