Managing Risk Appetite as a Cybersecurity Professional
One of the questions I am asked most by my mentees is how to manage risk in their company without taking it personally.
Listen, I get it. It's hard to take pride in something you do and then not feel it's your fault when a recommendation you've made is rejected or even ignored. Mostly, these business decisions aren't a way of saying the work you've done was of no value; they just mean the organization evaluates risk differently than you do. Their appetite for risk, which is usually reduced only by spending money, is greater than yours.
Let's say you have identified what you think is a critical risk to the business. A hypothetical example would be data leakage through insider threats. You've spent several hours working through the risk scenarios, mapped out where your gaps are, performed a probability/impact analysis and a cost analysis, and know what a solution will cost. However, you are less clear on what it would cost the business if this risk became reality. You identified that you have some controls in place, but not enough to reduce this risk to an acceptable level - that is, your acceptable level. As an information security professional, that level is usually reached only when a control takes the risk as close to zero as it can (remember, though, that risk will never be zero; what remains after controls is called residual risk).
In this case, you need:
• A well-defined data classification policy and procedure, with all your data classified accordingly.
• A tool (data loss prevention, or DLP) that monitors all traffic for information you have classified as sensitive and automatically blocks transfer of that data.
In a perfect world, this would be the outcome. However, in some smaller organizations this recommendation is unlikely to be accepted. It's not because the idea doesn't make sense or is silly: there is a lot of work involved in combing through all the data the company may have, classifying it all, and then potentially spending thousands of dollars on a solution that enforces the policy and procedures. Additionally, the effort required to classify the data and keep the program current never ends. Finally, there is the cost factor. Decision makers must account for the likelihood of the risk becoming reality, what the damage would be, and the TCO (total cost of ownership) of the new solution. Sometimes the spend simply isn't worth the risk it removes.
So, while this recommendation may not be accepted, we, as information security professionals, need to adjust our thinking and come up with a solution the business can accept.
• Perhaps it is defining a policy for all new data and grandfathering in the old.
• Perhaps it is monitoring against the defined policy without blocking traffic.
• Perhaps it is a solution that provides visibility only.
It may not be the end state we hope or dream of, but it is a reduction of risk that the business might be willing to consider.
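To make the trade-off concrete, here is a worked comparison of the full recommendation against the cheaper alternatives above. This is an added example, not code or figures from the original post: the single-loss amount, the likelihood, the annualized costs and the risk-reduction fractions are all assumptions, and the model used to put a number on "the cost of this risk being a reality" is the standard annual loss expectancy (ALE = single loss expectancy x annual rate of occurrence). The two appetite values stand in for the engineer's near-zero tolerance and the business's much larger one.

```python
"""Compare a full DLP recommendation against cheaper, partial alternatives.

Added example; every dollar figure and likelihood below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float      # annualized TCO: licences, hardware, staff time to classify and tune
    risk_reduction: float   # fraction of the annual expected loss the control removes (0.0 - 1.0)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the expected loss per year if the risk is left as it is."""
    return single_loss_expectancy * annual_rate_of_occurrence


def evaluate(ale: float, option: ControlOption) -> dict:
    """Residual risk, risk removed and net annual benefit of one option (rounded to cents)."""
    residual = round(ale * (1.0 - option.risk_reduction), 2)
    removed = round(ale - residual, 2)
    net_benefit = round(removed - option.annual_cost, 2)
    return {
        "name": option.name,
        "annual_cost": option.annual_cost,
        "residual_ale": residual,
        "risk_removed": removed,
        "net_benefit": net_benefit,
    }


def rank_options(ale: float, options, budget: float, appetite: float) -> list:
    """Rank options by net annual benefit, best first.

    `budget` is the annual spend the business will fund; `appetite` is the residual
    annual loss the decision maker is willing to carry. Each result is flagged with
    whether it is affordable and whether it brings residual ALE within that appetite.
    """
    ranked = []
    for opt in options:
        result = evaluate(ale, opt)
        result["affordable"] = opt.annual_cost <= budget
        result["within_appetite"] = result["residual_ale"] <= appetite
        ranked.append(result)
    ranked.sort(key=lambda r: r["net_benefit"], reverse=True)
    return ranked


# Constructed scenario (assumption): one material insider leak costs about $250k
# and we expect one roughly every five years.
SLE = 250_000.0
ARO = 0.2
ALE = annual_loss_expectancy(SLE, ARO)   # $50,000 per year

OPTIONS = [
    ControlOption("Full classification + blocking DLP", annual_cost=80_000.0, risk_reduction=0.85),
    ControlOption("Visibility-only DLP, no blocking", annual_cost=8_000.0, risk_reduction=0.35),
    ControlOption("Classify new data only, grandfather the old", annual_cost=5_000.0, risk_reduction=0.20),
    ControlOption("Accept the risk as is", annual_cost=0.0, risk_reduction=0.0),
]

if __name__ == "__main__":
    # The engineer's appetite is close to zero; the business's is far larger (both assumed).
    for label, appetite in (("engineer", 5_000.0), ("business", 40_000.0)):
        print(f"--- appetite: {label} (residual <= ${appetite:,.0f}/yr), budget $20,000/yr ---")
        for r in rank_options(ALE, OPTIONS, budget=20_000.0, appetite=appetite):
            print(f"{r['name']:<45} cost ${r['annual_cost']:>8,.0f}  "
                  f"residual ${r['residual_ale']:>8,.0f}  net ${r['net_benefit']:>9,.0f}  "
                  f"affordable={r['affordable']}  within_appetite={r['within_appetite']}")
```

Under these assumptions the full solution removes the most risk yet ranks last, because its annualized cost exceeds the entire expected loss it protects against; the visibility-only option has the best net benefit and is the only kind of thing that fits the budget. Nothing meets the engineer's appetite, while three options meet the business's, which is exactly the gap the post describes. The numbers are illustrative, but the exercise of writing them down is what lets a decision maker compare your recommendation with the alternatives on their terms.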
When I first entered the information security domain, I took a lot of pride in the effort and research I had put into evaluating risks and their mitigating controls. Often, those mitigation strategies came to fruition only partially, or never at all. Sometimes it did feel that I was doing this alone. It took me some time, but I eventually realized that it wasn't my job, as an information security professional, to reduce all information security risks to my acceptable levels. It was my job to properly discover, analyze, and propose recommendations to my superiors. Give them all they need to make an informed decision. Unless you're in an executive seat, risk doesn't fall to you. You are not ultimately responsible for your organization's risks. Further, accountability for all risks lies with your organization's board.
Those who are responsible for overseeing and mitigating risks will make decisions based on several factors, including:
• cost
• resources
• time to deliver; and
• risk appetite
Their decisions aren't a way of saying you haven't done your job. If they can make informed decisions with accurate and timely data, I would say you've done your job perfectly.