The SEC recently adopted their proposed rules, including those regarding Cybersecurity Risk Management on July 26, 2023. The stakes and expectations of an organization’s IT Risk Management capabilities have never been higher – and as we all know, the dollar impacts are real. According to a 2022 IBM report, the average cost of a data breach in the US is $9.44 million.
IT Risk Management practices can have a significant positive impact on an organization’s information risk posture, with a focus on inventorying, identifying, and prioritizing risks. By employing an effective and integrated IT risk management process and program, businesses can limit their exposure to costly IT security incidents and risks, like data breaches, information systems being compromised, ransomware, and other cyber threats. Of course, organizations must also now prepare to comply with this latest SEC ruling.
IT Risk Management Defined
The goal of IT Risk Management, sometimes abbreviated to ITRM, is to identify, assess, address, and analyze IT-related risks that could affect the business, improving IT operations, cybersecurity, risk mitigation capabilities, and the organization’s overall risk and security posture.
In general, IT Risk Management follows the same pattern of risk management practices, with a regular cycle of identifying, assessing, and monitoring risks.
One of the key documents an organization can employ when managing IT risks is the concept of a risk register. This is a document that summarizes each identified risk, provides a description, documents the risk score, and usually includes the remediation plan and owner. Organizations may want to invest in an integrated risk management solution to streamline risk processes and include even more valuable data in their risk analysis.
Organizations may also want to integrate risk assessment matrices in their registers — these can help visualize and prioritize issues quickly.
Types of IT Cyber Threats
Since a major component of any risk management methodology is the identification of risks — which can sometimes be the hardest part to get started with — we have identified some common IT cyber risks that all organizations should be aware of. The OWASP Top Ten lists the top attack vectors that cyber attackers use to compromise organizations. Here are a few examples:
- Malware: Once installed on a user’s system or the wider network, malicious software can exfiltrate data, launch a ransomware attack, establish a “backdoor,” and cause other types of compromise.
- Social Engineering and Phishing: Attackers use social mechanisms and fake communications to trick users into compromising credentials or data.
- Distributed Denial of Service (DDoS): When a software or service is overwhelmed with requests, often through a botnet, that service may stop working, keeping users out. This can have significant costs for organizations.
- Man-in-the-Middle Attack (MitM): Attackers place themselves between users and their target connection, intercepting, hijacking, and eavesdropping on communications between those two points.
- Password Attacks: Passwords can be compromised through a number of different vectors; regardless, any credential compromise can have a negative impact on an organization.
In addition to these threats, other ways to identify risks include:
- Ask “What Could Go Wrong?” – This seems like a simple approach, but it’s actually one of the fundamental questions in risk management.
- Use Past Insights or Incidents – Learning from past incidents is a crucial part of effective information security risk management, and one of the best places to begin remediating risks is with previously identified vulnerabilities.
- Look Around – What’s in the news? What struggles are other businesses in your industry facing? Are there geopolitical events or natural disasters that could harm your organization? Taking stock of the current events taking place in the world can reveal new risks, or risks that just didn’t exist previously.
- Leverage Experts – Experienced risk and cybersecurity professionals can give you insights into risks associated with specific technologies, services, industries, and partners. Frameworks and professional associations can help here too.
Whatever the method for identifying your organization’s risks, it is important to agree on a baseline for how risk will be defined. Making sure various program stakeholders are all working with common language and understanding is crucial for productive assessments.
IT Risk is a Moving Target
As we constantly see in the news, the information technology landscape changes rapidly. To compensate, IT risk management approaches need to be flexible, fluid, and modern. Add the difficulty of managing multiple stakeholders and coordinating across multiple departments to ensure that security policies match up to practices, and IT risk really does become a dynamic, moving target.
Integrating IT risk with a larger, organization-wide risk management framework, using best-in-class risk management technology, and employing automation when possible can give IT teams and management a leg up on mitigating risks using a holistic approach.
In practice, businesses should set up a committee to review risk-related matters that affect the organization. This is required by some compliance frameworks and is a solid best practice. As part of these meetings, the committee should review the risk register thoroughly and make updates as needed. The risk committee should meet at least annually, but experts recommend a quarterly meeting to address the evolving risk environment. Annual risk assessments performed by internal teams or third-party consultants can play another important role in a mature IT risk management program.
The Importance of Mitigating IT Risk
The cost of data breaches is rising; new technologies are flooding the market; cybercrime is booming; and the risks keep on coming. Fighting the battle for information security and IT risk management seems like a Sisyphean task. To make progress, it’s crucial to mitigate IT risk and to establish a formal IT risk management program.
Preventing Risks and Reducing Losses
The purpose of IT risk management is to identify and prepare relative to risks before they occur … or if they do occur, to limit the impact as much as possible. It’s a function that uses past incidents to inform decision-making and protect the organization through the implementation of processes, safeguards, and controls. One core benefit of establishing an IT risk management program is to do just that — protect the organization from risks and reduce losses when total prevention isn’t possible. At the end of the day, this reduces an organization’s potential losses and allows that organization to continue functioning without interruption from information technology risks.
