In my previous post, I shared with you the importance of knowing what you’re protecting – what assets and data you have. It is also important to know your risk profile.
In the same way that it’s important to conduct a risk profile to guide how investments are allocated in a portfolio, a cybersecurity risk profile outlines a company’s known risks, policies and practices to guide how far you need to go and are willing to go to safeguard your assets and data.
The most basic approach to beginning a risk profile is to conduct information gathering on the internet by looking up your company name and reviewing the search results. A more professional alternative that produces more extensive insights is to hire a consultant or solution provider to conduct penetration testing.
Either way, these methods help you determine how much visibility into your company is freely available. For instance, is it obvious on your website that you service credit card companies? If it is, your risk would naturally be higher. Assessing the amount of data you have, and how much of it – if any – is encrypted, also determines your risk level.
As job roles change and legacy environments evolve, the tribal knowledge of what you’re protecting can be lost, so it’s important to keep proper documentation along the way. A lack of proper documentation results in higher risk, not just from a security perspective but also in terms of availability if a system were to go down and nobody knew how it was built.
A great exercise to consider in determining your risk profile is to hire a third-party consultant to conduct a security assessment. This assessment helps with understanding not only what you have and what you’re trying to protect but also what’s being monitored. You might have a lot of great security solutions in place, but are they being monitored, maintained and updated regularly?
A security assessment is particularly helpful with navigating around silos. It’s common for security solutions to be deployed in silos, and this can present threats in the void where one solution ends and another begins.
On the topic of silos, I recommend establishing a security board within your organization, as well as security ambassadors within each department. The security ambassadors are liaisons between the security team and their department. This really helps with back-and-forth communication and spreads ownership of security, along with accountability for it, across the organization.
By default, you should have an annual risk management review. Both the review and the risk scoring should follow a consistent, repeatable process. This documentation and awareness help your leadership team determine overall risk and the level of funding to put toward mitigating or reducing it.
It also helps your organization decide whether you’re going to accept, reduce or reject risk. Generally, it’s best to avoid rejecting risk; instead, you can reduce risk by adding security controls, or accept it, for instance when the risk is low enough that your organization doesn’t feel an investment in resolving the issue is warranted.
Information Security Program
Through your risk management processes, it’s likely that you will find it’s time to update your information security program. This includes reviewing your information security policies. I recommend maintaining one comprehensive policy document and updating it on an annual basis. Beyond that, you also want to have procedures and standards so you can train your company in security awareness and stewardship.
It’s important to note that your organization’s leadership should be part of the decision-making process when it comes to your risk profile. For one, it helps with securing the budget for solutions that reduce risk. But it also sends a message to users across the organization that security awareness and stewardship are important to the company and its leaders.
I’ll share more security insights in future posts in this series. Subscribe to this blog to receive notifications when those posts are published. In the meantime, share your comments below on this topic, and check out our on-demand webinar, "IT Transformation through Security," featuring more security insights.