Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/19/2020
02:00 PM
Andrew Lowe
Andrew Lowe
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Yellow Brick Road to Risk Management

Beginning the journey to risk management can be daunting, but protecting your business is worth every step.

Most of us have seen the movie or read the book The Wizard of Oz. Dorothy Gale and her pals faced — and overcame — huge obstacles as they followed the yellow brick road toward the Emerald City. In today's fast-paced world, organizations face a variety of obstacles as they try to grow their businesses. And they share a major hurdle with Dorothy on their way to reaching this goal: risk management.

Risk is inevitable, and organizations must have a way to manage it — because risk that goes unmanaged can turn into vulnerabilities that can be exploited by bad actors. And this can result in loss — of reputation, finances, and confidence from clients and partners. This is where risk management, often with a particular framework you follow to achieve it — like the yellow brick road — comes into play.

Related Content:

Rethinking Security for the Next Normal -- Under Pressure

2020 State of Cybersecurity Operations and Incident Response

The Changing Face of Threat Intelligence

Risk Management Defined
Risk management is defined as the process of identifying, assessing, and controlling threats to an organization. You can manage your organization's risk, either eliminating or reducing its severity, by putting controls in place. These controls are normally guided by a framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the International Organization of Standardization's (ISO) 31000 Risk Management series.

A big part of risk management is protecting your company's and your customers' privacy and sensitive data. And these requirements are not new. For example, the first version of NIST Special Publication 800-53, which covers the steps in the RMF that address security and privacy control selection for federal information systems, was released in 2005; 15 years later, it's in its fifth revision. Other compliance requirements, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) released in 2018, and Cybersecurity Maturity Model Certification (CMMC) released in 2020, are increasing the focus on managing these types of privacy and data risks and the need for frameworks to help with that. Now, as a result of the global COVID-19 pandemic, organizations have to adopt some kind of risk management strategy and framework to help them cope with new operational processes, such as staff working remotely on unprotected home networks.

What Standards and Frameworks Are Right for Your Business?
Organizations can choose from a variety of risk management standards and frameworks. Which you choose depends on several variables unique to your organization: budget, current processes in place, and needs. Not implementing the proper one could lead to losing a contract or having to pay a regulatory fine. For example, businesses seeking Department of Defense contracts that process sensitive data will be required to implement Cybersecurity Maturity Model Certification. US companies wishing to partner with Japanese organizations must have ISO 27001 accreditation, an information security management standard that is different from ISO 31000.    

If your organization doesn't have a regulatory body forcing the issue, you should still consider putting a framework in place to better manage risks and help protect your business from hackers and other cybersecurity threats. These situations can and do have real-world adverse business outcomes, including taking down your e-commerce business or confiscating all of your data through a ransomware attack.

The first step to take when embarking down the road to risk management is to pick a framework that complements rather than disrupts your existing practices and meets your business needs. Here are a few of the most common frameworks and the types of organizations that typically use them.

Framework

Use case

Risk Management Framework

Federal agencies

Cybersecurity Framework

Nongovernmental organizations 

Federal Risk and Authorization Management Program (FedRAMP)

Cloud services providers

ISO 27001

Private industry

NIST Privacy Framework

All

Next Steps
A variety of tools are out there to help you implement the best framework and risk management strategy for your business needs. Most organizations use a third-party tool or resource, such as governance, risk, and compliance (GRC) software that can be aligned with the framework you choose or professional services that can help you navigate the different requirements. Some GRC tools are managed services that combine a software as a solution with expert staff that handle the process. These approaches can offer you visibility and control over your risk decisions and build out the risk management and system security programs aligned to your business strategy.

Beginning the journey down the yellow brick road of risk management can be daunting. But protecting your business is worth every step of the way. 

Andrew Lowe serves as Senior Information Security Consultant for TalaTek, an integrated risk management firm in Northern Virginia. He has more than 10 years of information security experience, including risk management and compliance program development and implementation, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lowebrew
50%
50%
Lowebrew,
User Rank: Author
1/6/2021 | 4:46:26 PM
Re: Risk Transfer & Risk Management
Hey mcavanaugh1,

Thank you for continuing the conversation!

Risk transfer for sure is an important part of a comprehensive management program, along with being an important risk management method. Other important risk management methods include risk avoidance, risk acceptance, risk mitigation, and other risk management methods, which all can fit into the puzzle we have to piece together to build a risk management program to manage risk. Risk is never possible to completely eliminate, no matter what framework or software is implemented/deployed, but we have the tools and methods to make that risk footprint smaller.

Risk transfer utilizing a comprehensive insurance program is a very powerful tool, if your budget allows it. Risk transfer should be considered, based on the risk tolerance of your organization, severity of the risk itself, and the cost of damage that can occur if the risk is not managed properly. Along with insurance programs, you can also transfer risk by utilizing cloud to take on the technical and environmental risk such as having technical experts in a protected enviroment that has failsafes in place for your data, and aren't disrupted by mother nature due to database placement of the cloud providers' facilities.

Thank you and Happy New Year!
mcavanaugh1
100%
0%
mcavanaugh1,
User Rank: Moderator
11/19/2020 | 9:09:23 PM
Risk Transfer & Risk Management
One portion of a comprehensive Risk Management program that you are forgetting is Risk Transfer. Risk Transfer is just as vital to the success of a Risk Management program as the implementation of any software platform or roll-out of a framework. 

It is impossible to remove all of the risks in any activity without completely avoiding it however the risk can be managed by mitigating the risk where possible and transferring the risk where it cannot be mitigated or avoided. The primary way to transfer that risk is through an insurance policy designed to cover that exposure.

Utilizing a comprehensive insurance program (Cyber, CGL, E&O, etc...) to transfer the risk is just as important as any piece of software.

 
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...