Cybersecurity risk management: Best practices and frameworks

Why cyber risk management is important

Modern businesses rely on data and the extensive IT infrastructure required to store, access and process that data. Cyberattacks threaten to steal, alter, block or destroy that data in ways that disrupt an organization's normal operations. Cyber risk management intends to find where such attacks might strike, mitigate the effects of such attacks if they occur and prevent such attacks from occurring in the first place. Cyber risk management allows the business to protect systems and data, respond to attacks quickly and effectively, keep the business running normally and adhere to prevailing regulatory or legislative obligations.

The benefits of cyber risk management include the following:

• Raising security awareness. Prevention and mitigation are impossible without awareness. Cyber risk management uses risk assessments to find and evaluate vulnerabilities. Only then can those risks be addressed through changes to infrastructure, practices and behaviors.
• Preventing cyberattacks. Cyber risk management allows a business to prevent (or at least mitigate) attacks designed to access data and disrupt normal business operations. Common attacks range from phishing, malware introduction, ransomware and unauthorized intrusion.
• Ensuring business continuance. The data loss and business disruption caused by malicious attacks can be extremely costly. Cyber risk management implements the infrastructure and practices intended to keep the business running normally when attacks occur and can dramatically reduce the costs of security incidents.
• Preserving regulatory compliance. Modern businesses require sensitive data that is often governed by regulatory obligations (including the need for cyber risk management). Successful attacks can lead to compliance breaches and expose the business to costly litigation. Cyber risk management can help the business meet its regulatory obligations by protecting sensitive data, preserving critical systems, and ensuring business operations.
• Protecting reputation. A successful cyberattack can do significant damage to an organization's reputation. Customers, partners, employees, creditors (including lenders and VC sources) and even regulators and legislators can lose faith in the organization's leadership and long-term competitiveness or profitability. Some businesses never fully recover from a successful attack. Cyber risk management can prevent and mitigate attacks, building trust and loyalty to the business and its brand.

Key components of cybersecurity risk management

Cybersecurity risk management is a comprehensive approach to security. It covers threat identification, understanding, mitigation and response. It requires the following:

• A keen knowledge of the prevailing threat landscape.
• An objective understanding of current vulnerabilities.
• The skill to design, implement, configure and maintain security technologies and practices.
• The ability to respond to incidents when they occur.

Five fundamental components underpin a cybersecurity risk management strategy: identification, assessment, mitigation, monitoring and response.

Risk identification

Risk identification is the process of finding vulnerabilities, and it is the first step in any cyber risk management process. Identification starts with a comprehensive inventory of all IT assets, including the following:

• Physical devices and infrastructure.
• Software-based services -- such as databases.
• Applications -- such as productivity, ERP or CRM systems.
• All data assets produced, stored and used by the business.

Identification also demands a thorough understanding of the potential threats to those IT assets. Threats can be many and wide-ranging, such as malware, intrusion, and human actions. This is what you face.

Finally, it's time to determine the vulnerabilities -- the places where prevailing threats overlap weaknesses in systems, services, applications, configurations, or practices. You can't stop what you can't see. Identifying potential vulnerabilities is typically the most critical part of cyber risk management.

Risk assessment

Once vulnerabilities are identified, decide just how serious each vulnerability might be -- should it be successfully exploited. Assess each vulnerability for factors such as potential business disruption, regulatory or legal exposures, financial losses and reputational damage. Numerous cybersecurity risk quantification techniques are available to help quantify risks in terms of severity or financial consequence.

Once each vulnerability is ranked for how serious a successful breach would impact the organization, determine the probability (likelihood) of a successful exploit or incident. All potential attacks must be taken seriously and can potentially occur, but not all risks are equally as serious or as likely.

An objective analysis of seriousness and likelihood allows vulnerabilities to be prioritized effectively. The organization can focus on the most serious and most likely threats, while de-prioritizing the least likely and least serious threats.

Risk mitigation

Once risks are prioritized, business and technology leaders can develop appropriate controls designed to reduce (even prevent) risks from being exploited successfully. This typically involves multiple options, including the following:

• Technological updates and changes to the infrastructure, such as implementing an intrusion prevention system.
• Procedural or policy changes -- such as implementing zero-trust user authorization.
• Incident response planning and preparation.
• Employee training around security awareness and policies.

Risk monitoring

Planning for threats isn't enough. Actively monitor, detect and respond to threats as they occur -- typically in real-time. This involves the use of security monitoring and alerting tools. When an incident occurs, the security team can address the incident and initiate an appropriate response. AI-powered threat detection tools with automated mitigation are increasingly important to address attacks in real-time. Regular reporting gives management access to periodic security metrics and effectiveness assessments.

Cyber risk management is not a one-time effort, but an ongoing process that includes regular reviews of vulnerabilities, security controls and policies and responses. This lets the business make regular adjustments to its security posture as threats emerge and business needs change.

