
Risk-driven information security


Adopt a risk-based approach to information security.

Taking risks is a natural part of doing business. Risk management forms the basis for decisions and creates a healthy balance between threats and opportunities. Both are necessary to achieve the organizational objectives as effectively as possible. Risk management in the cybersecurity domain ensures that an organization's technology, systems and information are protected in the most appropriate way, aligned with what matters to your organization. A good approach to risk management is embedded throughout the organization and complements the way you manage other business risks.

Risk management in security

Every organization deals with risk, and most people are aware that you cannot eliminate or avoid every risk. It is all about getting the balance right. Risk management is the process that supports decisions with the right balance between threats and opportunities, so that organizational objectives are achieved as well as possible. In the security domain, risk management helps protect an organization's data (and all the systems and technology that handle it) and deploy limited resources where they will have the greatest impact. Risk management enables better decisions, but only if it is embedded in the organization.

What are the advantages of risk management?

Good risk management provides:

  • the right information to improve decision making;
  • a way to delegate decision-making across the organization while maintaining appropriate board-level oversight;
  • a foundation for adapting and responding effectively to new threats and opportunities as they arise;
  • a clearer picture of what a good approach to risk management looks like in the context of your organization, whether you are new to cyber risk management or assessing the effectiveness of existing approaches.

What should you do?
Consider the broader context in which you want to manage cyber risk

Think about what your organization does and cares about: what are the business priorities and goals? This may seem like an odd starting point for cybersecurity, but it forms the basis of cyber risk management. Cyber risk management is not separate from what an organization wants to achieve; it must support the organizational objectives. Think about the risks you are willing to take (your risk appetite) to achieve those goals. Against that appetite you can decide which steps are needed to manage cybersecurity risk, and which risks you will accept.

Consider what governance structures are in place to manage business risks

How does managing and communicating about cyber risk fit within those structures? Effective governance matters for cybersecurity risk management because it ensures that the actions an organization takes to limit cybersecurity risk are monitored and controlled. Cyber risk should be addressed in a way that works for your organization, ideally within the structures you already use for other business risks rather than in a separate process.

Ensure that the organization has an adequate policy

An adequate policy approved and owned by the board of directors – outlining the risk management strategy for the organization as a whole – is a must. Make sure that the board collectively has sufficient knowledge regarding cyber security. This ensures that the board understands how cybersecurity supports overall organizational goals. Provide the board with sufficient information, in a format that is manageable when making decisions.

Understand where cyber risk management should be applied

Think about the range of technology, systems, services and information your organization uses. It is important that different sources of information are used to help identify the scope. For example, you can use asset registers and system diagrams for existing systems. For systems in development, you can start with high-level design. Talking to those who use, manage, or are affected by the systems or services will give you a better understanding of what needs to be protected and why. Don’t forget to include elements that may be beyond your direct control but are still part of the broader risk concerns like the supply chain, use of third-party services and cloud services.

Think about how employees interact with technology, systems and services

How employees deal with the various systems, networks and services within the organization is also something to think about. How are employees supported to do this in a safe and usable way? Including this in risk management addresses risks that a purely technical view would miss. A system consists of people, processes and technology: cyber risk management must take into account all three elements and how they interact with each other.

Choose a cybersecurity risk management approach that fits the organization

Consider which approach to cybersecurity risk management, or a mix of approaches, is right for your organization. There are countless tools, methods, frameworks and standards to choose from; the choice depends on the standards or regulations the organization must follow, on cost, and on the level of knowledge available. The most important part? Choose an approach that fits your organization and produces useful risk information about its systems and services. A detailed risk assessment is not always necessary: applying a baseline such as Cyber Essentials, which specifies the basic controls needed, is often enough to protect against the most common cyber attacks.

Do you want to know more about the correct implementation of risk management? One of our experts will be happy to help you on your way!