Risk Management Program Development 101

Risk identification and remediation is one of those concentrations within cybersecurity that tends to create some anxiety among cybersecurity professionals: it is hard to explain to someone outside the IT security world what they should and should not be concerned about. For many organizations, risk identification (through risk assessments or other avenues), risk scoring, risk tracking and remediation can seem like an insurmountable task. Many organizations don't even know where to begin, much less how to operationalize and communicate cybersecurity risks holistically. A successful risk management program requires a strong foundation built on three pillars: a cohesive strategy; framework mapping and adoption; and ownership and accountability. Once these three pillars are in place, success comes down to execution and project management skills, and you can continue to build more complex structures on top of your robust risk management program. Remember, Rome wasn't built in a day.

Strategy

Strategy is the first step and is often the hardest, especially if your organization is new to the cyber risk management space. It should be short, use plain language and be easily understood by all. Ideally, the strategy should be driven from the board down, but that is not always the case, and it depends on the maturity of your programs. Your security and risk management strategy should be driven by the organization's goals and by the threats that are of greatest concern to your board and leadership. Once that is complete, you can identify which controls and implementations to focus on, given the threats and goals of your organization. From there you need to define the key performance indicators and measures of success: these are not a bunch of project plans, but a 10,000-foot view of how and when you intend to achieve ..