Build a Cybersecurity Risk Assessment Process Funnel

by | Nov 2, 2020 | Blogs | 0 comments

Cybersecurity risk assessment process funnel

If you’re the director of IT for your company, you know without a doubt that there are too many systems, applications, and assets to perform risk assessments on. You’re trying to improve your cybersecurity program and reduce risk by implementing a cybersecurity risk assessment program, and you feel overwhelmed. Several issues are facing you.

  1. The sheer number of systems in your environment.
  2. The concern that you don’t have full visibility of all the systems. The inventory management processes have not yet matured to confidently know everything you have.
  3. Deciding on how to group these systems into a process you can systematically approach.
  4. Ingestion of new onboarding systems. The challenges of making people in your company aware they need to tell you about new systems so that you can perform a proper assessment.

Beyond those challenges are even greater hurdles that could undermine the whole process and cause catastrophic failure. Those greater cybersecurity challenges are:

  1. How are you going to document the results of the risk assessments?
  2. Is there an industry best practice to perform these assessments in a repeatable, and predictable way?
  3. How will the results be categorized and ranked?

And finally, the million-dollar question; Who’s going to care about the results? If you perform a cybersecurity risk assessment on the new CRM or Data Warehouse, and you conclude that it deserves a failing grade, what does that mean to the business?

  • Does your risk score justify saying ‘NO’ to the business?
  • Will your executive leadership support you?
  • Will this damage the business relationships you’ve worked so hard to build?
  • Is the culture of the company mature enough to uphold a security standard expected from systems being onboarded?

You’re the kind of leader that knows that you need to do the right thing even if it is overwhelming. Even if those answers haven’t all been figured out yet. And your surely not the kind of leader that is going to give up and not implement this critical cybersecurity process because it’s hard. We want to help you. Here are four steps to help you mature your program by clarifying requirements and defining the scope.

Write a Data Classification Policy

Policies don’t’ change behavior, but if we want to get executive support with what you’re doing we need this. Whenever we ask someone to do something, we need to consider if it’s; A.) A favor – that requires influence. B.) A standard – that’s a company expectation backed by a signature.   Influence is something all great leaders have, and cybersecurity requires more influence than most other positions I know of. But it can’t be wasted. It needs to be focused and purposeful. Unfortunately, influence doesn’t work well to get risk assessments done.  There are too many assessments to complete, in too many places, involving too many people. So, let’s opt for option B. Creating a written standard that is approved by company leadership that states ‘what thou shalt do’. We’re going to write a data classification policy because we need to determine data classification to get the core of risk. Today’s currency is data. Ultimately, it’s the data inside these systems, stored on them, traversing them, that determines the risk of the systems and assets. For example, the CRM system isn’t critical because it’s a customer relationship management platform. It’s risk critical because we allow employees to store confidential information about clients including their contact information that could be considered PII. And if that data was breached it could impact the revenue of the business. So by starting with a data classification policy we get everyone on board with what is ‘sensitive’ and ‘critical ‘ data. This will set the stage for how we decide what to perform a full or partial risk assessment. It will also help us determine how to throttle the risk assessment requirements.

Differentiae ‘Internal’ and ‘External‘ systems

Differentiating internal and external systems will define the scope of what you’re going to perform. It also prevents any misunderstanding of what’s being done as part of your risk assessment initiative. By differentiating you can build a separate process for assessing the external systems. The benefit is that this can greatly reduce the number of systems you need to assess. External systems should be systems ‘owned’ by external parties. Not systems that you own that are outside the building walls. This is key because once we differentiate external, we can then state that answering the risk assessment questions is the responsibility of the system owner (not you). We can complement this external assessment process with a new title of ‘Vendor Risk Assessments’. Then consider the tools and solutions that make this assessment process easier. At the end of the day, a vendor risk assessment process is very different that an internal risk assessment process. Now that we’ve defined internal and external risk assessments, determined a scope, and have an approved policy we can start the next critical step in our program.

Make business owners aware

The maturity of your cybersecurity program used to be determined by how secure you made it. The maturity of your program today is determined by how well you identify and communicate risk. This is called visibility. Your leadership goal should be to identify risk and clarify that risk to the person owning the risk. The person that is responsible for introducing that risk to the business. Once they see and understand it, you can offer to advise them on how to handle that risk. As we all know, and we’ve talked about in other articles, how we handle risk is called ‘Risk Treatment’. There are four ways to handle risk:

  1. Remediate – fix the core risk so that it no longer exists.
  2. Mitigate – implement other things so that the risk cannot be exploited.
  3. Transfer – move the risk to someone else, like an insurance provider.
  4. Accept – determine that the cost outweighs the risk and they (not you) accept it.

 

Build your risk assessment process

This is too big of a topic to get all in one article, so we’re going dive into this throughout the next several articles. But for now, let’s give a high-level summary.

cybersecurity risk assessment funnel

Step #1. Determine the data classification of the system.

Ask the system owner to read the data classification policy and tell you what classification of data is in this system.  You want their response in writing. We’re not trying to be a jerk here, but we are enforcing a process that makes people accountable for risk. This step in the process helps begin the journey, that we as cybersecurity leaders truly want, of shifting risk away from the sole responsibly for the technology department onto the shared responsibility of the owners bringing that risk into the business. It starts here with them attesting to the level of data. This is probably the first time they’ve considered the burden of what they are doing. Up until now, they were focused on other business drivers like;

  1. Increased revenue
  2. Lower cost of operations
  3. Hero status of doing something cool

 

Step #2. Identify Threats

Again, we’ll have a whole separate post on how to do this step. For now, think about how not all assets have the same threats. Not all industries have the same threats. The determination of risk is dependent on determining threats. This a foundational risk assessment step. How can you create a process, and or template, to consistently and repeatability, identify the threats to systems being risk assessed?

Step #3. Assess vulnerabilities

Again, this is a core principle of any risk assessment process. With the help of a basic vulnerability assessment tool, you can often quickly perform this step and show the results. This is probably the easiest step in this process.

Step #4. Determine the impact and likelihood

It’s key to include the business system owners in this step. The impact of a system outage can only be determined by the business process owner. This should not be done by cybersecurity or the director of IT. Your job is to create an ‘impact chart’ that helps them determine the severity. Then ask them to review and tell you what the impact is. This again helps drive the security awareness we want as a culture change. It also shows ownership. Finally, it requires their input to finish any risk assessment. At some point, you may want to measure and report on how many assessments were attempted and how many did not finish. This failure can be transferred back to the business.

Step #5. Prioritize

From all these steps we’ve accomplished, we should now have a risk ranking of some kind. The risk ranking can determine and estimate how much time it takes for our staff to perform a proper risk assessment. We can start to measure the average hourly investment of our staff and the total time from ingestion to finish (because remember, some of this is dependent on the business owners). With that estimate, we can propose a risk level of systems that you will perform a fully comprehensive risk assessment on. That level can be supported by your proposal based on your current staff resources. Often when I consult with a company, they’re just getting started formalizing their risk, assessment process. It’s overwhelming. The best thing we can do is just get the ball rolling with a statement like, ‘Comprehensive cybersecurity risk assessments will be performed on all CRITICALLY ranked systems’. This statement says a lot more than what is written. What is says is that you’re not going to perform a full risk assessment on 80% of the systems because they are NOT critical and not meet the risk ranking that has been deemed appropriate by executive leadership to spend company resources on. The key point here is that you can successfully implement a risk assessment program without performing comprehensive reviews on every system by creating a statement scope around risk rankings.

Conclusion

There is a lot more to cover on how to build a successful cybersecurity risk assessment process. Follow along by either coming back and visiting our blog. Or easier, subscribe to our newsletter below where we send out monthly emails with a list of published articles, interviews, and cybersecurity table-top discussions. We’re going to deep-dive into each one of these risk assessment areas and break down what it takes to mature your program. Do you have any wisdom you can add? We believe in the power of community, so comment below or ping me so we can talk and provide your interview as part of this series. http://https://www.youtube.com/watch?v=9TMgP6WaACc

 

Next

Part #2 – People

Cybersecurity Risk Assessment Funnel – (part #2) People

Submit a Comment

7 Ways to Improve Your Cybersecurity Reporting to Executives and the Board of Directors

A guide for cybersecurity leaders that will help you gain the reputation of a solid leader, while preventing you from making the mistakes I made when I was projected into reporting. This guilde will equip you and remove the stress and anxiety so that you can be clear and bold in your opportunity to prove you're the right person for the role, and your plan is on track!

You have Successfully Subscribed!