Incident response

When an attack is detected, the security team is alerted and can initiate an appropriate response. Teams use existing incident response plans to contain the attack, prevent further damage, and recover promptly from the incident. An incident response might also include post-mortem analysis and discussion, often leading to changes in risk assessment, prioritization and response.

How to choose the right risk management framework

Selecting the best framework for an organization's cybersecurity risk management initiative can be difficult. Many risk management frameworks focused on cybersecurity exist, but each one is different. Major frameworks such as NIST CSF, ISO 27001 and COBIT use significantly different approaches and cannot be used interchangeably.

Adopting the correct framework demands careful consideration of the organization's specific needs, risk tolerance and risk profile, staff expertise and capabilities with each framework and detailed security needs and compliance obligations. Factors to consider:

Understand the risks

While risk management frameworks can assist organizations in finding and evaluating cybersecurity risks, no framework can possibly make those critical determinations for you. The onus is always on the framework's user to do the following:

• Establish business goals.
• Recognize the prevailing compliance requirements.
• Define the organization's risk tolerance.
• Inventory and track current and future assets.
• Identify vulnerabilities of each asset.
• Objectively define the associated business risks and consequences involved with each vulnerability.

Frameworks can be highly effective in helping to keep each of these points organized and in context, but it's up to business and technology leaders to complete the details themselves.

Match the framework to the business

The selection process should involve a range of suitability considerations that can match each framework's strengths and capabilities to the organization's specific needs. Typical criteria include the following:

• Business size. Ensure the framework is suited to the organization's current size and complexity and scalable enough to meet future needs.
• Unique needs. Consider any unique security requirements for the specific business or industry type and ensure that the selected framework will properly evaluate and include the risk discussions for those requirements -- such as support for PCI DSS security in businesses that process credit card payments.
• Staff expertise. Frameworks can be complex and comprehensive mechanisms. It requires skilled staff to use frameworks to their best advantage. This can make more familiar frameworks faster, easier and more successful to implement than others.
• Cost. Framework implementation and management can impose significant time and resource requirements. Budget-sensitive organizations might select a simpler and less detailed framework that is faster and less costly to implement and manage.
• Avoid overlap. Consider any existing security controls or risk management tools already in place across the enterprise and determine whether those controls are mutually beneficial or whether they simply duplicate time and effort -- leading to wasted cybersecurity resources.

Implementation considerations

Review customization options available for each potential framework. Customizations help tailor the framework to the organization's internal needs (such as scripting capabilities to automate and streamline common tasks). Evaluate the use of KPIs to provide objective measures of risk management effectiveness. Some metrics may be available out of the box, while others may need to be adjusted. Finally, assess the kinds of reporting capabilities that the framework might provide for risk alerting and monitoring.

Select an appropriate framework

Ultimately, an appropriate framework can be selected and implemented. Many frameworks are available to suit varied business types, detail requirements and risk profiles. Common cybersecurity risk management frameworks include NIST CSF, ISO 27001, COBIT, CIS Controls and others.

Common cybersecurity risk management frameworks

A number of frameworks are well-suited to cybersecurity risk management. Each framework carries its own unique tradeoffs and can provide benefits to different business needs or models. Common cybersecurity risk management frameworks include the following:

• CIS Controls. The Center for Internet Security Controls framework is a community-driven set of 18 prescriptive and prioritized cybersecurity best practices designed to mitigate risk and enhance resilience across IT infrastructures. CIS Controls offer top-level security controls and safeguards, along with implementation guidance, and can support cloud and hybrid infrastructures.
• COBIT. The Control Objectives for Information and Related Technologies framework was created by ISACA and aimed at IT governance and management. COBIT is recognized for aligning IT with business goals and offers detailed guidance on cybersecurity and other IT-related risks.
• COSO ERM. The COSO enterprise risk management framework supports a broader initiative to identify and manage and  enterprise risks, among them cybersecurity risks.
• FAIR. The Factor Analysis of Information Risk framework helps identify and gauge the severity of cybersecurity risks and then express those risks in numerical terms that allow business leaders and stakeholders to better understand the implications of security threats.
• ISO/IEC 27001 and 27002. ISO/IEC 27001/27002 are international standards governing cybersecurity management, including information security management systems. They validate an organization's adoption of international cybersecurity standards and best practices and demonstrate the organization's ability to manage and protect information securely. These standards are suited for many different business types including IT, services, manufacturing, public and nonprofit organizations.
• NIST Cybersecurity Framework. The NIST Cybersecurity Framework is a comprehensive, voluntary and highly adaptable platform for managing and mitigating cybersecurity risks. It provides a structured approach that focuses on identification, protection, detection, response and recovery. A companion framework for AI risk management is designed to gauge trustworthiness in the design, development and use of AI systems.
• RMM. The Risk Maturity Model provides a risk maturity self-assessment allowing organizations to benchmark the alignment of their current risk management practices with RMM indicators. The goal is to create a sustainable, repeatable and mature ERM program. The self-assessment provides the business with a maturity score starting with Ad-Hoc (Level 1) and progressing to the most advanced risk maturity level at Leadership (Level 5).

These are not the only frameworks used for cybersecurity. There are many other options available for specific businesses or industry verticals, among them the Mitre ATT&CK security and Cyber Defense Matrix frameworks. Industry-specific frameworks include HIPAA and HITRUST CSF for healthcare; FERPA, CIPA, and COPPA for education; PCI DSS for payment systems and regional frameworks such as GDPR and Cyber Essentials for the European Union and the United Kingdom

Best practices for cybersecurity risk management

There is no single way to implement cybersecurity or manage risks. Consider these eight best practices as a guide:

• Think like an attacker. Identify risks and deploy threat intelligence resources that educate staff about current and emerging threats. For every threat you see, there may be two more you don't. Risk identification is among the most difficult parts of risk management.
• Trust nobody. Implement zero-trust policies across the board – lock everything down and allocate authorization and access based on clear rules (such as job roles). Apply cybersecurity monitoring and tools to all elements of the infrastructure. Even CISOs get fooled by a phishing scam or download an infected file from time to time.
• Develop clear documentation. Document security policies and practices (such as incident response or acceptable use) and ensure that everyone from employees to executives to partners receive, understand and agree to documented practices. This puts everyone on the same page about security and their respective duties and responsibilities involved.
• Monitor carefully. Use tools capable of comprehensive security monitoring (such as anomaly detection, intrusion systems and behavioral analytics) to oversee activities across the infrastructure and its users. Monitoring tools should provide comprehensive security dashboards for real-time reporting, as well as decisive alerting when potential incidents are detected.
• Respond rapidly. Use automated and AI-based cybersecurity tools to respond rapidly – even autonomously – when an event is detected. The time elapsed between an alert and a response is critical for the business. Better to deny access and possibly annoy a user now (and wait for human intervention later) than risk a catastrophic data breach.
• Test and re-evaluate. Test your cybersecurity preparedness. Generative AI, for example, is being used to produce simulated (white hat) attacks to validate security. Other important practices, such as backup and restore, or incident response, should also be tested on a regular basis. Evaluate the effectiveness of cybersecurity efforts and make regular adjustments to correct deficiencies or meet changing threats over time.
• Guiltless post-mortems. Don't assign blame after an incident occurs. Little silences a human more than humiliation. Incidents are followed by investigation, analysis and discussion. Keep these post-mortem discussions objective. It's easier to gather information, understand events better and take more meaningful corrective action.
• Educate repeatedly. Implement detailed cybersecurity education for employees at all levels. Ensure every employee understands the need for security, their role in security and the possible consequences when security fails. Education is not a one-time effort, but an ongoing business process.

How to incorporate cybersecurity into enterprise risk management

Although every organization supports cyber risk management differently, there are some conventional ways to develop and integrate the concept as part of a strong and effective overall business posture.

• Start with a strong ERM. ERM should support cybersecurity risk management -- not the other way around. A strong ERM clearly defines the organization's risk tolerance (including cybersecurity risks). ERM should also incorporate a well-defined governance structure where business and cyber risk management roles and responsibilities are clear. Finally, use a standard set of terms and concepts for communicating risks so that everyone speaks the same risk management language.
• Look for alignment. Just as ERM seeks to align risks with business goals and risk tolerance, cyber risk management should strike the same relationship between the business and its overall needs. Decisions and initiatives generated by cyber risk management should be consistent with ERM. Otherwise, critical risks can be missed or business goals not addressed.
• Assess risks in business terms. Cyber risk management is often most effective when risks and impacts are expressed in business terms, such as financial or legal impacts. This is typically most consistent with ERM efforts and helps executives understand and prioritize the potential seriousness of risk issues.
• Consistent response plans. Develop and review cyber risk management plans (such as incident response) with ERM plans (such as business continuance). Discuss possible overlaps and resolve potential conflicts so that the business can deliver a unified and consistent response to disasters, data loss, business disruptions and other serious incidents.
• Monitor and update regularly. ERM analysis and discussion is an ongoing process, and cyber risk management should be a key part of those discussions. Anytime the ERM is reviewed and updated, the cyber risk management process should undergo the same scrutiny.
• Use risk management frameworks. Consider adopting a risk management framework such as COSO ERM, NIST CSF or the general ISO 31000 standard. All focus on enterprise risk management, but make cyber risk management an integral part.

Stephen J. Bigelow, senior technology editor at Informa TechTarget, has more than 30 years of technical writing experience in the PC and technology industry.