Risk Management

 

HUGE thanks to the fantastic panel and to SideChannel that partnered with us to deliver this new back-to-the-basics series! This was such a tremendous public service. Fighting cybercrime is a team effort, so watch the webinar and join us. I can promise you will never have a dull moment 🙂

You can watch the entire 1-hour webinar above or read the short write-up below if you don’t have time to watch the whole recording.


Let's start.

What Is IT Risk Management And Why We Think It Won’t Happen To Us

I just can't wrap my head around this. You leave your job, start a business, put your heart out, and basically are everything at the beginning - the product, accountant, marketer, sales, and the bank. It's a roller coaster, and you and your family are all in!

And then you lose it all because you didn't freaking enable Multi-factor Authentication, or you used a simple password! 

Why do so many people overlook the risk of a security breach and have the mindset that "it won't happen to them."


It’s hard to quantify Risk. Risk Management  is about behavior. I really liked the example Igor Voluvich shared with us. Igor rides motorcycles. He said that some people take their helmets off when they cross the border into Florida because no law requires a helmet in Florida. When asked why? They answer that they want to feel the freedom and the wind blowing on their face. But in the unfortunate event of an accident, they may feel the concrete on their face. You see, Risk Management is subjective, people have different attitudes towards risk, some are risk-averse, some are risk takers, and some don’t even acknowledge the risk.

Also, many small businesses don’t realize that because of this mindset, criminals use them as a gateway to their bigger clients. 

To overcome this challenge, people need to be educated about Risk Management, because if they don’t even acknowledge the risk, they can’t do anything about it. 

What Is Risk Acceptance And Who Gets To Decide What Risk Is Acceptable And What’s Not?

Because people have different risk tolerance, we can’t leave it to each their own when it comes to risk assessment. Risk is a business decision. The company’s senior executives or those who own the business should be accepting or rejecting risk and everyone else should follow. 

However, defining the risk tolerance isn’t enough. You need to communicate with the team what is acceptable.  For example, through Security Awareness training. It’s the companies responsibility that people understand the risk and what to do about it.

How do you prioritize risk?

Risk assessment and prioritization starts with a candid dialog and information gathering. You just can't protect everything the same way, you’ll get overwhelmed. One example is to ask, what can a bad guy do to the company if they had full access to the network for 24 hours. How will they take down the company? What are the things that will create the most significant impact on the business? Before defining risk tolerance, you need to understand what you are trying to defend. And to do that, you need to know how the business works.

Most importantly, how does the company make money? You can’t build a threat model without understanding the business model. If you don’t know how a business makes money you can’t protect its cash flow.

Once you understand that, you can start protecting the biggest moneymaker component. Money doesn't fall out of the sky. There are a set of systems, people, and processes, and you need to protect them. If it's People, look at those with the most access, like Admins or Key People. Also, check that the processes work the way they should work and that no one can breach them. 

Who is Responsible for Cyber Security Risk?

Let's start with the short answer - it's everyone's responsibility. No different than physical security. You wouldn’t go and put your finger into a machine you are not supposed to even get close to. The company should place appropriate signage, but you still have a personal responsibility for not getting hurt. The same goes with cyber security. 

Cyber security isn't a silo. It's another dimension of the business. Sometimes it's perceived as friction, but it's an enabler. Security is like car brakes. They were invented as a solution for going fast. It's the ability to stop quickly that allows us to travel fast. Without brakes, we would all be driving very slowly.

Security is part of every aspect of the business. It needs to be integrated into every part of the business. 


Can You Solve Risk with a Product?

Short answer - NO. However… It can help with efficiency and streamlining processes. A security questionnaire won’t help if people answer what they think you want to hear instead of what keeps them up at night. For example, suppose transaction velocity has the most significant impact on revenues. In that case, a security questionnaire that focuses just on protecting data may not be enough.  

You can buy all the Risk Management Solutions in the market, but it’s useless if you don’t know what you want to solve. The product needs to be configured in a way that makes it actionable. Risk Assessment Tools help with efficiency, but you need oversight and governance. 


Is Compliance Considered Risk Management?

YES, if complying with regulations acts like a door opener to a revenue stream. Compliance is not a stand-alone thing, it’s an enabler for the business. It’s like your “hunting license” in regulated markets. 

For example, If you fail a government audit, you may not be able to work with the government. Once again it’s a business decision. If 10% of your business comes from government contracts, then not complying means you give up the 10%. It’s up to you to decide. 


How Do You Present Risk To The Board?

What's your security program based on? What Risk Management Framework are you using? You can't go deep diving into technicalities when talking to the board. The board doesn't understand vulnerability management, password complexity, ect. They are looking at the bigger picture. How does security map to business and compliance objectives? Many Risk Management and Security frameworks have mapped security controls for you. One of them is NIST, but there are others. Pick a Risk Management Framework and stick to it all the way through. This will help to show progress.

You can even start assessing risk with something as simple as Red, Yellow, Green.

 

Probability  X Impact  = Risk

 

If something has a High (Red) Probability and High (Red) Impact, then it's High (Red) Risk.

 

That's easy to communicate. Now you can place controls that will reduce the risk. 


How Do You Communicate Risk To All Employees?

You need to have an information policy that people will understand and remember. If you ask people to read, make it no more than 3 pages and in human-readable language. If you have a security awareness training program, make sure it’s short and to the point - like we do at Wizer. Otherwise, people will start zoning out.

People are the most important. Controls won’t work if users click without thinking. Users have to know they are part of the overall security program. But the controls should act like guardrails and not spikes on the road. You want to get them back on track, not stop them from being able to do their job.  

Also, the reality is that you can’t defend against everything. It’s inevitable that someone will get in, and therefore you need an incident and response plan. And you want people to know how to report if they spot anything strange.


How Do You Know Your Risk Management Program Works?

You test it! You rely on telemetry. You can always find some data. Test it like a bad guy will attack. Not just the system but the program. Do a realistic pen test. Impersonate the attacker. 

Performing a risk assessment once a year is never going to work. The business is dynamic. What was good yesterday may not be good today.

And if you did accept the risk or what is referred to as a Risk Acceptance Letter (RAL), don’t forget about it. You need to go back and ask yourself, do I still accept this risk?

Thank you to our esteemed panelists:

  • Michael Waters - Chief Information Security Officer, vCISO, CMMC Registered Practitioner

  • Brian Haugli - Managing Partner, SideChannel | CEO, RealCISO.io | Host of #CISOlife | Published Author, "Mastering the Fundamentals Using the NIST Cybersecurity Framework"

  • Tony Faria - Fortune 500 CISO | Financial Service | Security Governance | Cyber Risk | IT Security | Security Operations | Regulatory Compliance

     

  • Igor Volovich - Security Strategist · CISO · Security Shark Tank™ Winner · Advisor