Embarking on a risk-based approach in cyber security is a significant undertaking. However, at CRMG we believe it is the right approach in order to effectively protect your organisation’s critical assets, and as a result, your brand and reputation. We have a team with many years’ experience in cyber risk, and so we have produced a high-level list of recommendations to any organisation starting on this journey.
Identify your critical assets. A Business Impact Assessment is a useful tool to help establish an objective and business driven approach to classifying your “crown jewel” assets.
Review methodologies and frameworks that will work for your organisation. There are many complex and ‘powerful’ approaches to assessing cyber risk, but not all of them translate easily into your business. Start with a “lite” approach and build up from there.
It won’t be long until you outgrow Excel spreadsheets and need to conduct trend analysis, automate risk assessments and report to a wide variety of key personnel; this is where an industry-strength GRC product becomes key.
You need to present why a cyber risk approach is key in today’s world: greater dependency on technology, greater exposure to attack and irrecoverable impact from a breach.
Plan this as a project. Build in awareness and training. Nominate a cyber risk manager to spend their time conducting a series of pilot assessments before embarking on an enterprise roll-out.
The outputs from the risk assessments MUST be used to support other security-based decisions – what messages are needed for the awareness campaigns? What budget should be set for next year?
Your clients will understand the value of a risk-based approach, so package an executive overview for them. Such an approach will build assurance and confidence when handling their data.
In summary, without knowing what ‘good’ looks like or where to start, organisations cannot reap the benefits of a risk-based approach – becoming more proactive rather than reactive; having a comprehensive view of risk to better direct budget; being able to fill gaps in cyber security programmes to become more robust – and generally saving time, money and the headache of a data breach.
In our Cyber Risk Assessment masterclass, we share a phased approach that can be applied to your business and what ‘good’ looks like. Watch the masterclass on-demand here.
Co-Founder & Director