Streamlining IT Operations
IT risk assessments and risk management practices can reveal insights about an organization and teams in a way that other audits might not. By unearthing inefficiencies, control deficiencies, broken processes, and a lack of oversight in IT areas through regular risk assessments, the business can begin to fix those problem areas. Once those identified risks are remediated, processes are repaired, and controls are put into place, the organization will naturally reap the benefits of smoother operations, improved compliance, and a lower level of risk.
Risk-Based, Prioritized, Informed Decision-Making
Realistically, companies can’t address all identified risks at once. Part of the IT risk management lifecycle is assessing and prioritizing risks in order of likelihood and potential impact. Following this process results in a prioritized risk register, with each risk having some kind of score or quantification. Based on these scores and the potential risk to the company, management and leadership can then make informed decisions about which issues to tackle first, which to tackle later, and which may need to be tabled for the future.
While this shouldn’t be the only thing taken into account — risky endeavors can have positive outcomes too — a well-formed IT risk management program can equip leaders with valuable information that they can use to strategize and plan.
Implementing an IT Risk Management Program
Developing and implementing an IT Risk Management program depends on how mature your organization’s risk management program is. If your company already has an Enterprise Risk Management program in place, it may be best to collaborate with that team to integrate IT Risk Management into the larger organizational risk strategy. Below, we’ll outline steps to begin building an IT Risk Management approach from scratch, but feel free to skip around based on your company’s risk program maturity. If risk quantification is top of mind for your organization as you pursue greater IT Risk Management maturity, check out our in-depth guide here.
1. Scoping, System Definition, and Appetite
Before building any type of project plan, you must define the parameters for success and the scope of the project. This applies to establishing an IT Risk Management function as well. For smaller organizations, it may be feasible to scope in all IT systems as part of your IT Risk program. For mid-to-large-sized organizations, this may be impossible.
Scoping involves defining what to include in your IT Risk Management program. Often, this is done by the system. In the latter case of mid to large-sized organizations, the IT team may need to prioritize key systems over vestigial systems — that is, identify which IT systems are critical to business operations. It’s crucial to include those high-risk systems in your IT Risk Management plan right away, since compromises in those systems will impact the company most severely.
Once the scope of the program is understood, it’s important to capture the results of the exercise in documentation. Make sure to include some information about what the system does, who manages the system, what policies apply to the system, and what controls are in place for the system. If possible, include technical information about the system, like the Operating System, type of asset, in-house versus outsourced, types of data hosted, authentication mechanism, and associated ticketing system.
This phase is also helpful to determine the organization’s risk appetite. What level of risk is acceptable? Where will additional investment and resources be dedicated to correct identified gaps? These are helpful conversations to help determine the threshold for what will be prioritized for mitigation.
2. Risk Identification (Threats and Vulnerabilities)
There is no risk mitigation without risk identification. After defining the scope of the IT Risk Management program, the team should begin to identify risks that could impact the IT systems in-scope, including threats (from outside or malicious actors) and vulnerabilities (inherent to the system).
Companies can employ a number of vulnerability scanning solutions on the market today. Indeed, there are some compliance frameworks that require vulnerability scanning by default, like PCI DSS. Most vulnerabilities in systems can be remediated through security updates and patches, but some require formal coordination through a project.
In addition to the potential risks and methods of risk identification noted above, companies should work together with IT teams, security teams, and other teams that work with the target system to understand the idiosyncrasies of the platform. If the system in question is a SaaS-type or similar service provided by a third party, that does not exclude it from the IT Risk Management program! IT Risk Management teams should still review due diligence questionnaires, security questionnaires, and/or updated SOC 2 reports to validate that the third-party provider addresses the risks that exist (there is tremendous value in visibility across your third-party risk processes and your internal risks) .
3. Control Analysis and Documentation
Once scoping and risk identification have been performed, an analysis of the controls in place to address identified risks should take place next. Most organizations will already have some good security controls in place to safeguard their systems, like requiring two-factor authentication or monitoring activity logs. The teams responsible for analyzing the controls in place should also evaluate whether they are designed and controlled effectively, and whether the control adequately addresses the risks it is designed to address.
There are a few other details that might behoove your company to capture when analyzing a control, including:
- Is the control preventive or detective?
- If the control is detective, is there a correction mechanism in place to compensate?
- Are there compensating controls associated should this control fail? If not, should there be?
- Is the control manual or automated?
- Do control activities get formally documented somewhere, like a ticketing system?
- How frequently does the control occur?
If any gaps in controls are observed, the IT Risk Management team should also plan additional or compensating controls to fully mitigate risks. The results of all control analyses should be documented and maintained in a central repository when possible, to enforce version control and prevent unauthorized changes. These details can be kept in the same document or repository as the risk register.
4. Risk Assessment (Likelihood, Impact, and Scoring)
After all the information about the risk has been gathered, the organization can then assess each risk (use a risk assessment matrix, if necessary!) based on the likelihood that the risk will occur (or be realized), and the impact on the organization if the risk is realized. Also, take into account certain factors: such as the effectiveness of controls in place to mitigate risks, or other risk quantification measures defined by your organization. Those aggregated scores then form the Risk Score for that particular item, which can help prioritize risk mitigation efforts.
