Step Five – What’s The Worst That Can Happen? (Defining Organizational Risks)

This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.

Your cybersecurity strategy must clearly articulate the risks the organization faces and the possible consequences.

We’re at a pivotal part of the development process for creating a winning cybersecurity strategy! We have by now collected the foundational information and intelligence required to determine what shape the strategy must take. To recap, we have:

  • Collected the data relevant to what you organization is all about: Who Are You?
  • Determined the current state of your organization’s cybersecurity capabilities: Where Are You?
  • Researched the current and projected threats and trends relevant to your organization: Who Goes There?
  • Established the organization’s primary goals, objectives, and drivers: What’s in It for Me?

This is the point where we amalgamate this gathered data and intelligence to analyze it. The intent is to determine and define the risks facing the organization that we must primarily be concerned with. Everything collected up to this point should be enough to allow you to form a clear picture of the risks facing your organization.

Side Note:

At this point, don’t be too focused on what you’re going to do about those risks. You first want to state them. The statement itself, however, will usually provide you with a pretty clear picture of what you need to subsequently do.

A few people may say:

“What’s the point of outlining the risks? Isn’t that already clear from the gaps outlined in the current state assessment and from the threat research?”

There may be some folks with that position. But they have to remember two key points:

  1. Cybersecurity is, ultimately, about managing risk. It’s not enough to understand the gaps and possible threats we face now and in the future. It’s the risks these elements present to the organization. And those two aren’t the only sources of risk; they’re just very important components.
  2. Somebody has to pay for the Cybersecurity Strategy. Will key decision makers care enough about gaps in the current cybersecurity posture and some potential threats enough to approve a pricey budget to deal with them? Remember we need to make sure we are connecting what we have learned to what is important to the key decision makers and, by extension, the rest of the organization.

Side Note:

It goes without saying that any risks you outline here are with the full understanding of what the organization’s Enterprise Risk Management (ERM) function is already looking at. They are typically a key decision maker in most scenarios anyway. However, as we all know, ERM’s focus is broader than cybersecurity. So, our intent here is to focus on those organizational risks that have a connection with cybersecurity.

With that in mind, here are a couple of things to think about:

Remember Who’s Risks They Are

When you are working out the risks to the organization, articulate the risks in a manner that demonstrates their impact to the organization, not to cybersecurity. You’re not addressing cybersecurity risks when you’re presenting to the key decision makers, you’re addressing their risks.

Side Note:

How we address those risks (more on that in a later blog post) will of course be articulated from the cybersecurity perspective. But there must be a clear connection between the risks facing the organization (and the key decision makers in particular) and the subsequent actions cybersecurity will take as a result.

When determining the organizational risks, you will have to make sure you are drawing on everything you learned in the first four steps, bring them all together and frame them from the business perspective as opposed to a cybersecurity perspective. Here is an – admittedly high-level – example:

  1. From “Who Are You?”, you have determined the following: The organization is a state agency that has a mandate to provide effective services to the citizenry in as short a time as possible. The agency’s priority for the next two years is to launch an automated service utilizing new Cloud technologies to reduce the amount of time citizens have to wait to receive a response and receive their requested service.
  2. From “Where Are You?”, you have determined the following: An assessment of the organization’s current cybersecurity state reveals that the information security function has a security architecture that is purely on-premises focused and they have no capabilities to secure a Cloud-based environment (or associated applications) at this time.
  3. From “Who Goes There?”, you have determined the following: An analysis of current and projected threats indicates that there are numerous current threat vectors that would target this type of service and could potentially compromise the application and its data (with potentially sensitive information such as Personally Identifiable Information – PII) with ease.
  4. From “What’s in It For Me?”, you have determined the following: Key decision makers have stated that the launching of this service is an imperative and will be key to improving the agency’s reputation as it is currently seen as behind the time and notoriously slow to adapt.

From this intelligence, we can define the following sample risk description/consequence:

Risk: Inability to support and secure Digital Business Transformation Initiatives
Description: The current information security function lacks the capability to support our organization’s digital transformation goals. Without the ability to secure the planned digital workload and environment, there is a high risk of compromise and data loss or theft. This would result in serious reputational damage to the agency and exposure to potential legal action. Failure to move forward with the digital transformation initiatives however will present to the public the perception that we are not modernizing or adapting with the times.

In this manner, you can determine and state risks to the organization that will allow the key decision makers and stakeholders to establish a connection with what is important to them and what you are trying to address – for the organization.

Don’t Go Behind the Curtain

Finally, it needs to be established that you should not determine the risks in isolation. It’s important to retain your hold on the concept of open communications and collaboration during the definition of organizational risks. You are working to formulate the risks in a manner that articulates the risks to the business in a language that connects the key decision makers to them. It’s therefore important to maintain that connection and present the risks as you define them to the key decision makers and stakeholders for their feedback and impressions.  Much like with business drivers, goals, and objectives, having their input and involving them in this process will only increase their buy-in and sense of ownership over the resulting cybersecurity strategy.

Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Six – Dare to Dream (Envisioning the Future State and Articulating the Vision).

Special thanks to Karel Beukes for their contributions to this post.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: