Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Andrew Lowe
Andrew Lowe
Connect Directly
E-Mail vvv

The Yellow Brick Road to Risk Management

Beginning the journey to risk management can be daunting, but protecting your business is worth every step.

Most of us have seen the movie or read the book The Wizard of Oz. Dorothy Gale and her pals faced — and overcame — huge obstacles as they followed the yellow brick road toward the Emerald City. In today's fast-paced world, organizations face a variety of obstacles as they try to grow their businesses. And they share a major hurdle with Dorothy on their way to reaching this goal: risk management.

Risk is inevitable, and organizations must have a way to manage it — because risk that goes unmanaged can turn into vulnerabilities that can be exploited by bad actors. And this can result in loss — of reputation, finances, and confidence from clients and partners. This is where risk management, often with a particular framework you follow to achieve it — like the yellow brick road — comes into play.

Related Content:

Rethinking Security for the Next Normal -- Under Pressure

2020 State of Cybersecurity Operations and Incident Response

The Changing Face of Threat Intelligence

Risk Management Defined
Risk management is defined as the process of identifying, assessing, and controlling threats to an organization. You can manage your organization's risk, either eliminating or reducing its severity, by putting controls in place. These controls are normally guided by a framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the International Organization of Standardization's (ISO) 31000 Risk Management series.

A big part of risk management is protecting your company's and your customers' privacy and sensitive data. And these requirements are not new. For example, the first version of NIST Special Publication 800-53, which covers the steps in the RMF that address security and privacy control selection for federal information systems, was released in 2005; 15 years later, it's in its fifth revision. Other compliance requirements, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) released in 2018, and Cybersecurity Maturity Model Certification (CMMC) released in 2020, are increasing the focus on managing these types of privacy and data risks and the need for frameworks to help with that. Now, as a result of the global COVID-19 pandemic, organizations have to adopt some kind of risk management strategy and framework to help them cope with new operational processes, such as staff working remotely on unprotected home networks.

What Standards and Frameworks Are Right for Your Business?
Organizations can choose from a variety of risk management standards and frameworks. Which you choose depends on several variables unique to your organization: budget, current processes in place, and needs. Not implementing the proper one could lead to losing a contract or having to pay a regulatory fine. For example, businesses seeking Department of Defense contracts that process sensitive data will be required to implement Cybersecurity Maturity Model Certification. US companies wishing to partner with Japanese organizations must have ISO 27001 accreditation, an information security management standard that is different from ISO 31000.    

If your organization doesn't have a regulatory body forcing the issue, you should still consider putting a framework in place to better manage risks and help protect your business from hackers and other cybersecurity threats. These situations can and do have real-world adverse business outcomes, including taking down your e-commerce business or confiscating all of your data through a ransomware attack.

The first step to take when embarking down the road to risk management is to pick a framework that complements rather than disrupts your existing practices and meets your business needs. Here are a few of the most common frameworks and the types of organizations that typically use them.


Use case

Risk Management Framework

Federal agencies

Cybersecurity Framework

Nongovernmental organizations 

Federal Risk and Authorization Management Program (FedRAMP)

Cloud services providers

ISO 27001

Private industry

NIST Privacy Framework


Next Steps
A variety of tools are out there to help you implement the best framework and risk management strategy for your business needs. Most organizations use a third-party tool or resource, such as governance, risk, and compliance (GRC) software that can be aligned with the framework you choose or professional services that can help you navigate the different requirements. Some GRC tools are managed services that combine a software as a solution with expert staff that handle the process. These approaches can offer you visibility and control over your risk decisions and build out the risk management and system security programs aligned to your business strategy.

Beginning the journey down the yellow brick road of risk management can be daunting. But protecting your business is worth every step of the way. 

Andrew Lowe serves as Senior Information Security Consultant for TalaTek, an integrated risk management firm in Northern Virginia. He has more than 10 years of information security experience, including risk management and compliance program development and implementation, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/6/2021 | 4:46:26 PM
Pending Review
This comment is waiting for review by our moderators.
User Rank: Moderator
11/19/2020 | 9:09:23 PM
Risk Transfer & Risk Management
One portion of a comprehensive Risk Management program that you are forgetting is Risk Transfer. Risk Transfer is just as vital to the success of a Risk Management program as the implementation of any software platform or roll-out of a framework. 

It is impossible to remove all of the risks in any activity without completely avoiding it however the risk can be managed by mitigating the risk where possible and transferring the risk where it cannot be mitigated or avoided. The primary way to transfer that risk is through an insurance policy designed to cover that exposure.

Utilizing a comprehensive insurance program (Cyber, CGL, E&O, etc...) to transfer the risk is just as important as any piece of software.

When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...