Don’t be surprised if these scores change year-over-year or quarter-over-quarter. Between the changing risk landscape and the company’s efforts to mitigate risks, it is common for risk scores to differ from previous years.
5. Gap Analysis and Mitigation Recommendations
Once the organization has thoroughly documented and investigated each risk, there will inevitably be gaps identified where risks are not or are not completely mitigated. Now, you must revisit your risk appetite framework from when you were first scoping your program. The organization’s risk appetite will help inform the level of risk mitigation that should be pursued.
In these cases, the IT Risk Management team should work with other key stakeholders to develop action plans and control recommendations for addressing relevant risks. Often, these action plans will require the input and assistance of technical resources to complete, such as changing a configuration or removing access. Having good relationships with other teams and stakeholders to collaborate effectively can be a secret weapon in the arsenal of risk management teams.
It’s best to be specific when developing a risk mitigation action plan. Designating an accountable person, setting a timeline, and defining the success factors for a risk treatment plan can be the difference between success and failure. If you are having a third party perform a formal risk assessment, they should provide their recommendations and action plans in their report. Leverage your third-party assessors, if you have them!
Based on the Risk Score, overall company strategy, available resources, and other business considerations, the risk team can then make decisions about which control gaps to remediate when, and how. Gap remediation is an ongoing part of the IT Risk Management lifecycle, and practitioners should anticipate that each risk assessment or risk cycle will yield new gaps and new control recommendations.
6. Reporting and Results
As they say in audit, “if it wasn’t documented, it didn’t happen.” The same principle applies to IT Risk Management. Results of risk assessments and other risk-based efforts should be compiled into some kind of report, documentation, or presentation that can be provided to leadership and consumed with relative ease. The goal is to equip management with more knowledge to make quality decisions for the organization, rather than providing an audit opinion or investigative results.
Reports aren’t only for leadership, though. Participants in the IT Risk program should review the results of their findings and assessments, and give some thought to what should be tackled first. Having regular conversation and engagement across stakeholders will improve education and help raise the organization’s risk posture.
Common Risk Management Frameworks
Although we’ve given you a number of resources on how to establish and improve your IT Risk Management program, there are many more resources out there that can help guide your IT Risk journey. Some of them are designed to address internal controls and risk management as a whole, while others are geared specifically toward cybersecurity and take a deep dive into IT controls.
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF): Also known as the NIST RMF, this standard was last updated in 2022 and provides a flexible standard for managing risks. The NIST Cybersecurity Framework or CSF is another great framework geared specifically towards cybersecurity best practices.
- Control Objectives for Information and related Technology (COBIT): Developed by ISACA, COBIT doesn’t address IT Risk specifically, but does provide a framework for IT governance that pairs well with an IT Risk Management program.
- COSO Enterprise Risk Management (ERM) Guidance: COSO’sERM guidance provides resources for an overall ERM program, but parts of the guidance can be leveraged specifically for an ITRM program.
- ISO 31000 Family and ISO 27000 Family: ISO’s31000 family of standards addresses risk management as a whole, while the ISO 27000 family, specifically the ISO 27001 standard focuses specifically on establishing a successful Information Security Management System (ISMS).
- Factor Analysis of Information Risk (FAIR): A quantitative risk analysis model that is typically suited for more mature risk management programs.
Selecting one or more of these frameworks to implement in your organization can augment your information security risk management efforts. Some of these frameworks come with the opportunity to get certified or have an attestation performed, which can demonstrate to stakeholders, customers, vendors, and partners that your business is committed to strong internal controls and IT security. There may also be some overlap in certain frameworks and compliance requirements that can make it easier to comply with one or more frameworks.
Consider ITRM to Get Ahead of IT Risk Events
With the explosion of cyber threats and attackers, and the move to integrate risk programs within organizations, the landscape of risk management continues to grow more complex. Some organizations may already have mature IT Risk Management programs in place, but struggle with the overhead of managing so many moving parts.
Others may just be starting out in their IT Risk Management journey, and need a tool to enable success. In either case, the right technology can unlock the potential of your risk management teams, aggregating and streamlining risk efforts in a core dashboard. With ITRM, you can simplify stakeholder communication, centralize risk projects, and lead the way into the future of risk management.
Tony Luciani is a Senior Manager of Product Solutions at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Manager at Sony Pictures. As a former InfoSec consultant, PCI QSA, and CCSFP Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries. Connect with Tony on LinkedIn.
Will Cryer, CISA, CIPT, is a Senior Manager of Solutions Advisory Services at AuditBoard. Prior to joining AuditBoard, Will spent 9 years with EY in Denver specializing in information technology audits, SOX/ICFR, cybersecurity, privacy, ISO 27001, and SOC Reporting across the FinTech, Technology, and Real Estate industries. Connect with Will on LinkedIn.