Information Security Risk Management: How to Get it Right

by Philip Robinson | 08.21.2018 | Data Security

Being the one in charge of Information Security Risk Management (ISRM) can be a stressful, chaotic and ever-evolving job. The rate at which sensitive information is created within most organizations, combined with the rapidly changing nature of threats, means that cybersecurity strategies often cannot keep up. The challenges you face on a day-to-day basis will be hugely varied, and it may often seem like the world is against you.

Having a well-thought-out and detailed ISRM plan will help to alleviate some of these concerns and enable you to take a simple step-by-step approach to securing your IT environment. You will be able to see clearly where your vulnerabilities are and which threats you are most susceptible to, take action to mitigate risks, and ensure you are ready for worst-case scenarios.

If this sounds like something you want to implement in your environment, this blog goes through some of the details of how to make sure your ISRM plan is rock solid.

What is Information Security Risk Management?

In a nutshell, ISRM is the process of protecting information by identifying threats and mitigating risks. More precisely, it means first identifying all the potential risks and threats you are facing, and secondly determining what actions you can take to ensure you are prepared for every scenario involving those risks.

There are numerous frameworks that can help you better define what your ISRM plan should look like, one of which is the NIST framework. I won’t go into detail in this blog about what the NIST framework consists of, as the NIST website itself goes into far more detail. Essentially, however, it comes down to five key functions: identify, protect, detect, respond and recover.

What Does a Good ISRM Strategy Look Like?

The actual ISRM strategy you adopt will be specific to your organization, and it’s not really possible to simply copy what another organization is doing. So, how will you know if your ISRM strategy is working? The best way to judge an ISRM strategy is by looking at its results, not at the strategy itself. Ask yourself some key questions, and if the answers are positive, you’re on the right track.

Examples of the kind of questions you should be asking are:

  • Am I able to detect and react to risks in my IT environment?
  • Am I able to determine which risks are the most pressing and which are not important?
  • Do I have a way of ensuring that our ISRM strategy continues to function as the organization grows/evolves?

If the answer to all of these questions is yes, then you’re on the right track.

How to Get Started

In our experience, getting started on your ISRM strategy means breaking the process down into four manageable stages: assessment, planning, measuring success and maintenance.

Assessment

Before you can even begin to think of what steps you’re going to take to better secure your data and systems, you need to know the current state of your cybersecurity. What do you currently have in place to secure your sensitive data? What are you currently using to track user behaviour and govern access? How regularly are your employees trained on the latest cybersecurity threats, such as phishing attacks? How much are you currently spending on cybersecurity?

These are the kinds of questions you need to ask yourself in order to build up a full assessment of where you are vulnerable, which threats you are most vulnerable to, and what kind of measures you are going to be able to afford. During this stage you will learn a significant amount about what you are going to need to do to build an effective ISRM strategy.

Planning

This stage requires just as much attention as the first, if not more. Go through every inch of your assessment and lay out a plan for how you are going to identify, protect against, detect, respond to and recover from each vulnerability and threat you discovered.

Make sure you clearly define the goals, objectives, deadlines and daily actions you will need to execute the plan effectively. Know who is going to be involved in executing the plan and find out what training they will need, if any. One very important point is to ensure that you have enough people involved to keep the plan running consistently. It’s going to take a lot of manpower.

Where do you want your organization to be (in terms of cybersecurity posture) in one year, two years, five years? Make sure you have these goals and your key metrics clearly defined so that it is easier to measure your success.

Measuring Success

If you have clearly defined your goals and key metrics in the planning phase, then the measuring success phase becomes far easier. If you are hitting your own personal goals (KPIs) and organizational goals within the given timeframes, then you have succeeded, for now.

I also advise that you take a look at some of the industry standards, such as those published by ISO, as a guide to where your organization sits in relation to the rest of the market.

Maintenance

All of these stages should be revisited and repeated at regular intervals. This is not a one-off exercise; it is a continuous effort, and one that will require proactivity and focus. Cybersecurity threats evolve rapidly, as does the way your organization operates. That means your ISRM strategy will also have to evolve if it is going to keep up.

If you need help in detecting and responding to threats in your IT environment, then it is worth taking a look at the cybersecurity solution we offer. LepideAuditor will enable you to detect, alert and react to potential cybersecurity threats through continuous and proactive auditing of user interaction with sensitive data and the surrounding systems.