Tips for Prioritizing Risk in Your Risk Register

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer, Netflix
Date Published: 24 July 2019

News outlets across the world report that organizations of all types continue to suffer grave impacts from cyberthreats and incidents. Those organizations that have not yet experienced such an event find themselves wondering if the latest ransomware attack or personally identifiable information (PII) data breach could impact their enterprise.

A threat is not a risk. Just because something can happen does not mean it will happen. Risk is dependent on the vulnerability of the enterprise to the effect of a particular threat or set of conditions. Perhaps as a result of the constant chatter of news outlets reporting cyberthreats that have materialized as realized risk to multiple organizations, a largely reactive system of risk management has been created. True risk-based planning for relevant impact scenarios or selection of controls is often unrewarded or unnoticed. However, it is the job of those tasked with risk management to look past the “cyberevent of the week” and remain focused on managing the risk with the highest impact should it actually materialize. This is where risk prioritization can help.

The Getting Started With Risk Management white paper, available from ISACA®, includes guidance for risk identification, analysis, evaluation and prioritization, reporting on risk, monitoring risk under management, and improving the risk management process. The following tips help prioritize criteria to consider when determining which risk to address first, second, third and so on:

  • Focus on the organization’s mission and strategic objectives as the starting point to determine which risk, if realized, would have the greatest impact on the enterprise. Brainstorm until a robust set of plausible and relevant scenarios emerges, considering the organization’s business, mission, level of response capability and dependence on third parties.
  • Define the enterprise’s most important products and services and the underlying technology that supports the delivery of those products or services. Looking at a technology asset in the context of the mission and strategy helps determine the criticality of that asset. The criticality of an asset is a key criterion in deciding which risk to address first.
  • From the list of enterprise products and services, make a list of vendors, service providers, suppliers or third parties that provide some or all of the resources needed to deliver the product or service. Looking at service providers and vendors in the context of mission and strategy helps determine the criticality of third parties and, subsequently, helps prioritize the risk.
  • Perform research and ask subject matter experts inside and outside the organization to help determine the probability or likelihood of a certain scenario materializing. Some threats are not relevant to the organization or the organization may not possess the vulnerability that allows the threat to materialize.
  • Focus on the risk with the most potential impact on the enterprise. Which risk, if realized, would have the greatest impact on the ability of the organization to continue to deliver its products and services?
  • Ask the senior leaders or board of directors to vote on which scenarios would have potentially the greatest impact on the enterprise. Their answers may be surprising and may also provide insight to help refine both risk appetite and risk tolerance statements.
  • Assess the enterprise’s capability to detect and respond to a given scenario or set of scenarios. Some organizations fall below the cybersecurity poverty line and are not able to adequately respond to one or more scenarios. This is a real risk to many organizations, especially those that continue to operate in deep technical debt. Enterprise senior leadership must be aware of this situation if relevant so they can decide the best course of action.

The main drivers for risk management include the need to improve decision-making in enterprises, align risk management resources to address the risk with the greatest potential impact on the enterprise, and build the capabilities and resources necessary to detect and respond to realized risk.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.