IT risk management is the process of managing cybersecurity risks through systems, policies, and technology. This process consists of three primary stages: identification, assessment, and control, which together mitigate vulnerabilities threatening sensitive resources.
The terms IT risk and information risk are often used interchangeably. They both refer to risk that threatens the protection of sensitive data and intellectual property.
Information Technology risks, both inherent and residual, are present in every organization. IT risk management is, therefore, an essential practice for every business.
What is the Difference Between Risk and Uncertainty?
Risk refers to decision-making situations where all potential outcomes, and their likelihood of occurrence, are known. On the other hand, uncertainty refers to decision-making situations where nothing is known - neither their potential outcomes nor their likelihood of occurrence.
A successful IT risk management plan reduces uncertainty and empowers decision-makers to be completely aware of all information risks in their digital landscape.
Why is IT Risk Management Important?
An IT risk management program minimizes the impact of data breaches, which could translate to considerable cost savings. The global average cost of a data breach in 2020 was US$3.86 million.
In addition to cost savings, an IT risk management plan has the following benefits:
- It helps organizations increase their resilience to cyberattacks.
- It stabilizes business operations.
- It could decrease legal liability.
- It could reduce insurance premiums.
- It protects staff from potential harm.
- It facilitates the achievement of business objectives and business continuity.
Example of a Successful IT Risk Management Plan
The Virginia Mason Medical Center in Seattle, Washington secured their patient safety department with an IT Risk Management plan in 2006. The resulting program was called the Virginia Mason Production System (VMPS).
Since implementing VMPS, Virginia Mason has increased transparency in patient risk mitigation, disclosure, and reporting. This resulted in a significant drop in hospital professional premiums.
The 7 Best IT Risk Management Strategies and Processes
An IT risk management (IRM) framework must account for an evolving threat landscape. As a result, a single set of policies or strategies will not suffice. Because cyberattack tactics are constantly changing, risk management frameworks must be capable of addressing multiple cyber threats through a combination of different control strategies.
When used harmoniously, these strategies should help decision-makers confidently answer the following questions:
- What could go wrong?
- How will this outcome impact the organization?
- How will this outcome impact the achievement of business objectives?
- What can be done to prevent this outcome?
- What can be done to remedy this outcome after it has occurred?
- What are the potential costs of this outcome?
The essential requirements of an IRM program that will help answer the above questions include:
- The ability to continuously monitor the entire attack surface
- The ability to track cybersecurity posture strengthening efforts
- The ability to identify the location of all information
- Remediation management tools capable of prioritizing critical responses
- The ability to evaluate the risk tolerance for all assets
These essential requirements can be met with the following 7 risk management strategies:
1. Risk Identification
All risks that could be potentially detrimental to processes and information security must be identified. Digital transformation has made this task exceedingly difficult since most company data is now stored in the cloud.
The inexorable proliferation of digital solutions obfuscates digital footprints, making it difficult to identify assets and map their relationship to specific processes. This lack of transparency results in many attack vectors being overlooked, placing cloud-based platforms at a higher risk of cyberattacks.
The first step toward complete risk transparency is to identify all of your assets and their locations. This can be achieved through digital footprint mapping.
An attack surface monitoring solution could also identify all of your corporate assets and surface potential risks and vulnerabilities.
2. Identify Risk Levels and the Odds of Each Risk Being Exploited
After identifying all assets and their locations, the level of risk of the data stored in them needs to be quantified.
Not all sensitive data is equal in the eyes of a cybercriminal; some categories are more coveted than others.
A study by IBM and Ponemon found that 80% of assessed data breaches involved customer Personally Identifiable Information (PII).
Sensitive data that offers compounding financial returns to cybercriminals is at the highest risk of being targeted. When customer data is stolen, each victim is targeted in phishing attacks. Each phishing campaign then uncovers new victims that can be targeted in further phishing attacks, extending the pernicious attack cycle.
The level of risk for each data type can then be calculated with a risk formula.
A simple formula for calculating risk levels is as follows:
Risk Level = Likelihood of a data breach X Financial impact of a data breach.
Probability analysis is then used to calculate the potential of each identified risk occurring. This can be evaluated with a risk matrix.
3. Prioritize Each Identified Information Security Risk
To keep the costs of internal security operations lean, response efforts must be efficiently distributed so that the most critical IT risks are addressed first.
This can only be achieved if critical risks are correctly classified. Though some risk calculations are quite accurate, their evaluation involves a lengthy manual process.
Besides accuracy, speed is another critical variable in IT risk analysis because it affects the impact level of a data breach if risks are exploited by cybercriminals.
Victims that respond to data breaches in less than 200 days save an average of $1.12 million.
The ideal solution should be capable of correctly classifying security vulnerabilities and prioritizing them for efficient remediation.
The UpGuard platform meets these two requirements. Users can see a list of all unaddressed vulnerabilities (both internally and in the vendor network) ordered by criticality. Each risk can then be rapidly addressed through the platform's remediation management feature.
4. Establish a Risk Appetite
With all IT risks and their likelihood of exploitation known, a risk appetite needs to be established. Risk appetites help organizations decide which control measures should be assigned to each risk factor. There are 5 control options:
- Risk acceptance
- Risk avoidance
- Risk mitigation
- Risk transfer
- Risk monitoring
A risk appetite (or risk tolerance) sets the maximum level of risk that can be accepted before mitigation efforts are implemented.
Learn how to calculate the risk appetite for your Third-Party Risk Management program.
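The scoring, prioritization, and risk-appetite steps of sections 2 to 4 carried through in code, as an added example that is not part of the original article or of UpGuard's platform. The 5-point likelihood and impact scales, the matrix band cut-offs, the appetite value, and the asset inventory are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Constructed 5-point ordinal scales for the two factors in the article's formula
# (Risk Level = Likelihood x Financial impact). Labels and cut-offs are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ((15, "critical"), (8, "high"), (4, "medium"), (1, "low"))  # risk-matrix bands

@dataclass(frozen=True)
class Asset:
    name: str        # system holding the data (from the identification step)
    data_type: str   # category of sensitive data stored there
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

def risk_level(likelihood: str, impact: str) -> int:
    """Risk Level = Likelihood x Financial impact, giving a score of 1..25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_band(score: int) -> str:
    """Place a score in its risk-matrix band (first threshold it reaches)."""
    return next(name for floor, name in BANDS if score >= floor)

def control_option(score: int, appetite: int) -> str:
    """Risks at or below the appetite are accepted and monitored; anything above
    it must be mitigated (transfer or avoidance are decided case by case)."""
    return "mitigate" if score > appetite else "accept and monitor"

def build_register(assets, appetite: int):
    """Score every asset, tag it with a control decision, and order the register
    so the most critical risk is addressed first."""
    rows = []
    for a in assets:
        score = risk_level(a.likelihood, a.impact)
        rows.append({"asset": a.name, "data": a.data_type, "score": score,
                     "band": risk_band(score),
                     "control": control_option(score, appetite)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory; customer PII is rated highest, in line with the
# article's point that it is the most coveted data category.
SAMPLE_ASSETS = [
    Asset("crm-db", "customer PII", "likely", "severe"),                # 4 x 5 = 20
    Asset("payroll-app", "employee PII", "unlikely", "major"),          # 2 x 4 = 8
    Asset("marketing-site", "public content", "possible", "minor"),     # 3 x 2 = 6
    Asset("dev-sandbox", "synthetic test data", "rare", "negligible"),  # 1 x 1 = 1
]
```

Calling `build_register(SAMPLE_ASSETS, appetite=8)` returns the register ordered by score, with only the customer PII store flagged for mitigation and the rest accepted and monitored.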
5. Mitigate Risks
Mitigation controls should be implemented for each type of risk that surpasses the risk threshold. These controls should address the highest-ranked IT risks first.
These controls should be supported with Incident Response Plans (IRP) to help security teams respond to threats in a timely and controlled manner.
IT risk mitigation controls include:
- Data encryption
- Keeping software updated
- Keeping antivirus updated
- Installing the latest software patches
- Backing up critical data
- Implementing Multi-Factor Authentication (MFA)
- Securing privileged access accounts
- Implementing resilient cybersecurity frameworks
Risk can also be mitigated through a cybersecurity framework. There are many information security risk management frameworks available. The most reputable are listed below.
- COBIT - This framework helps organizations develop an Enterprise Risk Management (ERM) strategy.
- Essential Eight - This is the recommended cybersecurity framework for all Australian businesses.
- COSO (Committee of Sponsoring Organizations of the Treadway Commission) - This framework facilitates secure network operations.
- Factor Analysis of Information Risk (FAIR) - This framework evaluates the relationship between different risks and facilitates compliance with international regulations.
6. Transfer IT Risks
In many instances, it's more efficient and less burdensome for internal security teams to transfer critical risks to either an outside party or a cyber insurance entity.
Partnering with data storage or backup solutions will transfer and mitigate the risk of service interruption in the event of a data breach. Such a partnership also mitigates the risk of internal threats, since employees will not have access to all data resources, and of natural disasters, because there is little chance that the same environmental damage will occur at two dispersed locations.
7. Monitor IT Risks and Compliance
IT monitoring methodologies should be implemented to track the progression of both mitigated risks and risks that were accepted because they fall within the risk appetite.
An example of an IT risk monitoring control is an attack surface monitoring solution capable of scanning both the internal network and third-party networks. Such a wide and deep level of transparency keeps organizations aware of the state of each risk, any related risk, and which vulnerabilities surpass the risk appetite.
Monitoring controls should also assess the effectiveness of mitigation controls. Cyberattackers are always adjusting their tactics to evade security defenses and mitigation strategies. A recent example is the use of ransomware in a supply chain attack by the cybercriminal group REvil.
Security ratings give security teams and stakeholders insight into the security posture of their organization, all of its subsidiaries, and vendors. This feature also instantly confirms the effectiveness of all remediation efforts.
When the immediate feedback functionality of security ratings is combined with attack surface monitoring controls, organizations are confidently aware of the likelihood of a data breach occurring, at any point in their IT environment, at any time.
Cybersecurity KPIs are the binding agents that ensure all IT risk monitoring efforts are supporting overall security objectives. They also facilitate meaningful reports for IT security teams and stakeholders.
Here are 14 important metrics that should be implemented in your IT risk management program.
1. Level of preparedness
2. Unidentified devices on internal networks
3. Intrusion attempts
4. Security incidents
5. Mean Time to Detect (MTTD)
6. Mean Time to Resolve (MTTR)
7. Mean Time to Contain (MTTC)
8. First party security ratings
9. Average vendor security rating
10. Patching cadence
12. Company vs peer performance
13. Vendor patching cadence
14. Mean time for vendor incident response
Learn more about cybersecurity KPIs
Risk Management Process and Standards
The proliferation of data breaches has placed a greater responsibility on organizations to secure their networks and protect customer data. These best security practices are enforced through regulatory compliance.
Industries at the highest risk of cyberattacks, such as financial services and healthcare, are bound to regulatory laws and the security frameworks that facilitate regulatory compliance.
Some examples of regulatory compliance standards are the General Data Protection Regulation (GDPR) for residents in the European Union and CPS 234 for APRA-Regulated organizations.
The chart below demonstrates the top 4 industries being targeted by cybercriminals in Australia. This also reflects global data breach trends.
Industries that are not regulated will still benefit from implementing regulatory frameworks to benefit from their advanced data breach protection controls.
The International Organization for Standardization (ISO) publishes a range of standards to suit all organizations and sectors. The most popular ISO standards for IT security are ISO 27001 and ISO 31000.
The ISO 27001 family offers requirements for information security management systems, and the ISO 31000 family provides guidance on internal risk audits.
ISO has published over 22,700 standards to meet almost every information security requirement. The video below will provide some guidance on which ISO family is suitable for your business risk requirements.
The National Institute of Standards and Technology (NIST) has
Ensuring vendor compliance with regulatory standards is an essential component of IT risk management, since third-party breaches account for almost 60% of data breach events.
This can be achieved through risk assessments and security questionnaires. To support the efficient risk management of information systems, vendor security questionnaires should be managed via a security solution such as UpGuard.
This will alleviate the logistical nightmare of manually tracking the status of multiple risk assessments in spreadsheets.
The UpGuard platform supports the following security questionnaires:
- CyberRisk Questionnaire: Provides a comprehensive assessment of an organization's security posture, from their policy framework right down to their technical controls.
- ISO 27001 Questionnaire: Assesses an organization's security posture against the ISO 27001 standard with risks mapped against ISO 27001 domains. It is also suitable for the assessment of APRA CPS 234 requirements.
- Short Form Questionnaire: A condensed version of the CyberRisk Questionnaire, designed to be sent to smaller organizations.
- NIST Cybersecurity Framework Questionnaire: Assesses an organization's security posture against the NIST Cybersecurity Framework.
- PCI DSS Questionnaire: Assesses an organization's adherence to the twelve requirements of PCI DSS.
- California Consumer Privacy Act (CCPA) Questionnaire: Assesses whether a vendor is compliant with the personal information disclosure requirements outlined in CCPA.
- Modern Slavery Questionnaire: Designed to identify modern slavery risks, address identified risks, and highlight areas requiring further due diligence.
- Pandemic Questionnaire: Designed to help you assess the negative impact of any current or future pandemics.
- Security and Privacy Program Questionnaire: Focuses solely on an organization's security and privacy program.
- Web Application Security Questionnaire: Focuses solely on an organization's web application security controls.
- Infrastructure Security Questionnaire: Focuses solely on an organization's infrastructure security controls.
- Physical and Data Centre Security Questionnaire: Focuses solely on an organization's physical and data centre security controls.
- COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
- ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
- ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
- GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
- CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.
- SolarWinds Questionnaire: Designed to help you assess your vendors that may use SolarWinds.
- Kaseya Questionnaire: To help you determine if you or your vendors were exposed to the sophisticated supply chain ransomware attack.
For highly specific IT risk assessments, UpGuard offers a custom security questionnaire builder that allows existing questionnaires to be edited or completely custom questionnaires to be created.