I’m continuing my long series of posts that describe how to implement an information security program. Currently, we’re in the section I call “How to Measure Cyber Risks.”
Now it’s time to figure out where you will measure your information risks. Talk this decision over with your key stakeholders, such as:
- Your boss
- The business owner of the high-value information assets you’re protecting
- The other people you will report the results to
- Anyone else you will request support and resources from to manage the risks you find
After you’ve spoken with all your stakeholders, set the scope of your measurements. Do you want to produce summary scores for:
- The entire organization?
- Or, just for certain regions or offices?
- Or, for a particular line of business?
- Or, just a particular information asset, regardless of location?
It’s OK for your scope to be a blend of these choices. Just make sure it’s clear.
Once you understand the logical, organizational and geographical boundaries, map out who is responsible for performing the controls you want to measure.
Your first step is to figure out which are centralized. The answer is determined by locating the people, processes, technologies, and management which perform the control for the entire organization. Such as the corporate IT networking team.
Next, figure out which controls are distributed. Once again, the answer is determined by the location of the people, processes, technologies, and management which perform the control for a specific office or line of business. Such as the Boston office desktop support team. This isn’t the same as a support team that operates from Boston but serves the entire organization.
Or, is it a hybrid situation, where more than one group is involved? An example is when a manager in a remote office approves the creation of a new user account, but the account is actually created by a centralized team in a different part of the organization. If so, list the groups by name.
It’s OK to ask more than one person to measure the control. In fact, having multiple measurements for the same control will provide you with deeper insights, as we’ll discuss in a future post.
Whenever you get more than one score for a control, just calculate the mean, or simple average, of all the scores you collected for that control.
Next week, I’ll tell you how I did it for two very different organizations using the NIST cybersecurity framework.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.