Cybersecurity Risk Management Fundamentals

Cybersecurity Risk Management Fundamentals

Business and information technology have intertwined — it’s hard to imagine a world of commerce and communication not powered by computers, mobile phones, and the internet, now that we have it. Leaps in telecommunications, data analysis, and infrastructure technologies, combined with the blossoming of cloud computing and web-based application solutions has driven work into the digital world.

But as companies take up more digital space, they increase their cyber footprint, and encounter more cybersecurity threats of different types. Companies were not alone in making the shift to increasingly digital operations; malicious actors and criminals also migrated to cybercrime and cyberattacks, employing a variety of tactics to compromise individuals, organizations, and even governments. Confronted with the possibility of data breaches and the associated average cost of $4.45 million, businesses might instinctively want to batten down the hatches and begin implementing security controls left and right. However, the cost of securing all systems and information is quite steep, and not all information needs to be protected at the same level. Taking a one-size fits all approach to each information security risk invites redundancy and excess expenditure.

Faced with the conundrum of protecting organizations from cybersecurity risks while also staying within budget and remaining effective, cybersecurity risk management as an approach was born. By taking a risk management approach to information security, companies focus on their specific profile, objectives, and corresponding cybersecurity risks, prioritizing mitigation of the highest level risks through a defined cybersecurity risk management process and methodology, and avoid boiling the proverbial ocean. Like operational risk management (ORM) and supply chain risk management (SCRM) practices, cybersecurity risk management applies a risk management process to the area of information security.

Using a cybersecurity risk management framework, in addition to focusing initiatives on high-risk areas, helps limit the potential impact of events, eliminates redundancies in security controls, and allows for effective allocation of resources.

Unlocking Operational Risk Management: Empower the Front Line to Effectively Manage Risk

What are The Top Cybersecurity Threats?

Successful cyber attacks can result in data breaches, theft of confidential information, disruption of business operations, and even service outages. Robust information security controls and cybersecurity risk management processes help companies prevent breaches. Organizations can further limit their cyber liability through insurance — an example of transferring risk to another party as a treatment. Some of the top cybersecurity threats facing organizations today are: malware attacks, social engineering or phishing attacks, cyber supply chain attacks, advanced persistent threats (APTs), distributed denial of service (DDoS) attacks, man-in-the-middle attacks (MitM), and password cracking attacks. Here’s a summary of each cybersecurity threat, and an overview of how they work.

Malware Attacks

There are many different types of malware that execute different actions. The general objective of malware is to get a piece of malicious software installed onto your machine for some kind of insidious objective, like to create a backdoor, further penetrate the network, or secretly exfiltrate data from your computer. Ransomware is a particularly nightmare-inducing variety of malware, threatening to lock businesses out of their systems and data unless they pay the ransom. Failure to pay the ransom might incite hackers to destroy the data.

Social Engineering and Phishing Attacks

Social engineering and phishing attacks use psychology and fraud to trick users into supplying confidential information, passwords, or other kinds of company secrets. These attacks may involve a phone call, email, text message, or even social media interaction — some social engineering scams even occur on LinkedIn. In addition to divulging information, social engineering and phishing attempts try to get users to click on insecure links that could install malware onto their device, and thereby cause a compromise.

Cyber Supply Chain Attacks

Several successful cyberattacks have originated from an organization’s supply chain or third-party vendors, rather than a compromise at the company itself. As service providers embed themselves deeper into their customers’ business operations and companies become more reliant on their supply chain, the opportunities for a hacker to infiltrate a target’s suppliers and bypass the target organization’s security are a vulnerability that can be exploited. Effective vendor risk management controls and processes, as part of a comprehensive cybersecurity risk management strategy, can limit the impact of supplier risk.

Advanced Persistent Threats (APTs)

An advanced persistent threat (APT) is a category of cyber threat that uses multiple attack vectors with expertise and a high volume of resources to conduct a persistent attack on a target. The objective of an advanced persistent threat might be leaking data, disrupting the organization, or establishing a foothold in information systems for future exploitation. An APT adapts to defenders and looks to achieve its goals over a long period of time.

Distributed Denial of Service (DDoS)

In a distributed denial-of-service attack, or DDoS attack, a site or service is flooded with fake requests from a botnet that crashes the site and keeps valid users from the service. Persistent DDoS attacks can successfully deny users access for days at a time. Service providers, small businesses, and companies that rely on web-based transactions can be especially affected by this type of attack.

Man-in-the-Middle Attacks (MitM)

Man-in-the-Middle attacks occur when a hacker intercepts transmissions between one or more parties for the purposes of obtaining sensitive information, exfiltrating data, or eavesdropping. MitMs, like other types of cybersecurity threats on this list, can be used in conjunction with other attack vectors as part of an advanced persistent threat, or as an infiltration tactic.

