What to Do After a Security Risk Assessment
As the person responsible for cybersecurity risk, you knew it was time to identify and modify your organization’s overall security posture. So, you did what you had to—you made your plea, got the signoffs, and completed a security risk assessment.
But now that it’s done and you have the insights, how do you enable security, operations, organization management, and other personnel to see from the attacker’s perspective and collaborate to reduce risk?
As with anything in need of change, you need a plan of attack.
Identify how to reduce risk
The first step you should take after getting the results of your security risk assessment is identifying how you will reduce risk. This can be done in four ways:
1. Avoid – eliminate the exposure to the risk altogether by changing the infrastructure
2. Mitigate – put controls in place to minimize the risk (e.g., security awareness, patching, technology adoption, access control, etc.)
3. Transfer – place responsibility for the risk onto someone else (e.g., an insurance company)
4. Accept – your organization decides it can handle the consequences if the risk occurs
To simplify, consider these options in regard to driving—another risky business. Each time we get into our cars we are at risk of having an accident, incurring repair costs, and amassing medical bills. So how would we reduce the risks?
- If we live close enough to where we’re going, we can avoid the risk altogether and walk.
- We can take the bus and transfer responsibility onto the bus company.
- We can mitigate the risk by making sure we have good tires and good brakes, wearing our glasses, and not being distracted by our phones.
Even if we mitigate the risk, there will still be some residual risk that remains; we simply cannot control other drivers. However, because the advantages of driving outweigh the risks, most of us accept that risk every day.
Prioritize your mitigation plan
Once you’ve identified the risks you have transferred and those that can be avoided, you can begin to create a plan to either accept or mitigate each remaining risk based on its risk rating (Critical, High, Medium, Low). Using that categorization, you can then begin prioritizing your plan of action.
If you get stuck at this stage, remember – it’s not all or nothing, and it’s not now or never. Don’t ignore risks you aren’t able to mitigate now; make a plan for mitigation. Mitigating some risks now reduces your overall risk at this point in time. Planning to mitigate more risks in the future ensures that you continue to reduce risk over time.
Start with Critical and High risks (with no risk acceptance).
Medium risks should be reviewed to determine whether to mitigate or accept. You should only choose to accept the risk if both impact and likelihood are very low.
Next, review Lows for quick wins. Only mitigate these risks if doing so will not take away resources needed to reduce larger risks.
When is accepting risk acceptable?
If you can’t avoid, mitigate, or transfer the risk, you’ll have no choice but to accept it. It needs to be understood that risk acceptance should not be permanent. All acceptance of risk must be done knowing that at some point the risk will need to be addressed. Do not allow politics and/or company culture to determine whether or not to accept risk.
Don’t forget to document
All instances of risk acceptance should be documented (usually with a Risk Acceptance Form). The form should detail:
1. What compensating controls are in place to reduce the likelihood of the risk occurring.
2. What the plan is to mitigate the risk in the future.
Because leaders and stakeholders must agree that your company can survive the consequences of accepting the risk, the form should be signed by those who have approved acceptance of the risk. The Risk Acceptance Form should be reviewed with regularity to continually determine if the risk can be mitigated, transferred, or avoided. If the risk must still be accepted, the form must again be signed and dated. This forces someone to ultimately be accountable for the risk and the damage it may do to the business.
Lastly, you want to make sure that you maintain documentation. Everything in your risk management plan should be documented: risks, how you choose to address each risk, who is responsible/accountable/consulted/informed, and important dates like benchmarks and deadlines. As with the Risk Acceptance Form, your risk management plan should also be reviewed with regularity to make sure that you are still on target to meet your goals.
The good news is, if you’re diligent with your risk management plan, over time you’ll begin to see your organization’s security posture improve. Still feeling uneasy about putting a risk management plan in place on your own? Read our blog, 10 Reasons a vCISO May be a Good Choice for Your Company.