I have learned over my time working in the cybersecurity space that for many people and business leaders there is a lot of confusion between risk assessment and risk management. Very often the performance of cumulative risk assessments is mistakenly described as risk management. This is particularly common when talking about vendor risk management.
In the most basic of terms, a risk assessment is a one-time exercise. It can take on various forms and cover different time periods but effectively it is a standalone exercise and only provides a snapshot of what risks you have at a given point in time. It can also be mapped to a particular cybersecurity framework, such as SOC 2 or HITRUST, so you can see how you are performing, at the moment, against that standard or regulation. Most commonly, a risk assessment takes the form of a questionnaire where answers are submitted about the current status of various security controls.
Risk management, on the other hand, is the continuous process of tracking risk from multiple risk sources, including risk assessments, and then addressing gaps between your current risk profile and your target risk profile. The risk management process starts by identifying the types of risks that are important to your business and then applying those risks to risk items such as people, organizations, facilities, or assets.
Every successful journey requires a destination, and so an organization must define what success is by documenting what an acceptable level of risk is. The risk management process continually tracks, manages, and mitigates risk until the desired risk state is achieved. Even then, since we operate in a dynamic environment, risk monitoring must be continuous because both the risk posture and the risk objectives are always subject to change.
Calculating risk is as much art as it is science. Common practice is to assign a criticality status to risk items such as assets. Criticality defines how important that asset is to the business. Risk is usually calculated by estimating the likelihood of a risk event occurring against the impact that event might have. The resulting risk score can then be applied to risk items. For example, if we take a natural risk event such as a hurricane, we can estimate how likely it is for such an event to occur, and then what impact such an event might have should it occur. Clearly, there is a lot of subjectivity here, and the estimate can be affected by the bias and risk tolerance of the person making it. In addition, the estimate will also vary based on the attributes of the asset itself, for example its criticality and location.
Because of this level of subjectivity, individual risk scores carry little weight. But as we build up a risk profile, i.e. add multiple risk items to a risk, and multiple risks to a risk item, we get to see a high-level picture of current risk and can start to measure the distance between current risk and target risk.
There are many things we can do to reduce risk. These are called risk mitigations. Taking again the example above of a hurricane, perhaps we have applied this risk to a data center, or to all the assets within that data center, all of which would likely be classified as critical items for the continuation of service.
Let's assume that the data center is in a location known for frequent and severe hurricanes. Clearly, the likelihood of an event would be very high, and the potential impact could be catastrophic. There is little we can do to affect the likelihood of a weather event, but if we were to reinforce the physical resiliency of the facility and add backup generators we could potentially reduce the impact. Additionally, if we built a redundant failover site in another part of the country, perhaps we could reduce the impact, or the service disruption, to a minimum.
All of these steps would be considered mitigations and if implemented appropriately would help reduce the risk of an adverse weather event impacting service. The objective then would be to continue to add mitigations until the target risk has been achieved.
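The hurricane scenario above, worked through as a small risk register. This is an added illustration, not Ostendio's own code or scoring model; the 1 to 5 likelihood, impact and criticality scales, the per-mitigation reduction factors and the target score are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    likelihood_factor: float = 1.0  # 1.0 means the mitigation leaves likelihood unchanged
    impact_factor: float = 1.0      # 0.5 means it halves the estimated impact
    implemented: bool = False       # only implemented mitigations count toward current risk


@dataclass
class RiskItem:
    name: str
    criticality: int  # assumed scale: 1 (low) .. 5 (critical to continuation of service)


@dataclass
class Risk:
    name: str
    likelihood: int  # assumed scale 1..5, estimated before any mitigation
    impact: int      # assumed scale 1..5, estimated before any mitigation
    target: float    # acceptable residual score (likelihood x impact), an assumption
    items: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)

    def initial_score(self) -> float:
        return float(self.likelihood * self.impact)

    def current_score(self) -> float:
        lik, imp = float(self.likelihood), float(self.impact)
        for m in self.mitigations:
            if m.implemented:
                lik *= m.likelihood_factor
                imp *= m.impact_factor
        return lik * imp

    def gap_to_target(self) -> float:
        return max(0.0, self.current_score() - self.target)


def risk_profile(risks: list) -> dict:
    """Criticality-weighted current score per risk item, summed over every risk
    applied to it: the aggregate 'current risk' view of the register."""
    totals: dict = {}
    for r in risks:
        for item in r.items:
            totals[item.name] = totals.get(item.name, 0.0) + item.criticality * r.current_score()
    return totals


def hurricane_example() -> tuple:
    """Constructed scenario: critical data center in a hurricane-prone location."""
    dc = RiskItem("primary data center", criticality=5)
    hurricane = Risk("hurricane", likelihood=5, impact=5, target=4.0, items=[dc])
    hurricane.mitigations = [
        Mitigation("reinforce facility", impact_factor=0.5, implemented=True),
        Mitigation("backup generators", impact_factor=0.75, implemented=True),
        Mitigation("failover site in another region", impact_factor=0.25),
    ]
    before_failover = hurricane.current_score()  # still above target
    hurricane.mitigations[2].implemented = True   # add one more mitigation
    after_failover = hurricane.current_score()    # now within target
    return hurricane.initial_score(), before_failover, after_failover, hurricane.gap_to_target()
```

Likelihood stays at 5 throughout, mirroring the point that a weather event's likelihood cannot be mitigated; only the impact side of the score moves as mitigations are implemented.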
Risk assessment and risk management are both important. In order to be able to manage risk, we need to understand what it is, and so risk assessments are a critical component of risk management, not just initially but throughout the process. But it is critical that we don't stop at the assessment stage, as knowledge is only truly valuable when you act on it.
Within the Ostendio platform, there is an Assessments module, which can be used to conduct various types of Risk Assessment. The module allows for template assessments to be created in line with over 100 standards and regulations, or custom assessments can be created. Assessments can be conducted internally or sent for completion to third parties such as vendors, where individual assessment questions can be weighted and scored to provide an overall assessment score.
The platform also has a dedicated Risk Management module that allows for all risk types to be created, risk items to be associated with risks, and risk mitigation assigned and tracked. Risks and risk items can be viewed in a risk register, individually or in the aggregate, and progress can be measured between Initial Risk, Current Risk, and Target Risk.
Questions about how likely a risk is and how bad its impact could be can be challenging to answer. As business leaders, we do not want to think about the likelihood of a risk coming to fruition, and certainly not about how bad it could be! But thinking about these questions, and trying to find solutions as a Chief Information Security Officer, started the road that led to the creation of Ostendio. Even more importantly, this risk management thinking led to the development of the Ostendio platform.
Ready to see how Ostendio can guide you through the process of building a complete Security and Risk Management program? Explore our platform overview and then contact us for a demo today at info@ostendio.com.