By Madison Iler   /   Nov 9th, 2021

How to Measure Cybersecurity Risk: The Secret to Getting the Maximum Value From a Risk Assessment

At LMG Security, we conduct a lot of cybersecurity risk assessments, and they don’t all look the same – one of the big differences between assessments is how we measure cybersecurity risk. Some clients engage us to identify their top cybersecurity risks to help them plan and prioritize risk reduction activities. Others require an annual or periodic risk assessment to meet compliance obligations, such as HIPAA or financial industry regulations. Others may focus on a specific threat, application, business area, data type, or the implementation of a new SaaS solution. Understanding how to measure cybersecurity risk and scoping your assessment to get the right information is the first step to ensuring you get the maximum return on your investment.

In general, risk assessment involves identifying what you need to protect (i.e., sensitive data, critical systems) and the vulnerabilities and threats associated with those assets. Vulnerabilities and threats are then assessed for the likelihood and the potential impact of an exploit, taking into account existing security controls (technical or non-technical) that can mitigate or lower your risk.

This blog offers ideas and considerations on planning the scope of your cybersecurity risk assessment to maximize value for your organization and support the overarching goal of risk reduction. I will also share some trends we’re seeing in cybersecurity risk assessment, such as intentionally limiting the scope to a specific high-value asset or sensitive data or choosing to dig into a specific threat an organization is worried about. Then in a follow-on post later this month, I will offer some thoughts on planning ahead to make your assessment results actionable.

How to Measure Cybersecurity Risk

It’s easy to assume that a cybersecurity risk assessment by nature must be comprehensive and include all possible threats, assets, and risks, but it doesn’t have to be! To get the most value from your assessment and meet your organizational concerns and goals, it can be beneficial to define your scope carefully up front. How to measure cybersecurity risk will change based on your organization’s needs. A broad scope may make sense in some cases, but consider that it may come at the cost of added complexity, timeline, and resource usage. Intentionally limiting or targeting your scope can add speed and efficiency while maximizing value in terms of identifying opportunities to reduce risk. How to measure cybersecurity risk depends on your goals, budgets, and timelines. Let’s look at some ways you can customize your risk assessment so you get the most bang for your buck.

The Secret is to Properly Define Your Scope

One size does not fit all when you are scoping a cyber risk assessment. Most organizations don’t realize that spending more time on this initial part of the engagement can help maximize their ROI. Here are some best practices for planning the scope of your assessment and tips for determining whether a targeted scope may fit your needs:

  • Focus on potential for high impact: Are your organization’s “crown jewels” housed primarily in a specific application or accessed by one department? If so, consider a targeted risk assessment on a specific application or sensitive data type to focus on threats and vulnerabilities most applicable to those areas. By choosing to scope your assessment this way, you are focusing on how to measure cybersecurity risk in an area with the highest potential impact in the event of a security incident. This approach fits with risk-based planning, by explicitly deciding that other applications or data present lower risk to your organization and therefore do not justify the same level of focus as your higher-stakes assets.
  • Focus on high likelihood: Considering every possible threat scenario is time-consuming and may not provide much actionable value for threats that seem to have a low likelihood in your environment. It’s OK to focus on a single threat your organization has experienced or is concerned about, or to decide to focus on a handful you think are most likely.
    • Review your organization’s history of incidents. Did most of them start with phishing? Or do your users consistently perform poorly on phishing tests? If so, use that knowledge to put phishing on your short list of top threats.
    • Consider most common threats. Many organizations continue to ask us about ransomware as a primary threat. We see so much client interest specifically in ransomware that we built a ransomware risk assessment service to focus on ransomware risk factors and risk reduction strategies, as described in a previous blog. If you know up front that ransomware (or a different threat) is of top concern to your organization, it makes good sense to focus your efforts on it.
  • Focus on vulnerabilities: If your organization keeps a risk register or Plan of Action and Milestones (POA&M), or if you’ve recently done an audit or controls gap assessment (internal or through a third-party), consider using those existing repositories as the basis for your risk assessment. The idea here is to focus on identified gaps and weaknesses to determine the risk level they present for your environment. This can help with prioritization of risk treatment activities and budget/resource allocation.
    • Tip – if you have an existing repository to work from, simply add columns or fields for likelihood, impact, risk rating, and any relevant notes on how the ratings were selected, such as data sensitivity considerations, system criticality, or compensating controls. There’s no value in reinventing the wheel if you can leverage an existing spreadsheet or other repository.
  • Focus on change: LMG Security is often asked to assess risk related to a specific SaaS solution being considered for use by the client. My colleague Ben Kast wrote a great blog last month on how to approach security assessment for a SaaS solution. This approach can be used for applications you are already using or as part of your security review processes related to acquisitions, vendor vetting, or change management.
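As an added illustration of the "focus on vulnerabilities" tip above (this is example code written for this post, not an LMG Security tool), the script below models a risk register that has had likelihood, impact, compensating-control and notes columns bolted onto existing findings, then derives a risk rating and a prioritized order from them. The 1–5 scales, the rule that each documented compensating control lowers likelihood one step, and the High/Medium/Low thresholds are assumptions for the example, and the register rows are constructed.

```python
from dataclasses import dataclass, field

# Assumed scales: likelihood and impact are both rated 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskEntry:
    finding: str                      # gap or weakness already in the POA&M / register
    likelihood: int                   # inherent likelihood, before compensating controls
    impact: int                       # driven by data sensitivity / system criticality
    compensating_controls: list[str] = field(default_factory=list)
    notes: str = ""                   # how the ratings were selected

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} for '{self.finding}' must be {SCALE_MIN}-{SCALE_MAX}")


def residual_likelihood(entry: RiskEntry) -> int:
    """Assumed rule: each documented compensating control lowers likelihood one step, floor 1."""
    return max(SCALE_MIN, entry.likelihood - len(entry.compensating_controls))


def risk_score(entry: RiskEntry) -> int:
    """Residual likelihood times impact, range 1..25 on the assumed scales."""
    return residual_likelihood(entry) * entry.impact


def risk_band(score: int) -> str:
    """Assumed thresholds for turning a numeric score into a rating column."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def prioritize(register: list[RiskEntry]) -> list[tuple[str, int, str]]:
    """Return (finding, score, band) rows, highest risk first, for treatment planning."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(e.finding, risk_score(e), risk_band(risk_score(e))) for e in ranked]


# Constructed sample register rows (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Staff fall for phishing tests", 5, 4, ["MFA on email", "phishing training"],
              "incident history: most incidents started with phishing"),
    RiskEntry("Unpatched file server holding PHI", 4, 5, [], "regulated data, critical system"),
    RiskEntry("SaaS vendor without SSO", 3, 4, ["contract security review"], "vendor vetting"),
    RiskEntry("Legacy printer on guest VLAN", 2, 2, [], "isolated, no sensitive data"),
]

if __name__ == "__main__":
    for finding, score, band in prioritize(SAMPLE_REGISTER):
        print(f"{band:6} {score:2}  {finding}")
```

Because the output is ordered by residual score, the row with the highest rating is the first candidate for risk treatment budget, which is the prioritization the tip is aiming for.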

After you nail down how to measure cybersecurity risk to meet your organization’s needs, another area that deserves some thought and planning in advance is how to make your assessment results actionable to support cybersecurity risk reduction. That will be the topic of my next post. Stay tuned!

Also take a look at my previous blog on what to do after your risk assessment for guidance on using your risk assessment results to prioritize and plan your risk treatment activities. Thinking ahead to what you will do with the results can be hugely helpful in planning your assessment scope, approach, structure, and outputs.

Would you like advice or support assessing risk to your sensitive data and critical systems? LMG Security’s experienced consultants can work through this process with you to scope a risk assessment to best suit your organizational goals and needs. Contact us for more information.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely-accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds her CISSP and HCISPP security certifications.