IT risk management is an essential element of the work of CIOs/CISOs. As the SANS Institute describes it, risk is the potential harm that may arise from some current process or from some future event.
“From the IT security perspective,” it goes on, “risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.”
But a recent column by Adam Meyer, chief security strategist at SurfWatch Labs, argues that IT risk management should also be part of a threat intelligence program rather than a task kept separate from other security work. He suggests calling it Digital Risk Monitoring and laying it out as a flow chart so that the relationships between risks are easier to reason about.
What questions need answering? Here are a few: What is the impact of a cyber threat on your brand and reputation? What openings into your organization do the third parties you do business with give adversaries? What risks does employee use of IoT devices create for your organization?
Having thought through these and other risks, put them in a chart so they can be visualized together. For example, unauthorized access can lead to 1) data leakage and 2) data theft. Employee digital risk vectors include 1) social engineering, 2) identity and access management and 3) insider risk. A more detailed chart appears in his full column.
“By including digital risk monitoring as part of your threat intelligence capability,” he writes, “you can better understand your most critical areas of risk and the possible avenues of approach for adversaries, how actor capabilities align with the opportunities you’re giving them and how to stay ahead of them.”
Meyer emphasizes that this process identifies IT as well as business risk.
“Understanding your digital risk is a key ingredient to the mix when crafting or adding to a threat intelligence program,” he argues. However, many organizations separate the evaluation of risk from threat intelligence.
Collecting data on risks is no different from collecting data on threats, Meyer believes. As threats grow more sophisticated, it is time for CIOs and CISOs at least to consider this approach.