I mentioned in yesterday’s blog how AI is one the biggest
buzzwords in the Cyber world today. But
there are many others, and one of them, which quite honestly, I get tired of
hearing about all the time is that of risk.
You hear it all the time, and I have even been asked what is
risk? Well, it can have different
meanings for different people. A lot of
the definition really depends upon on how much of a gamble you are willing to
take if you are hit by a security breach.
You can Google this term, but in my books, I define risk as
how much of a financial loss you can tolerate before the real pain hits the bottom
line. Of course, no business wants to
lose money on anything, but it is a part of what capitalism is all about. You won’t gain anything until you risk. But in Cybersecurity, we are all prone to becoming
victims of an attack.
This is where the monetary part plays a key role. For example, are your bank coffers large
enough that you can sustain some downtime for a little while? Or are you an SMB that after one day, you
could go out of business.
That is what you need to figure out. Obviously, common thinking dictates that a
business would want to mitigate that risk as much as possible. But believe it or not, there are plenty of
them out there who feel that they have a much bigger appetite for this.
Before you get into any component of Cybersecurity, it if
first very important to conduct what is known as a “Risk Assessment Study”. Essentially, this is where you are grouping
all of your assets, both digital and physical, and examining just how prone
they are to a security breach.
Very commonly, an IT Security team would make use of a categorization
scale, such as 1 – 10, where “1” would have the least amount of vulnerability,
and “10” would have the most.
But depending on the size of your business, and what industry
you are in, conducting a Risk Assessment Study can actually be quite a complex undertaking. In order to make sure that you are doing
right from the get go, it is wise you a Cyber vendor who has extensive
experience in doing this to help you out.
But if you want to strike it out on your own, there are
plenty of templates that you can use for free on the Internet. Some of the most
reliable ones to are those from NIST and CISA.
In this regard, the following are some tips that you use to conduct your
study:
1)
Use a hybrid approach:
I have been asked in the past, what
approach is better to use? A quantitative
or a qualitative one? Once again, a lot
depends upon what assets you have.
Although I would err more towards the quantitative approach at first because
numerical values are easier to understand, you really need to take into account
both. This is the only way to get a true
sense as to what you risk posture is, and how much of it you can actually tolerate. That is what I mean by this “hybrid approach.”
2)
Need to get all members on board:
Conducting a Risk Assessment is not
all about the IT Department. You probably
have others as well, and the input that they provide to you is extremely important
in order to calculate your overall risk score.
But, getting other departments involved is by no means an easy task to
do, because they probably don’t understand what the real meaning behind risk
is, and how it can also affect their jobs.
Rather than spending hours teaching the importance of it, perhaps you can
use the concepts of gamification and even use a rewards system to get them involved
to provide their needed input. In other
words, it should not all be up to the IT Security team to do this. Each and every employee in your
business has a stake in this.
3)
Look at impact also:
As I mentioned previously, one of
the primary goals of a Risk Assessment Study is to see how vulnerable your
assets are. But there is also another
key area that you need to factor in as well.
And that is “Impact”. For
example, if your database server is ranked as being vulnerable, you also need
to assess as to what the impact will be if it is indeed targeted and breached. What are the far-reaching implications of
this? Who will be affected? Customers?
Employees? Key Stakeholders? So the equation here is that your overall risk posture
will be a culmination of Vulnerability + Risk Impact.
4)
Keep your Study updated:
Your will probably want to run your
first Risk Assessment manually. Although
it will be a pain to do, at least you will have a firm understanding of what is
happening. But doing this is not a one-time
deal. Your Risk Assessment Study needs
to be updated as much as possible, preferably on a real-time basis. But this does not mean you and your team have
to do it manually all the time. Given the
advances in AI and ML, you can these updates done on an automated basis, and you
can even see everything in one central location.
My Thoughts On This:
If your company is new to Cybersecurity, and you want to get
started with conducting your first Risk Assessment Study, the following,
recommended frameworks you can use (and for free) can be seen at the links
below:
https://www.darkreading.com/risk/how-to-choose-the-right-cybersecurity-framework
But before you embark on all of this, you must first have an
understanding of what risk is all about.
I have actually written and published a book on this some time ago, and
you can see it here at this link:
https://www.routledge.com/Assessing-and-Insuring-Cybersecurity-Risk/Das/p/book/9780367903077
No comments:
Post a Comment