Expert Interview: Security & IT Risk Management Best Practices
There is a certain correlation between a risk and an issue. To put it in simple terms, an issue is the result of a risk being realized. Therefore, risk management plays a vital role in proactively addressing potential cybersecurity problems before they occur. As the graphic below shows, however, many companies do not have a formal IT risk management program in place.
Despite its obvious usefulness, businesses are often unsure whether or how to implement risk management in their normal activities. Questions they struggle to answer may include:
- What risk management program would be appropriate for my business?
- How will it affect my business dealings?
- Who should I turn to for advice on risk management matters?
To help answer these questions, I asked Emilian Papadopoulos, president of the Washington D.C.-based company Good Harbor Security Risk Management, to share insight into risk management best practices.
1. What does your risk management program include, and how is it aligned with the business goals of your clients?
Papadopoulos: The companies with the best cybersecurity programs start with risk management and governance. Management teams first need to discover and prioritize the biggest cyber risks based on their unique business operations, customers, regulators and other stakeholders. The most important risks vary by company, even within the same sector.
Second, management teams need good governance, including an officer who is accountable for cybersecurity, good reporting to the CEO and/or board, and a whole-of-enterprise effort to get all parts of the business contributing to cybersecurity. Once those fundamentals are in place, the management team can drive cybersecurity measures like policies and technologies to mitigate the biggest risks.
2. What are your risk management recommendations for businesses of different sizes?
Papadopoulos: Every enterprise is different. For large enterprises, one of the challenges is keeping pace with the evolving threat while “turning the Titanic” in terms of company-wide budgeting, staffing, technologies and processes. Good governance helps.
Change management is also critical, since too many rapid changes can frustrate employees if they do not understand why cybersecurity is important and challenging; good training and awareness activities can help employees develop a culture of cybersecurity that enables rapid change by cybersecurity teams and management.
For small organizations, three of the most useful best practices are:
- Minimizing digital footprint (“do I really need to store that data in the first place?”)
- Getting support from big enterprise customers (if you are a B2B company) who want your cybersecurity to be successful
- Using outsourcing effectively, for example by contracting with a managed security services provider (MSSP) to monitor networks and respond to incidents
These very informative answers prompted me to draw some inferences. Identifying the risks that apply to a given company is important, but of equal importance is having an excellent team versed in cybersecurity to put the security policies in place into practice, among other things. The graphic below supports my observation:
There are specific risks that tend to go hand in hand with businesses of different sizes. While high occupational labor mobility and non-existent or ineffective cybersecurity training and awareness are the Achilles’ heel of large enterprises, small businesses should consider seeking the help of trusted experts to mitigate security risks.