Cybersecurity Risk Management Best Practices

In today’s fast-paced business environment, IT modernization and digital transformation are strategic imperatives for any business that wants to maintain a competitive edge. The reliance on more digital processes and technologies raises the exposure to cybersecurity threats, emphasizing the need for a more strategic approach to cybersecurity risk management.

Securing your organization and data in this environment is especially challenging when the traditional network boundaries are disappearing. Cybersecurity risk management helps you understand your cyber risks and reduce their potential impact.

Here are some best practices to consider.

1. Take a risk-based approach. 

As with any type of risk, it’s not realistic to expect that you can eliminate cyber risk completely. But you can anticipate the threats, plan for them, and reduce risk more effectively. A risk-based approach to cybersecurity risk management is a best practice that helps you prioritize risks based on criteria such as likelihood, exposure, and impact.

In short, cybersecurity risk management, or risk mitigation, is the continuous process of:

• Identifying, analyzing, and evaluating cybersecurity risks and vulnerabilities
• Using assessment tools to prioritize them
• Implementing strategies for mitigating and reducing risks through a variety of controls

The purpose of a cybersecurity risk management plan goes beyond protecting your organization from cyber threats. It serves other objectives, such as:

• Minimizing disruptions and their impact on operations and services
• Ensuring you can maintain business continuity
• Reducing operating losses, repetitional damage, and other adverse effects

Taking a risk-based approach is an iterative process—think of it as a dynamic tool that you’re constantly using to make strategic decisions.

2. Develop a cybersecurity risk management strategy.

A cybersecurity risk management strategy provides a roadmap for your mitigation activities. When creating a cyber risk strategy, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends asking questions such as:

• How could cyber threats impact different areas of your organization, from human resources and supply chain to public relations and operations?
• What type of critical data could be lost of compromised? This may include sensitive customer data, intellectual property, and personally identifiable information (PII), among other categories.
• How can you minimize cyber risks so you can create long-term resiliency?
• What is your organization’s current level of cyber risk?
• How does your cybersecurity risk management plan apply best practices and standards?

Some of the steps for creating a risk management plan include:

• Understand your valuable, critical assets—including data, networks, and computer systems—that cybercriminals may target. These are the assets you’ll need to protect.
• Identify your risks—not only past and current but potential future ones—affecting those assets. These may include insider threats, attacks like ransomware, and so on.
• Prioritize mitigation measures based on risk assessments. This helps allocate resources to the areas that provide the best protection.
• Evaluate your current controls, then identify the gaps to fill. Monitor continuously, because your risks, like your environment, are dynamic and always evolving.
• Document your security goals, policies, and processes and review them regularly.

3. Adopt a cybersecurity risk management framework.

A framework is the vehicle for developing a risk-based approach by honing in on the most critical risks. Although you can develop your own, adopting one of the well-established, common frameworks is the better method for many organizations because these frameworks are built around recognized industry best practices.

These standard frameworks provide a set of processes you can follow to assess your organization’s risks and develop response activities. Three of the common ones include:

National Institute of Standards and Technology (NIST) Risk Management Framework (RFM): As NIST describes it, the RFM “provides a flexible, holistic, and repeatable seven-step process to manage security and privacy risk and links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).” Although the RFM was designed for federal government agencies, any organization, regardless of sector or size, can use the RFM approach for cybersecurity risk management.

NIST Cybersecurity Framework: Developed by NIST in collaboration with the private sector, the NIST Cybersecurity Framework (CSF) complements the RFM. However, many organizations adopt it as their primary vehicle for managing cyber risk.

According to NIST, the CSF is “adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.”

The framework focuses on five core activities:

• Identify—understand the business context and the related risks so you can establish priorities
• Protect—develop the safeguards and controls to ensure you can maintain critical services
• Detect—ensure you can identify cybersecurity events
• Respond—implement the appropriate actions when a cybersecurity event is detected
• Recover—ensure you can restore services and operations and maintain resilience

ISO/IEC 27001: The International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), has developed this framework specifically for information systems. In addition to providing international standards and best practices for implementing an information security management system, the ISO offers an ISO/IEC 27001 certification program performed by third-party accredited agencies.

4. Don’t stop at compliance.

Meeting regulatory compliance is a priority for organizations across all sectors today, given the broad range of regulations, but even more so for highly regulated industries like financial services and healthcare. A common mistake, however, is to think that compliance equals risk management.

Compliance standards are often the lowest benchmarks for security. They provide a good baseline for minimal requirements. Using them as a starting point, you need to consider best practices— such as those established by NIST, the Center for Internet Security, and other industry leaders—that enable you to defend your assets proactively rather than constantly putting out fires.

5. Implement defense-in-depth.

Cybersecurity practitioners have adapted the concept of defense-in-depth from the military. The idea is to create barriers that impede the adversary’s progress and stop them from achieving their end goal. In cybersecurity, this means implementing detection and response measures to intrusions, especially for advanced, persistent threats.

Some of the mitigation measures that the National Security Agency recommends for defense-in-depth include:

• Automating software updates and upgrades to the extent possible, minimizing the window of opportunity for threat actors to create exploits
• Defending privileges and accounts with tools such as privileged access management (PAM), automated credential management, and access controls
• Implementing multi-factor authentication (MFA), prioritizing accounts that have remote access, elevated privileges, and access to high-value assets
• Creating, reviewing, and exercising a system recovery plan to ensure you have effective data restoration
• Continuously hunting for network intrusions to detect, contain, and eradicate threats in your network

6. Apply metrics to measure effectiveness.

Meaningful and measurable metrics help evaluate how well the cybersecurity risk management activities are performing. Organizations can draw from a variety of key performance indicators that the industry relies on, such as:

• Days to patch: the number of days it takes to patch critical vulnerabilities
• SOC alerts: the number of security alerts received and resolved by the security operations center (SOC) on a weekly or monthly basis
• Mean time to detect (MTTD): the average time it takes the security team to detect a threat
• Meant time to recovery (MTTR): the average time it takes to recover from an incident after it was detected
• Security ratings: scoring provided by third-party cybersecurity scoring platforms

7. Test your incident response and disaster recovery plan.

Plans for incident response, disaster recovery, and business continuity are a common part of cybersecurity risk management. The step that organizations commonly overlook is the practice portion of those plans. In the heat of the moment, the crisis demands all the attention of your response team— and if they haven’t practiced the steps, they’re more likely to become overwhelmed.

Practice drills, tabletop exercises, simulation tests, and other hands-on activities provide your risk management team the opportunity to understand the procedures, resulting in faster response to real incidents and fewer escalations. Implement these practice runs across the entire organization, not only for the IT team.

Managing your risks proactively.

In a digital, dynamic environment, transforming your security from a technology-centric approach to a people-centric one can help you manage risk proactively rather than constantly reacting to new threats. SailPoint protects your business and helps you manage risk by enabling secure access to your valuable assets from anywhere. Learn more about SailPoint’s approach to Identity Security.