Even today, many organizations still take an outdated approach to cyber security, which not only increases their exposure to cyber crime but also creates practical problems for the security team. Lisa M. Cannon MD mentions that adopting a risk based approach to cyber security is the most effective way to address this. Under such an approach, an organization classifies which of its assets would cause the greatest harm if compromised and then allocates security resources accordingly, rather than spreading them evenly across everything. A flexible, prioritized strategy of this kind has become essential now that online attackers are increasingly nimble and sophisticated.
A risk based approach to cyber security is a systematic method for identifying, evaluating and prioritizing the threats a company faces. Lisa M. Cannon MD mentions that this is a customized process: it lets a company tailor its cyber security program to its particular organizational needs and operational vulnerabilities instead of applying a generic checklist.
On the whole, a risk based cyber security program can be divided into five phases:
- Conduct a Business Impact Analysis (BIA): This phase identifies and documents the vital business processes and their underlying dependencies, and then ranks each process by the severity of the impact its loss would cause (for example, how long it could be unavailable before the business suffers serious harm). Lisa M. Cannon MD mentions that the dependencies captured here include both technical and non-technical factors: assets, personnel, applications, data and facilities.
- Perform a risk assessment: Risk assessment is both a quantitative and a qualitative process. It identifies the threats, vulnerabilities and regulatory requirements that apply to each business process and its underlying dependencies, and then estimates the likelihood that a threat is realized together with the consequences if it is. Combining likelihood and impact for each threat yields a risk rating that can be compared across the organization; the BIA ranking from the previous phase feeds directly into the impact side of this calculation.
- Identify and implement needed controls: In this phase the company decides which of the rated risks are unacceptable, and then selects, designs and implements controls to mitigate them and assigns an owner responsible for each control. A control is an activity based statement that gives clear instructions on how a specific risk is to be reduced or mitigated, so that its operation can later be verified rather than assumed.
- Test, validate and report: Once the controls are implemented, they must be validated to confirm that they actually reduce the risks they were chosen for, and the results reported to management. Common forms of testing include business continuity exercises, compliance control assessments, internal audits, follow-up risk assessments, penetration tests and vulnerability scans.
- Continuous monitoring and governance: This final phase centres on repeating the risk assessment. Assessments should be conducted at least annually, and also whenever a significant change to the business, its systems or the threat landscape occurs, since a rating that was accurate a year ago may no longer be. Remediation activities must be implemented, tracked to completion and recorded in the company's risk register. In addition, reporting mechanisms should be established so that employees can identify potential risks and escalate them to the people who maintain the register.
Applied in this way, a risk based cyber security approach can benefit almost any type of modern business, because it directs limited security effort to the assets and threats that matter most.