We all live in a world full of “what ifs.” In data protection, the “what ifs” of data security control effectiveness can drastically change in a spur of the moment. If a malicious actor finds a zero-day exploit or even a previously unknown vulnerability, he/she can cause a domino effect data breach that cuts across your entire IT supply chain.
The Risk Management Process
Risk management is simply the process of shifting from just risk identification to risk analysis. Similarly, it involves establishing foolproof risk mitigation strategies. In its purest form, the risk management process entails making lots of lists. It starts with the risk assessment process, which involves employing a holistic view when it comes to your data storage, transmission, and sharing systems. You also need to evaluate the potential risks to the accessibility, confidentiality, and integrity of that data.
Once you have listed down possible locations where your data can be accessed, it is advisable that you make another list ranking the significance of that information as well as incorporating a review of the possibility of your data getting compromised. This second list should similarly be used to come up with a third list, which explains whether or not you have plans to accept, mitigate, transfer or even refuse the risk. Nevertheless, you must document your reasoning to be in support of those decisions and whatever steps that you intend to take to ensure that your choices are followed through.
Analyzing Potential Impacts of Risk Events
Within the information security context, there are several categories of risk. You should use information of the likeliest events and statistics that are in support of data breach costs to foresee risk as well as approximate impacts.
Vendor Data Breaches
Vendor data breach risks can be devastating. In 2017, the Ponemon Institute reported that 56% of known data breaches occurred as a result of mistakes by third-party vendors. The report similarly indicated that on average, data breach payouts are $7,350,000. This figure includes the cost of customer loss, remediation, and fines.
Verizon’s data Breach Insights Report of 2018 noted that a whopping 73% of reported cyber-attacks were initiated by organized criminal groups and nation-state affiliated malicious individuals. Out of 53,308 security incidents, 2.216 were data breaches while 21,409 resulted from hacking attacks.
Verizon’s report similarly provided information on the impacts of internally-caused risk events. System administrators and end-users accounted for a high number of internal breaches. Of 277 insider issues, the two categories accounted for a startling 134 security issues. On the other hand, social engineering accounted for more than 1,450 incidents with 381 of them being confirmed data disclosures.
Importance of a Risk Assessment Matrix
A qualitative risk review can help you estimate the time that you need to respond to breaches if they occur. This way, it is also possible to assess the impact of that breach. Even though an event may not be likely, its effects can overwhelm the financial stability of your business. When creating a risk assessment matrix, it is advisable that you assess data security risks across a spectrum since this will allow you to focus on impactful and essential risks.
Applying a Project Management Approach to Cyber Security Management Plans
Implementing a security-first approach in cybersecurity is akin to managing a project. You only need to begin with listing down risks that you face as well as creating tasks that will allow you to build, test, and operationalize your data protection. It is advisable to use a Work Breakdown Structure (WBS) since it will give you an excellent platform for creating a cybersecurity risk management plan that is based on a project management approach.
Project managers need to bring together both internal and external stakeholders so that everyone can understand their responsibilities. This will go a long way in ensuring that project deadlines are met. Similarly, Chief Information Officers (CISOs) must bring together department managers who are responsible for tasks related to cybersecurity monitoring and vendor management.
A WBS will help you organize internal stakeholder responsibilities by providing you with information about all tasks and subtasks. Within information security compliance, you also need to undertake a review of standards and regulations to access their parts and subparts.
Project Management and the Creation of Cyber Security Risk Mitigation Strategies
In cybersecurity, it is up to you to choose the regulation and standard that you intend to use to align your controls. In this regard, you must establish procedures and policies for controls since they will ensure business continuity in the event of a breach. Likewise, you must continually monitor threats within your data environment since this will ensure the effectiveness of your controls.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. You can learn more about risk management at ReciprocityLabs.com.