Running a cybersecurity program without a cybersecurity risk assessment is like sailing a ship through rocky waters without a map or lighthouse. You are not likely to successfully navigate the perilous situation without knowing where the threats are!
The cybersecurity risk assessment is like a map, personalized to your business, that identifies all of the cybersecurity dangers your company faces. Create a great map and use it to chart your course and you will find your way to safety. Create a weak map, or let a good map go unused, and your ship is much more likely to sink.
What is a cybersecurity risk assessment?
A cybersecurity risk assessment is the process of identifying, assessing, and prioritizing information security risks to an organization. The final product of the process is a risk assessment report, which can be used to guide risk treatment.
If that definition is still a bit confusing, let’s break it down further.
A risk is defined as the possibility of loss or injury.
In business terms, it is an organization’s exposure to a threat that may result in unexpected loss. Loss is bad – too many losses, or a large enough loss from any single risk, can put a business under. As such, it is critical for organizations to understand what their risks are so they can work to minimize or avoid them. This is done through a risk assessment.
A risk assessment is the process of identifying each of an organization’s risks, and assessing the likelihood and impact of each risk.
The severity of each specific risk is calculated with an equation: risk = likelihood x impact.
Cybersecurity risk assessments commonly assign these values with qualitative labels like “low” or “high.” A better approach is the quantitative risk assessment, which calculates severity using quantified numerical values – we’ll cover this approach shortly.
There are many types of risks that a business needs to consider such as compliance, financial, and cybersecurity risks. This guide focuses on cybersecurity risk.
Why do you need a cybersecurity risk assessment?
Cybersecurity risk assessments are a necessary part of any developing cybersecurity program. Leadership uses the report to manage risk – deciding which ones to mitigate, avoid, transfer, or accept. Ultimately, this guides the organization’s security into a much better state.
It used to be that only large enterprises needed cybersecurity programs with detailed risk assessments, but that’s changing. Cyber attacks are on the rise, and even small and midsize companies are no longer off the attackers’ radar. But why? Virtually everything is virtual now. Think about your office now compared to the one you had 20 years ago: you had a physical desk, and you had to lock the filing cabinets that held your payroll, employee information, proprietary knowledge, etc. You may have had physical security guards and cameras around the premises.
Now, your office location has some chairs, desks and an internet connection. You log onto your laptop and into a virtual machine or your company’s portal. Your filing cabinets are gone; all of your information is stored in the cloud. The cash you used to carry in your pocket for lunch is gone, replaced by Apple Pay and Venmo. You never see your receipt – it is sent to your email.
This makes cybersecurity risk one of the biggest areas of concern for a business of any size, from the enterprise to the solo practitioner. Most, if not all, of an organization’s assets can be lost or stolen via virtual methods. Information security has become critical for the ongoing continuity of any business. This is where a cybersecurity risk assessment can help.
A cybersecurity risk assessment provides a platform that allows a business to take a risk-based approach to managing its cybersecurity program. It identifies the specific risks to an organization’s environment so it can prioritize the most critical threats to address.
Compliance is another reason for an organization to conduct a risk assessment. Potential customers are increasingly asking organizations to hold compliance certifications such as SOC 2 or ISO 27001. Cybersecurity risk assessments are a requirement for all cybersecurity-related compliance programs. (At least I haven’t seen one without it yet!)
Risk assessments are also a way to help further cybersecurity controls in an organization. Risk assessments put cybersecurity risks in a format that can be presented to upper management to gain their support for cybersecurity initiatives.
Who’s in charge of running cybersecurity risk assessments?
C-level technology roles (CTO, CISO) are usually responsible for the cybersecurity risk assessment. They are almost always assisted by members of a technical, security, or compliance team who conduct the work and pass it onto the executive for final review and approval.
However, that’s not the only way a risk assessment can be conducted. Smaller organizations without a dedicated team may leave the CTO or IT manager to perform the risk assessment alone or with minimal help. An organization’s size and structure are generally the factors that drive these decisions.
Risk assessments can also be performed by an external party.
Smaller companies or organizations that lack the internal resources can look to this option to have their cybersecurity risk assessments conducted for them. Larger organizations may also choose this method because it provides an additional layer of objectivity and may surface insights that an internal cybersecurity examination might miss.
Compliance/cybersecurity software is also becoming increasingly available which can be used to manage the risk assessment process.
Benefits of a Quantitative Cybersecurity Risk Assessment
Any cybersecurity risk assessment is going to add value to an organization; however, not all risk assessments are created equal. The method by which a risk assessment is conducted can make a big difference in the level of value added to an organization. So what are the methods, and how do you choose which one to use for your cybersecurity risk assessment?
There are two types of risk assessment methods: qualitative and quantitative.
- Qualitative is more subjective and uses expert opinions or judgements to evaluate risks
- Quantitative is more objective and uses data such as numbers and statistics for risk evaluation
Currently, most cybersecurity assessments are qualitative. When a qualitative risk assessment is complete, risks are identified and categorized as high, medium, and low. This method provides a prioritized view of risks that can then be used for technical and operational cybersecurity risk reduction.
This method does have some shortfalls though.
Cybersecurity risk reduction is tedious, inconvenient, and often difficult to implement. Between initial implementation and continuous operation, it can be expensive to adequately secure an organization’s environment, so it can be hard for the cybersecurity owner to get the support they need from business leaders to implement their initiatives.
Many business leaders don’t understand the magnitude and impact a cybersecurity incident can have on their business and don’t want to spend the dollars on something they don’t see as a big risk. “High”, “medium”, and “low” don’t give an organization’s decision makers the information they need to justify spending on cybersecurity initiatives. This is where the second method of risk assessment comes into play.
A quantitative cybersecurity risk assessment assesses risk in a language decision makers can digest. It provides business context to the risks by mapping an organization’s cybersecurity risks to dollar values.
For example, three risks could be calculated like this:
Risk 1: 5% chance of a $3 million loss. Expected loss: $150,000.
Risk 2: 15% chance of a $1 million loss. Expected loss: $150,000.
Risk 3: 25% chance of a $100,000 loss. Expected loss: $25,000.
This quantitative view of risk gives business leaders firm numbers to drive risk treatments. In this example, Risks 1 and 2 should be prioritized above Risk 3 because they carry a larger expected loss!
Does SOC 2 Need a security risk assessment?
Yes, you need a cybersecurity risk assessment to get a SOC 2. SOC 2 has an entire control set (CC3) dedicated to risk assessments. It places a lot of emphasis on having a good risk assessment to be compliant!
Specifically, this control set requires an organization to have a risk assessment program and lists a subset of requirements that must be included in the program. The specific requirements are:
- CC3.1: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- CC3.3: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control.
SOC 2 is not alone in requiring a good risk assessment for compliance.
ISO 27001 risk assessments
The ISO 27001 certification does require a cybersecurity risk assessment. It also requires that a risk treatment process be in place for the risks identified in the risk assessment. It specifically calls for a certified organization to address these processes in both its planning and its operations.
ISO 27001’s specific risk assessment requirements are:
- Risk assessment process – organizations are required to have a risk assessment policy and process in place
- Risk treatment process – a process for treating the risks identified in the risk assessment is required
- Planning – integration of risk assessment and risk treatment into an organization’s information security objectives planning is required
- Risk assessment execution – the risk assessment is carried out according to the process
- Risk treatment execution – organizations must create a treatment plan, according to the process, for the most critical or unacceptable risks identified in the risk assessment
- Documentation – the results of both the assessment and the treatment must be kept
How to perform a cybersecurity risk assessment?
Cybersecurity risk assessments are complex projects that require a lot of knowledge about cybersecurity threats and in-depth knowledge of an organization. Every organization’s cybersecurity risk assessment will look different, but there are general steps that should be followed. These apply to both qualitative and quantitative methodologies:
- Identify all critical systems, sensitive data, and sensitive data sources.
- Identify potential threats to critical systems and data.
- Identify sources of potential threats (e.g. privileged insider, hacktivist group, cyber gangs).
- Evaluate current cybersecurity controls.
- Estimate the likelihood a threat turns into a successful attack.
- Determine probable impact of the attack on the organization.
- Calculate risk. (Remember: Risk = Likelihood x Impact).
- Prioritize risks for remediation.
- Conduct periodic reviews.
  - We recommend annual risk assessment reviews, plus a review upon any significant change to the organization that would impact its risk profile.
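As an added example (not code from the original post or from Fractional CISO), the steps above and the expected-loss calculation from the quantitative section can be carried into a small risk register. The three risks are the ones from the earlier example; the asset, threat, source, control and treatment figures are constructed, and the tie-break rule and the `treatment_value` function go beyond the article by netting a control’s yearly cost against the expected loss it removes.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    """One row of a risk register; the fields follow the article's steps 1-6."""
    name: str
    asset: str          # step 1: critical system or sensitive data at stake
    threat: str         # step 2: what could happen to it
    source: str         # step 3: who or what would cause it
    controls: str       # step 4: controls already in place
    likelihood: float   # step 5: annual probability of a successful attack, 0..1
    impact: float       # step 6: dollar loss if the attack succeeds

    def expected_loss(self) -> float:
        """Step 7: risk = likelihood x impact, in dollars per year."""
        return round(self.likelihood * self.impact, 2)

def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 8: highest expected loss first. Assumption (not from the article):
    ties go to the larger single-event loss, since a $3M hit is harder to
    absorb than a $1M hit even when both expect $150k/yr."""
    return sorted(register, key=lambda r: (r.expected_loss(), r.impact), reverse=True)

def total_expected_loss(register: list[Risk]) -> float:
    """Annual dollar figure the whole register represents."""
    return round(sum(r.expected_loss() for r in register), 2)

def treatment_value(risk: Risk, residual_likelihood: float, annual_cost: float) -> float:
    """Net annual benefit of a proposed control: expected loss it removes minus
    its yearly cost. This extends the article's formula (an assumption)."""
    treated = replace(risk, likelihood=residual_likelihood)
    return round(risk.expected_loss() - treated.expected_loss() - annual_cost, 2)

# Constructed register: the three risks from the article, with made-up context.
REGISTER = [
    Risk("Risk 1", "customer database", "ransomware with data theft", "cyber gang",
         "backups only", 0.05, 3_000_000),
    Risk("Risk 2", "payroll SaaS account", "credential phishing", "external fraudster",
         "email filtering", 0.15, 1_000_000),
    Risk("Risk 3", "shared file server", "contract data copied out", "privileged insider",
         "access logging", 0.25, 100_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name}: {r.likelihood:.0%} chance of ${r.impact:,.0f} -> ${r.expected_loss():,.0f}/yr")
    print(f"Total expected loss: ${total_expected_loss(REGISTER):,.0f}/yr")
    # Constructed treatment: MFA on the payroll account cuts Risk 2 from 15% to 3% for $20k/yr.
    print(f"MFA on Risk 2: net ${treatment_value(REGISTER[1], 0.03, 20_000):,.0f}/yr")
```

A negative `treatment_value` means the control costs more per year than the expected loss it removes, which is the kind of figure a qualitative “high/medium/low” label cannot give a decision maker.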
It’s dangerous to go alone.
Admittedly, good cybersecurity practice will help reduce the risk that your business is compromised by a cyber attack, whether or not you’ve completed a risk assessment. However, there is a very good reason that every cybersecurity compliance framework wants you to have one: good risk assessments with appropriate risk treatment improve the cybersecurity posture of every single company they touch.
Don’t sail blind!
If you’d like an external party to help with your risk assessment, you can consider Fractional CISO’s Quantishield Quantitative Cybersecurity Risk Assessment service.