Password Cracking Attacks

Password-based attacks come in several flavors as well. Brute force attacks are common and involve hackers trying dictionaries of passwords to obtain unauthorized access to an account. Successful attackers then look for a way to escalate access permissions to further penetrate the organization.

How do You Develop and Implement a Cybersecurity Risk Management Program?

To develop and implement a cybersecurity risk management process, companies will need to have a good understanding of their risk appetite and business objectives, as well as their IT systems and information. Organizations can build out their cybersecurity risk management programs at their own pace, following a combination of these steps:

  1. Understand your organization’s security landscape.
  2. Identify security risks and gaps in the current state.
  3. Leverage a framework that aligns with industry standards.
  4. Design and conduct risk assessments.
  5. Develop and implement controls.
  6. Monitor and update the cybersecurity risk management program

Understand Your Organization’s Security Landscape

Understanding your organization’s security landscape is a critical first step towards developing a cybersecurity risk management strategy. Part of this phase involves taking an inventory of data held by the organization, information systems, and other IT assets. This “asset inventory” should include digital assets and call out critical assets. Security teams should consistently document their findings, and consider doing interviews with asset owners, process owners, and other stakeholders to better understand the potential risks that could affect the company’s security posture.

Outcomes from this step should include:

  • An asset inventory that:
    • Specifies the risk level of each asset.
    • Describes the asset.
  • An understanding of the security measures in place that form the organization’s cybersecurity program, including written security policies.
  • An overview of the company’s security posture, cybersecurity goals, and business objectives.

Taking the time to build relationships with stakeholders across the organization can yield great results for the future, both in the short- and long-term. With clear communication and some education, security teams can contribute to fostering a risk- and security-aware company culture, starting with the stakeholders and process owners they work with frequently. Preparing other teams for the possibility of remediation requirements and remaining transparent about cybersecurity program goals often reduces friction, laying the groundwork for a positive, productive, and ongoing collaboration between teams at the organization.

Identify Security Risks and Gaps in the Current State

In this step, security teams go from a macro-level view and “zoom in” to the organization’s cybersecurity threat landscape, security workflows, and discrete processes to identify information security risks. Remember that risks here are “What could go wrong?” in the context of cybersecurity — circumstances that could cause data breaches, security compromises, exploitation of vulnerabilities, unauthorized access, or otherwise detrimentally affect the confidentiality, integrity, or availability of information systems and digital assets. The cybersecurity threats discussed earlier — malware, social engineering, and DDoS attacks to name a few — might all be considered cybersecurity risks depending on your organization’s security posture.

As security teams identify cybersecurity risks and document them in a risk register or risk inventory, they should also identify the controls and processes in place to perform risk mitigation. Risks that don’t have associated controls get flagged as gaps for triage and remediation.

Leverage a Framework that Aligns with Industry Standards

With a better understanding of the security landscape and the cybersecurity risks that face the organization, security teams can take a step back and consider leveraging the resources, guidance, and standards from an existing cybersecurity framework that aligns with their company’s needs and industry practices. Some of the most popular cybersecurity frameworks that are available for companies to use are: the NIST Cybersecurity Framework (CSF), the ISO 27000 Family of standards, and the SOC 2 Trust Services Criteria. ISO 27001 and SOC 2 have the benefit of giving companies the option to certify or obtain an attestation, which can then be furnished to potential customers, partners, investors, and other stakeholders to demonstrate the organization’s dedication and diligence in the area of cybersecurity. Each framework covers common control areas, like access control, incident response, firewall configuration management, and risk assessments. We’ll cover some of the basics of each in this article.

NIST Cybersecurity Framework (CSF)

The National Institute of Standards and Technology, also known as NIST, sits under the US Department of Commerce and issues standards for various sectors. NIST was tasked with creating a standard or framework for critical infrastructure security in 2013 and came out with the first version of the NIST CSF in 2014, before revising it in 2018. The 2018 version is what we have today (though NIST is in the process of developing “CSF 2.0”), and it includes five key functions with 23 categories and 20 associated control families that provide guidance on a comprehensive set of cybersecurity risks and controls. NIST is designed to be used by any type of organization, of any size. NIST does not offer a corresponding certification, but companies that do business with federal agencies may be required to adopt and comply with most if not all of NIST’s CSF due to regulatory requirements. The NIST CSF is a good choice for organizations that work with the federal government and/or want a maturity-driven model as part of their cybersecurity program.

SOC 2 (SOC for Service Organizations)

Created and governed by the AICPA, SOC 2s are reports on controls at a service organization, intended to give a company’s customers, partners, stakeholders, and investors comfort that a company is doing the right things in terms of cybersecurity and data protection. SOC 2s by default include Security as a criteria, though four other Trust Services Criteria can be voluntarily included, covering the areas of Confidentiality, Availability, Processing Integrity, and Privacy. SOC 2 attestation requires businesses to contract with a third-party CPA firm and complete an audit. SOC 2 attestation is ideal for service providers that do business in the US.

