Over the next several posts on this blog, I’ll describe how to measure, understand, and manage cyber risks at an executive level.
We’ll build on everything that we’ve covered so far about cybersecurity program design. Done well, you’ll be able to manage information and cyber risks, and meet the four goals of your cybersecurity program, which are:
- To achieve your customers’ expectations
- Be resilient to cyber-attacks and cyber failures
- Be compliant with laws and regulations
- And, become an unprofitable target by practicing great cyber hygiene
To provide useful examples, I’ll show you the tools and methods I use when I’m on the job.
Cyber Risk Management Lifecycle
Here’s our overall lifecycle for managing cyber risks. There are five phases:
- We’ll start by doing a fair amount of preparation
- Then, we’ll measure our risks
- Once we have our measurement data, we can analyze it to understand which risks should be top priority for us
- That will set us up to propose specific actions to manage our most serious risks
- Finally, we’ll regularly communicate the results with our key stakeholders
Preparation for Managing Cyber Risk
By now, you should have chosen your framework and the controls you’ll expect to see your organization following. I’ll use the NIST cybersecurity framework for the rest of this guide.
You also need to set the scope of your risk management efforts.
It’s usually best to focus on your highest value information assets, like trade secrets, your finances, and sensitive information about employees and customers. Be sure to look beyond your compliance mandates; otherwise, you won’t cover all your bases.
There’s a lot of work involved in managing cyber risk, and you’ll need to coordinate with many other people, so be sure to document your plan and refer to it as you go.
Make Your Cybersecurity Project Plan
Your plan should include:
- Major milestones
- The specific tasks that need to be completed to achieve each milestone
- The names of people assigned to each task
- And deadlines for all tasks and milestones
If you’re not sure how to do all that, get help from someone in your organization who is experienced with project management.
Here are some of the tasks you need to put into your plan:
Make Your Communications Plan
The communications plan is a package of specific messages you will deliver through various channels at specific times to set expectations and gain support from your boss, peers, and other stakeholders.
In my experience, sending an email to someone a day or two before you need something to support this work won’t be good enough:
- There’s a good chance they’ll skip over your unexpected message
- They’re already busy working on higher priority items that were given to them by their supervisor
- Even if they want to help, two days is often not enough to rearrange their schedule
So, unless you’re experienced at creating a communications plan that utilizes a sequence of pre-written messages delivered over multiple channels, I encourage you to get help from someone in your organization who has done it a few times.
Get a Notebook
You’ll need a single place to record your measurements.
I use a Microsoft Excel workbook. It not only holds my data, it also lets me perform some basic statistics and visualizations so I can better understand and explain my data to others.
Create a Questionnaire and Interview Schedule
You’ll need to interview experts from across your organization to know what’s really going on at “ground level.”
That means you’ll have to figure out who to interview and create a questionnaire to focus the interviews.
Other Things to Do
You’ll also need to provide your experts with a score key which will help you standardize the raw data you collect.
You might also want to use some data generated by your security systems. If so, you’ll need to come up with a way to fit that data into your measurement system.
We’ll cover all this in future posts as well.
Finally, there are many different ways to measure information risks. You’ll need to choose one.
We’ll cover that next week.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.