We’re about to talk about risk and risk registers, but let’s put them in context for a moment. Do you get your news online? Or from a good old-fashioned newspaper? Maybe you read both. The hard copy to get the weather and the broad view—but the online version if you want to know what’s happening now. Sometimes you don’t need to know the latest. In business, you often do.
Security-related risk is one of the key elements of an organization’s operational risk. So for a security Compliance leader, up-to-date knowledge of their company’s risk posture is essential. Of course, knowing the risks is not enough; unless they are also addressed properly, the company won’t be in a healthy state for long. So let’s get into the meat of this discussion. In brief, a Compliance leader should know:
- What exactly are the organization’s risks?
- How are you addressing them?
- Are your strategies to mitigate risk working?
And in all this, how does a Compliance automation solution help? (Spoiler: It really does.)
Building a Risk Register
Time is tight, information is scant. Risk identification is essential, but where do you start?
Create a Baseline
One possibility: have a lot of conversations with stakeholders throughout your company, and at each level, find out where the relevant risks are clustered. The trouble with all this talk: It involves a lot of people and time.
Better: You can get a solid, faster assessment of your security needs by looking at your Compliance requirements, because most security practices align with requirements for Compliance. So look at risk identification methodologies, such as Secure Controls Framework’s™ (SCF) Security & Privacy Risk Management Model (SP-RMM); Center for Internet Security Risk Assessment Method (CIS RAM); and the NIST Risk Management Framework (NIST RMF), to help you identify risks in your own organization.
Example: Access control. You might find that, in order to conform to the requirements of sections 6.1 and 6.2 of CIS Critical Security Controls v. 8, user access provisioning and de-provisioning procedures should be in place and should be guided by several principles, including least privilege, RBAC, separation of duties, etc. If your organizational procedures are not meeting those principles, risks arise—such as that of a data breach due to a disgruntled employee who did not have their access revoked as part of the offboarding process.
Tailor Risks to Your Business
Frameworks are good for creating a baseline of risks. But the goal in creating a risk register is to reflect the risks that apply to your unique business, in order for you to figure out how to address them. So as your company matures—or sooner—you’ll want to refine your risk register, based on the facts that apply to your business. Here is where those conversations with other teams can uncover issues that you could not otherwise know. See our Risk Management Guide for a more detailed discussion.
You’ve Succeeded in Creating a Risk Register! Now, What do You do With it?
Congratulations. You created a risk register. Now what? You can respond to risk by avoiding, accepting, or transferring risk, but Compliance is most useful when you want to mitigate risk, i.e. reduce risk by using controls. To do that, you’ll map controls to the relevant risks, and that’s easier when you have a Compliance automation solution.
Determining the Controls Needed to Respond to Risk
Many frameworks, such as SCF, map controls to the risks they cover, making it relatively easy to determine the controls that will help respond to specific risks in those cases. For other frameworks, such as NIST RMF, you’ll have to go further to identify risks that are unique to your organization and to determine the appropriate controls. In that case, you might use a framework as a first step, but not the only step.
The work doesn’t end with knowing that you have controls that are relevant to specific risks in your register. To have a better understanding of how each control is impacting the risk at hand, you need a Compliance automation solution that allows you to link the relevant controls to the risk. In managing controls at the framework level (think ISO/IEC 27001, SOC 2, NIST CSF), you are directly impacting the residual risk level of any mapped risks. Without having visibility into this, this relationship is purely theoretical, rather than actionable.
{{banner-image}}
How Effective are Your Controls?
By now, you’ve assessed your risks using frameworks to guide you; with risks identified, you’ve mapped controls to them and implemented those controls with proven strategies to mitigate risk. And you’re done, right? Not quite. Once you’ve invested in controls, you need to show they are effective. And you really need to know if your controls aren’t working optimally so that you can invest in other controls. So how do you know how effective your controls are to assess and mitigate risk?
Justifying Your Investment in Controls
Your Compliance automation solution must provide data to prove that controls are working. Only data proves whether you are successfully implementing ongoing risk management and meeting Compliance frameworks today, not your last audit. So the ideal Compliance solution includes a risk application or dashboard that shows not just the risks with the controls linked (as we mentioned above), but also has data that shows whether and how those controls are working to reduce risk. That’s how you can tell, at any time, based on continuous data, whether your investment in controls is giving you the ROI you’re relying on. The knowledge that comes from continuously monitoring risk and controls is essential because it lets you course-correct more quickly if the data shows that controls aren’t effective. It also lets you give leadership up-to-date information for informed decision-making on investments in risk reduction.
That’s why risk and Compliance automation tools are increasingly used in order to provide continuous, real-time, data-based evidence that controls are working and are therefore actually mitigating risk.
Let’s Look at a Working Control
Example: Using NIST Cybersecurity Framework (NIST CSF) to understand security Compliance posture. One of the controls in NIST CSF is Anomalies and Events Detection (DE.AE-2), which requires that events from critical security tools are logged and alerts are triggered and analyzed. This data, collected from tools such as AWS CloudWatch, PagerDuty, and Lacework, would confirm that a control is working effectively by indicating, for example, an excessive number of failed authentication attempts. Because we have mapped the control (DE.AE-2) to the risk, users are able to determine the residual risk because of how effective the control is. If the data is favorable, the control is good, and we’ve gone from theoretically knowing that a given control will assess and mitigate risk to having proof that risk is actually lower.
An organization that assumes it is safe because it implemented a control may be unknowingly facing as great a risk as if it had not implemented the control at all. A Compliance solution that gives us data to prove a control is working towards mitigating risk is the only way we can know that our investment in controls actually makes our organization more secure.
No News is…No News
As a Compliance leader, you can’t assume that no news is good news, because you have to be alert to your company’s risk posture at all times. It all starts with risk identification: using frameworks is the first of the steps in creating a risk register, then you can work towards making the risk register more relatable to your organization through conversations with relevant stakeholders. Compliance frameworks help you relate controls to those identified risks. Finally, your system of Compliance, and particularly Compliance automation in risk management, provide real-time data for defining the quality of the controls you’ve implemented, so you can know the extent of risk mitigation you’ve achieved for your organization.
Anecdotes, leaders in Compliance OS, can identify, assess and mitigate your business risks with stellar efficiency. Maximizing your risk register, our Compliance automation enables your business to risk big, where it counts most. Book a demo to see how the only data-powered automation and management platform, designed for scale, can benefit you.
So here’s the latest: Positive, reliable data means controls are good, which means risk is lowered. Now that’s good news.