Getting buy-in to combat risk

When I start at a new company, I make a point of meeting with key personnel from the departments that have the greatest potential for security risk, including operations, engineering, customer service, IT, finance, facilities and human resources. It’s a good way to unearth risks that might not be obvious to me and to get all of those people thinking in terms of security.

Trouble Ticket

At issue: It isn’t always easy for a security manager to recognize all the risks a company faces.

Action plan: Start a risk council to bring in more information, and hope that its members will partner with you in obtaining the resources you need to respond to the biggest risks.

Unfortunately, the impetus for these discussions dissipates after a time as the participants get caught up in their own day-to-day priorities, and eventually the meetings cease entirely. Yet such meetings remain valuable even now, two and a half years into my tenure at this company. That's why I have decided to implement a formal risk management program.

The idea is to get those department folks into a room on a regular basis so that we can identify and prioritize the company’s most serious risks, and then agree on plans for mitigating them. I am calling this my risk council. We will meet on a monthly basis until we are grounded in our mission and direction, and then we’ll meet quarterly.

Several risk management frameworks are available to assist us in identifying risks and priorities. Two that are highly regarded by security and compliance professionals are the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), which organizes an organization's security activities into a set of core functions (Identify, Protect, Detect, Respond and Recover) with associated guidance on how to carry them out, and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), which was developed by the CERT Division of Carnegie Mellon's Software Engineering Institute to help organizations identify and assess their security needs.

It's wise to use such widely recognized frameworks. For example, when large customers or prospects send you security questionnaires, they are reassured when you can state that you use either the NIST CSF or OCTAVE as your guidance for risk management.

I have focused mostly on the NIST CSF but am also referencing OCTAVE and have taken what I consider the best features from each. For example, the NIST CSF contains a very comprehensive spreadsheet (there’s also an application containing the same information) that I have found useful in identifying less obvious security risks and controls. OCTAVE provides guidance on risk measurement criteria, asset profiling and analyzing the risks associated with various assets.