ISO 27000 Family (ISO 27001)

The International Organization for Standardization, or ISO, last revised its information security management system (ISMS) standard, ISO 27001 in 2022. ISO 27001 provides guidance for companies of all kinds seeking to establish an information security management system or bolster their existing cybersecurity programs. Recognized internationally, ISO 27001 can be certified against through a third-party assessor. ISO 27001 certification lasts for three years, although annual surveillance audits of limited scope are required. ISO 27001 is an optimal certification choice for companies doing business in the EU and internationally.

Design and Conduct Risk Assessments

Regardless of which framework(s) an organization chooses to use, conducting a thorough cybersecurity risk assessment is a cornerstone for any effective cybersecurity risk management program. To conduct a cybersecurity risk assessment over the company, security teams and stakeholders use the inventory of IT assets, the risks that have been identified, and gaps that require remediation.

Once the organization has identified cybersecurity risks and logged each in a risk register, security teams should then perform risk analysis over each risk, assigning likelihood and impact scores to make prioritization simpler. Highly likely risks with severe impacts if they are realized would comprise major risks, while unlikely risks with minimal impact if they are realized, comprise lower priority risks. 

Based on the risk analysis, the risk should be assigned a treatment method (mitigate, avoid, transfer, accept), and an action plan for carrying out the treatment. These action plans should include remediation details, risk mitigation steps (if applicable), risk owner, and timeline for completion, and be based on informed decisions and stakeholder input.

Then, once security controls have been implemented for vulnerabilities, open risks, and gaps, with risk assessments occurring on a periodic basis, the security team can move into monitoring and reviewing cybersecurity risks. In order to successfully fend off dynamic cyber threats, organizations will need to regularly monitor the effectiveness of their security measures and adjust according to the needs of the business. As with all risk assessments, cybersecurity risk assessments should be renewed at least annually.

Implement Controls and Treatments

After developing action plans and assigning a priority to each risk, those action plans must be put into practice. Security teams, operational teams, leadership teams, and process teams need to collaborate to implement effective security controls in an ever-changing cybersecurity environment. This step may involve adding new steps to processes; changing processes entirely; adjusting personnel responsibilities; or utilizing new technology — all of which may require additional training. 

Monitor and Update the Cybersecurity Risk Management Program

Even as controls are being implemented and optimized, and teams adjust processes to better respond to cybersecurity risk, the onus is on the company to monitor and continuously improve and update their cybersecurity risk management program. Cybersecurity risks will continue to proliferate as long as technology integrates with business, and securing companies requires a dynamic, flexible approach. Establishing a program alone is not enough — it must be nourished, maintained, and regularly re-evaluated to ensure that business objectives and cybersecurity goals continue to be met.

How do You Build a Successful Security Team?

The success of a new or existing cybersecurity risk management program largely depends on the security team or teams that are responsible for carrying it out. Businesses have conflicting priorities, and cybersecurity is just one area of risk that needs attention, investment, and resources. Allocating insufficient resources to cybersecurity initiatives could lead to the realization of risks and compromises. Over-investing in cybersecurity leads to redundancy and budget bloat. 

The right mix of experience, talent, knowledge, and people skills make up an excellent security team that can drive positive outcomes for your organization’s security program. Building that team is not an impossible task, but requires good planning, clear communication, and effective training.

To build a successful security team, companies should focus on assigning and communicating responsibilities, allotting team members enough time and resources to conduct those responsibilities, and prioritizing cybersecurity risk management training.

Leverage CrossComply to Manage Your Cybersecurity Risk Management Program

Building or optimizing a cybersecurity risk management program comes with challenges, not least of which being the ever-changing nature of cyber threats and cyber attack vectors. However, organizations can’t afford to ignore the risks that come with technology — they’re embedded into our increasingly more digital work. With cybersecurity risks integrated into almost everything we do, it might seem impossible to develop an effective cybersecurity risk management program. There are many stakeholders involved, many teams to collaborate with, controls to implement, and risks to manage.

Utilizing ITRM and CrossComply from AuditBoard can take away or ease many of the difficulties that come with setting up and maintaining a cybersecurity risk management program. Coordinating with stakeholders across the organization and working from a central repository and single pane of glass is all possible with the right technology solution. View data-rich dashboards and see all of your key cybersecurity metrics at a glance — try AuditBoard today and take your risk management program to the next level!


Corey Landman, CPA, CISA, is a Manager of Compliance Solutions at AuditBoard. Prior to joining AuditBoard, Corey led and managed information technology and compliance audits across the fintech, healthcare, insurance, freight logistics, legal, and technology industries. Connect with Corey on LinkedIn.