How to Introduce Information Security Risk Assessment Methodology

Melissa Stevens | July 21, 2016

Today, performing information security risk analysis is an accepted part of managing any business, and it’s something most CEOs and board members take very seriously. They don’t just want to “check a box” for information risk management—they understand that their ability to manage risk adequately is a fundamental part of their long-term success. What’s more, they want to meet the standards of care that similarly-situated, like-minded organizations are meeting. 

Whether you’re the CISO, security manager, or anyone else in management, it’s critical that you can clearly communicate how you approach information security throughout your organization. The best way to do this is by creating an IT risk assessment methodology. You can create this methodology through these best practices:

Common Information Security Risk Assessment Methodology

Threats, vulnerabilities, consequences, and likelihood make up the essential pieces you need to review as part of your IT security risk methodology.

  • Threats: Threats can be posed to your organization by a variety of bad actors. In a cybersecurity context, bad actors can range from nation states, organized criminal syndicates, random hackers, hacktivists, business competitors, insiders, and more.
  • Vulnerabilities: Vulnerabilities on your network can be exploited, which could allow a threat actor the means or capability to achieve whatever bad thing they have in mind. There are many different kinds of possible vulnerabilities, including:
    • Software vulnerabilities.
    • Hardware vulnerabilities.
    • Vulnerabilities in the supply chain.
    • Weaknesses in your hiring, HR, or onboarding process.
    • Weaknesses in your training methodology, and more.
  • Consequences: The list of consequences your organization could face without the proper information security risk assessment methodology in place can range from small annoyances to potentially catastrophic events. You’ll want to consider the following:
    • How do I value the data, systems, or assets that I own?
    • What proprietary information about or from my company could be stolen or compromised (like trade secrets, intellectual property, loss of network uptime, etc.)?
    • What are the most serious consequences that can arise from a cybersecurity incident?
  • Likelihood: What is the chance of a security incident happening in your organization? This is the final (and tricky) piece of the information security risk assessment methodology to understand. You may have to examine if you’re in an industry that is particularly targeted or if the value of your data has particular significance to a group of bad actors.

Qualitative & Quantitative Approaches To Information Security Risk Analysis

If you’re a practitioner in a company and need to create this methodology, then you need to know what the inputs are and where you get your data from. There are two primary methods of doing risk assessments: quantitative and qualitative.

  • Quantitative approach: There are many ways to assess risk quantitatively. You could:
    • Count the number of software vulnerabilities you have.
    • Count the number of critical third-party vendors who have access to your data.
    • Measure the time it takes you to identify and remediate issues on your network.
  • Qualitative approach: While quantitative risk assessments are important, you can’t always put a hard number on loss. For example, you may know that there are bad actors targeting your industry, but you don’t necessarily know who is targeting you or how much risk they represent.
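As an added example (not from the article or its author), the short Python risk register below computes the three quantitative metrics listed above and a qualitative likelihood-by-consequence score per asset; every finding, asset name, vendor name and rating is constructed for illustration.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample findings (not from the article): when each issue was
# introduced, when it was detected, and when it was fixed (None = still open).
FINDINGS = [
    {"asset": "customer-db", "severity": "critical", "introduced": date(2016, 3, 1),
     "detected": date(2016, 3, 4), "fixed": date(2016, 3, 10)},
    {"asset": "web-portal", "severity": "high", "introduced": date(2016, 3, 2),
     "detected": date(2016, 3, 3), "fixed": date(2016, 3, 13)},
    {"asset": "web-portal", "severity": "medium", "introduced": date(2016, 3, 5),
     "detected": date(2016, 3, 12), "fixed": date(2016, 3, 14)},
    {"asset": "hr-system", "severity": "high", "introduced": date(2016, 3, 6),
     "detected": date(2016, 3, 7), "fixed": None},
]
# Constructed vendor inventory: vendor -> does it hold or access our data?
VENDORS = {"payroll-saas": True, "cdn-provider": False,
           "backup-storage": True, "office-supplies": False}
# Constructed qualitative ratings (analyst judgement) per asset.
REGISTER = [
    {"asset": "customer-db", "likelihood": "high", "consequence": "high"},
    {"asset": "web-portal", "likelihood": "high", "consequence": "medium"},
    {"asset": "hr-system", "likelihood": "medium", "consequence": "high"},
    {"asset": "marketing-site", "likelihood": "low", "consequence": "low"},
]
LEVELS = {"low": 1, "medium": 2, "high": 3}

def vulnerability_counts(findings):
    """Quantitative: number of findings per severity."""
    return Counter(f["severity"] for f in findings)

def critical_vendor_count(vendors):
    """Quantitative: third parties with access to our data."""
    return sum(1 for has_access in vendors.values() if has_access)

def mean_days(findings, start, end):
    """Quantitative: mean days between two lifecycle dates, skipping findings
    that have not reached the end state yet (e.g. still unremediated)."""
    return mean((f[end] - f[start]).days for f in findings if f[end] is not None)

def risk_score(likelihood, consequence):
    """Qualitative: likelihood x consequence on a 1-3 scale gives 1..9."""
    return LEVELS[likelihood] * LEVELS[consequence]

def ranked_register(register):
    """Assets ordered by qualitative risk score, highest first (stable on ties)."""
    return sorted(register, key=lambda r: -risk_score(r["likelihood"], r["consequence"]))
```

Running `mean_days(FINDINGS, "introduced", "detected")` gives mean time to identify and `mean_days(FINDINGS, "detected", "fixed")` gives mean time to remediate; the still-open hr-system finding is excluded from the second figure rather than silently counted as fixed.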

In Summary

Examining threats, vulnerabilities, consequences, and likelihood—the essential pieces of your IT security risk methodology—and looking at both qualitative and quantitative approaches to risk assessments are critical to your overall cybersecurity strategy.

Doing so will not only help you better articulate to your organization what you’re currently doing, but it will also help you realize what you aren’t (and should be) doing to reduce information security risk.
