3 things to focus on in cybersecurity risk management

The first 3 things to focus on in cybersecurity risk management.

Edit: In case you missed the show, we have a video of it posted at the bottom of this blog post. Enjoy!

Listen on Spotify or Apple Podcasts 

We’ve been working on a knowledge base of helpful content for the cybersecurity community, and one of the open questions we asked was: how do you build a cybersecurity risk management program in the current business environment? If your budget has been cut but you’re still expected to deliver on high expectations, what are the most important things to focus on?

We decided to take that question and provide some answers (keep reading below). Additionally, we’ve organized a live, Ask Me Anything Q&A session on this topic for July 8. We’ll have our CTO and a few of our engineers ready to provide guidance from their experience, and from the things we’ve learned from all our customers and partners. We thought we’d keep it short (20 mins) so you don’t have to make a big time commitment to pick up some helpful info. If you would like to receive an invite to the 20 minute AMA, click here to register.

So, if you’re building a cybersecurity risk management program, what are the first 3 things you should focus on?

1. Get Buy-in

Let’s define this first. What is “buy-in”? Buy-in means the right people around your company agree on why your risk management program needs to exist, and are willing to spend their own time and their teams’ time supporting it.

Why is buy-in important? Big company or small, very few things get built or grow well when they live in a silo. Without support from others around you, you’ll find it nearly impossible to get through cyber assessments, for example. You’ll need VPs to communicate why those assessments matter, and you’ll need team managers, responding to the VPs, to make sure their teams actually answer the assessment questionnaires. There are hundreds of other examples like this. Suffice it to say, without buy-in you’ve got a steep uphill battle ahead of you.

So, how do you get buy-in? Well, we’ve written an in-depth guide on exactly how to do this, with detailed steps about who should be involved, and tips for getting buy-in from different stakeholders.

For the purposes of this post, let’s narrow the focus a bit. If you’re getting your program off the ground, you’ll need to think about what the most critical needs are for getting started and growing. What are those things? Can you get those things on your own? If not, who would you go to? Those are the first people you need to get Buy-in from. You can use this same line of questioning all the way through your program to figure out who you need to involve next.

An example of something you’ll need buy-in for is your first assessment. We refer to this as your Baseline and it’s covered below as the second item in our list of the 3 top things to focus on.

2. Run a Business Impact Analysis

When you’re planning out your program, you’ll need to know where to prioritize your efforts. The only way to know where to focus first is by knowing the state of what’s working and what’s not, or what exists and what doesn’t.

Essentially, what you’re doing here is conducting your first assessment and establishing a baseline to compare future results against. You can judge the results as good or bad, but the better approach is to treat them as an objective starting point. Look at the data from your business impact analysis, score each category by how high or low the risk is for your company, and then start working on a plan for remediations and improvements. When you score, keep likelihood and impact separate rather than collapsing them into a single gut-feel number: a rare scenario that would halt operations and a frequent one that costs an hour of someone’s time should not land in the same place on your list.

Sometimes, establishing a baseline is easier said than done. There are a ton of assessment frameworks out there, and not all of them will apply to your business. With some of them, you won’t even need to use all the questions. Online forums and guides cover this, but there’s so much information out there that it can be daunting. We routinely help our customers with these questions, so we wrote a short guide covering the top 3 mistakes companies make when running their business impact analysis, so that hopefully you can avoid them too.

We’ll also cover this in the live AMA so make sure to tune in.

3. Establish a Budget 

The third most important area you’ll want to focus time on when building your risk management program is establishing a budget for running the program.

Admittedly, there is a bit of a “chicken and egg” situation here. Most likely, in order to run your first assessment, you will need some funds allocated so you can run a business impact analysis and get your baseline results. Those baseline results are what you’ll use to determine your budget going forward.

Hopefully, since you’ve been hired to run this program, there is some understanding that you’ll need some funds to assess the situation. For this article, we’re going to go off that assumption and we’ll focus on determining what your operational budget should be. If this is not the case for you (no budget at all, even for a first assessment), we’ll discuss this scenario in our live AMA session.

Ok. So, you’ve done your first assessment and have your baseline results. You have a good understanding of where the risks are and what controls are needed. The first step in figuring out what your budget should be going forward is to prioritize the areas that need attention.

How do you figure out which areas need attention first? Start with what’s most important to the business. Your company may have a Chief Information Security Officer (CISO) who has set a strategy that makes prioritization decisions simple. If not, find out whether your company must maintain certain compliance requirements for clients and/or regulatory organizations. If so, this is the place to start: a failed audit can mean lost clients, fines, or loss of a license to operate, so if you’re not in compliance, you’re out of business.

Review the areas where a new control is needed or where a control needs to be updated in order to maintain compliance. Here are the big areas to think through to establish your budget:

  • Think about how long each of those missing control areas will take to remediate (remediation being the process of satisfying the control requirement). Think about who will need to be involved (add them to your buy-in list) and how much of their time will be needed, for internal teams as well as vendors and suppliers. Think about any hardware, software, or other materials that must be purchased to put the control in place.

  • Think about managing all of these efforts over the time it will take to reach compliance. You’ll need software that has everyone collaborating in one place, stores documents in a single repository, tracks the progress of each initiative, and turns it all into progress reports and ultimately compliance reports. Ideally, this would be the same software you use to run the assessments in the first place.
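To make the scoring in step 2 and the budget roll-up in step 3 concrete, here is a small risk-register script. It is an added illustration written for this post, not SecurityGate.io platform code, and every control name, likelihood/impact rating, effort estimate, cost and day rate in it is constructed. It scores each gap as likelihood × impact, puts compliance-required gaps first, breaks ties by cheapest effort, totals the remediation budget, and diffs a follow-up assessment against the baseline so the second assessment can be measured against the first.

```python
"""Risk-register triage for a first assessment (illustrative, constructed data).

Scoring, ordering and cost figures here are assumptions for the example,
not a standard or a product's built-in method.
"""
from dataclasses import dataclass

# 3x3 qualitative scale; adjust to whatever your chosen framework uses.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Gap:
    control: str
    likelihood: str           # "low" / "medium" / "high"
    impact: str               # "low" / "medium" / "high"
    compliance_required: bool  # needed for a client or regulatory requirement
    person_days: float        # internal + vendor effort to remediate
    purchase_cost: float      # hardware, software, other materials

    def risk_score(self) -> int:
        # Keep likelihood and impact separate, then combine.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(gaps):
    """Order of attention: compliance-required first, then highest risk,
    then least effort (cheap wins first when risk is equal)."""
    return sorted(
        gaps,
        key=lambda g: (not g.compliance_required, -g.risk_score(), g.person_days),
    )


def remediation_cost(gap, day_rate):
    """Blended cost of one remediation: labour plus purchases."""
    return gap.person_days * day_rate + gap.purchase_cost


def budget(gaps, day_rate):
    """Total operational budget to close every listed gap."""
    return sum(remediation_cost(g, day_rate) for g in gaps)


def compare_to_baseline(baseline, current):
    """Map control -> (baseline_score, current_score) for every control
    whose score changed, appeared, or disappeared since the baseline."""
    base = {g.control: g.risk_score() for g in baseline}
    cur = {g.control: g.risk_score() for g in current}
    return {
        c: (base.get(c), cur.get(c))
        for c in base.keys() | cur.keys()
        if base.get(c) != cur.get(c)
    }


# Constructed baseline results for a fictional small company.
BASELINE = [
    Gap("MFA on remote access", "high", "high", True, 10, 5000),
    Gap("Offline backups tested", "medium", "high", False, 15, 8000),
    Gap("Asset inventory", "high", "medium", False, 20, 0),
    Gap("Security awareness training", "medium", "medium", True, 5, 2000),
]

if __name__ == "__main__":
    day_rate = 1000  # assumed blended internal/vendor rate
    for g in prioritize(BASELINE):
        flag = "COMPLIANCE" if g.compliance_required else "risk"
        print(f"{g.control:30} score={g.risk_score()} {flag:10} "
              f"cost={remediation_cost(g, day_rate):,.0f}")
    print(f"Total remediation budget: {budget(BASELINE, day_rate):,.0f}")
```

Run it and the two compliance-required gaps come out on top regardless of score; among the rest, the two score-6 gaps are ordered by effort. Swap in your own framework’s scale and real estimates, and re-run `compare_to_baseline` after the next assessment to see which scores actually moved.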

Need help with a scenario that doesn’t quite fit in the compliance-based approach above? At SecurityGate.io we’re always happy to help with suggestions and guidance – take us up on the offer and chat with us any time. Also, make sure to join and watch our Ask-Me-Anything webinar. We may have mentioned it a time or two above. 😉

These three items for building your risk management program are going to take some time. Don’t rush; be thorough. There is a lot of ground to cover, but if you take it one small step at a time, you’ll get there.

Brent Gage

After beginning his career as a roustabout on an offshore drilling rig, Brent is now a cybersecurity specialist at SecurityGate.io who performs client consultation and assessments while maintaining and monitoring the platform’s hosting infrastructure.
