An essential function of a cybersecurity program is the management of cyber risk.
You’ll manage it on a daily basis as part of the operational functions and projects your team performs.
But you only have a limited number of resources to manage an endless number of cyber risks.
How will you know which risks are worth the effort to manage?
Prioritization Is the Key
It’s not enough to have a bunch of “high, medium, and low risks.”
As a good cyber risk manager, you need to know how to prioritize your top risks so you can smartly allocate your resources to get the biggest benefit.
Prioritization Through Measurement
Now, to manage something well, you need data. That means you need to be able to measure the risks.
Ideally, you will be able to quantify your risks in a way that allows executives to make the same kinds of smart, thoughtful decisions they do with other top business risks, like sales, fulfillment, and accounts receivable.
Your cyber risk management options fall along two dimensions:
- Formal versus informal methods
- Quantitative versus qualitative assessment
Let’s take a look at each dimension and the choices within each one.
Formal Versus Informal Methods
The first dimension is Methodology, which is the step-by-step process you’ll follow.
There are formal methods such as:
- ISO 27005 (Information Security Risk Management)
- NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)
- Factor Analysis of Information Risk (FAIR)
- Risk IT, published by ISACA
These are all well-documented, structured methodologies. They are thorough and often complex.
And when you use these formal methods, schedule concerns are often a secondary priority.
As an alternative, there are also informal methods, such as brainstorming the top risks as determined by the intuition of one or more experienced people.
This is often considered “quick and dirty” and is best when you are in an urgent or emergency situation.
Quantitative Versus Qualitative Assessment
The second dimension is how rigorously you conduct the risk assessment.
You can follow a quantitative approach that:
- Is very data-driven
- Uses statistical models and algorithms
- Describes your results using terms such as Annualized Rate of Occurrence (ARO) and Annual Loss Expectancy (ALE)
In contrast, you could choose to follow a more qualitative method which:
- Is favored when there is a lack of time or mathematical expertise
- Has a heavy reliance on interviews and other “unstructured” data
- Provides your results sorted into color-coded categories such as red, yellow, and green
Check for “Fit”
Before choosing along these two dimensions, consider the organization in which you work:
- Formal, quantitative measurements may work best at an engineering or data-intensive company
- Informal, qualitative measurements may work best for a company where quick, intuition-based decision making is highly valued by executive management
Striking a Balance
My bias is towards a balanced, managerial view.
I want my decisions based on data, but I also want to use the most practical method I can find. So, I aim to strike a balance between the two dimensions:
- Semi-formal, so that the work is structured and we can include experts from other parts of the organization, but it won’t take months of effort
- Semi-quantitative, so we have a reliable means of prioritizing our risks and can benefit from a few simple statistical calculations, while avoiding the murkiness of plain red/yellow/green labels
Using this semi-formal, semi-quantitative approach, you’ll be able to generate the first risk assessment in 60-90 days, depending on how large and responsive your organization is.
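The following Python script is an added illustration of the two assessment styles discussed above, the quantitative ARO/ALE calculation and the semi-quantitative likelihood-times-impact score; it is not code from the article or from Cyber Risk Opportunities. The risk register, the dollar figures, the ARO values and the red/yellow/green thresholds are all constructed for the example. It uses the standard relationship Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO), and ranks the same register both ways so the two orderings can be compared.

```python
"""Rank a small cyber risk register quantitatively (ALE) and semi-quantitatively.

Constructed example; all figures are illustrative, not from any real assessment.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float        # Single Loss Expectancy: dollars lost per incident (constructed)
    aro: float        # Annualized Rate of Occurrence: incidents per year (constructed)
    likelihood: int   # semi-quantitative band, 1 (rare) .. 5 (almost certain)
    impact: int       # semi-quantitative band, 1 (negligible) .. 5 (severe)


# Constructed sample register (hypothetical values chosen for illustration).
REGISTER = [
    Risk("Phishing-led credential theft", sle=40_000, aro=2.0, likelihood=5, impact=3),
    Risk("Ransomware on file servers", sle=750_000, aro=0.1, likelihood=2, impact=5),
    Risk("Lost unencrypted laptop", sle=25_000, aro=0.5, likelihood=3, impact=2),
    Risk("Web app SQL injection", sle=300_000, aro=0.2, likelihood=3, impact=4),
    Risk("Insider data exfiltration", sle=500_000, aro=0.05, likelihood=1, impact=5),
]

# Constructed colour thresholds on the 1..25 score; any real program sets its own.
RED_THRESHOLD = 15
YELLOW_THRESHOLD = 8


def ale(risk: Risk) -> float:
    """Quantitative view: Annual Loss Expectancy = SLE x ARO."""
    return risk.sle * risk.aro


def score(risk: Risk) -> int:
    """Semi-quantitative view: likelihood x impact on a 1..25 scale."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def color(s: int) -> str:
    """Collapse a score into the qualitative red/yellow/green label."""
    if s >= RED_THRESHOLD:
        return "red"
    if s >= YELLOW_THRESHOLD:
        return "yellow"
    return "green"


def rank_by_ale(risks: list[Risk]) -> list[tuple[str, float]]:
    """Risks ordered by expected annual loss, highest first."""
    return [(r.name, ale(r)) for r in sorted(risks, key=ale, reverse=True)]


def rank_by_score(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Risks ordered by semi-quantitative score; ties broken by impact."""
    ordered = sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)
    return [(r.name, score(r), color(score(r))) for r in ordered]


def summarize(risks: list[Risk]) -> dict[str, float]:
    """The 'few simple statistics' an executive summary needs from the ALE figures."""
    losses = sorted((ale(r) for r in risks), reverse=True)
    total = sum(losses)
    return {
        "total_ale": total,
        "mean_ale": mean(losses),
        # Share of the expected loss carried by the top two risks: tells you
        # how concentrated the exposure is and where effort pays off most.
        "top2_share": round(sum(losses[:2]) / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    print("Quantitative ranking (ALE, USD/year):")
    for name, loss in rank_by_ale(REGISTER):
        print(f"  {loss:>10,.0f}  {name}")
    print("Semi-quantitative ranking (score, colour):")
    for name, s, c in rank_by_score(REGISTER):
        print(f"  {s:>3} {c:<7} {name}")
    print("Summary:", summarize(REGISTER))
```

Two things the output makes visible: the colour labels alone put "Ransomware on file servers" and "Web app SQL injection" in the same yellow bucket, while the underlying score still orders them (12 before 10), which is the ordering a plain red/yellow/green scheme throws away. The ALE ranking, by contrast, puts ransomware above SQL injection because its dollar impact dominates its low frequency; when the two views disagree, that disagreement is exactly the conversation worth having with the experts you brought in under the semi-formal approach.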
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.