What Is Risk?
Part 1: Risk and Security in Modern Systems
“Risk “is a term gaining real traction in any industry where cybersecurity regulations impact businesses. Many frameworks and regulations are turning to risk management as a proactive and comprehensive approach to security management. This shift can mean big changes for enterprises that aren’t generally considering risk as part of their security profile.
This article is the first in a series of articles related to risk management as a challenge for modern businesses. Throughout this series, we will cover several topics related to risk management in modern business:
- Why is risk management becoming the focus of cybersecurity?
- Is abstract risk management detrimental to companies that would benefit from clearly-defined standards?
- How does risk management apply to both enterprise and small businesses alike?
- Is there a way to implement risk management with a standards-first approach?
- Are their platforms, visualization tools, etc., that can change how we look at risk management?
What Is Cybersecurity Risk?
Risk is the potential of data loss, security breach or systems exposure related to security vulnerabilities and cyber attacks.
Risk isn’t an all-encompassing discipline–in fact, modern cybersecurity wasn’t a real “thing” in the field until the later 1970s and 1980s, when networked computing entered the scene. While early instances of computer worms and viruses were academic in nature, developed by data scientists on the earliest networked computers, the evolution of connected devices in the 1980s led to the emergence of cybersecurity as a real pursuit for researchers and military users.
The explosion of the Internet as a widespread technology led to the simultaneous explosion of security threats and mitigation efforts. Network computers introduced a host of security issues, and the increased use of these networked computers only exacerbated that fact.
Now, in a world of mobile devices, always-on connections and managed services, nearly any combination of vectors can threaten an organization’s security infrastructure.
Some of the most common forms of risk facing digital infrastructure include the following threats:
- Phishing: Attackers utilize communication technology like email, SMS messaging or video chat software to convince individuals to provide access to a digital system. This is perhaps one of the most prevalent and hard-to-address threats today due to its targeting of end-users.
- Malware (AKA Computer Viruses): Malicious software injected into a computer system to destroy or steal information or destabilize a given system. Once a system is infected with malware, the potential for an attacker to accomplish nearly anything they want with that system is nearly limitless.
- Identity and Access Attacks: These attacks seek to bypass otherwise secure identity and access management (IAM) systems to access system resources. Some IAM attacks are connected with other forms of hacking (malware, phishing), while others are unique (brute force or dictionary attacks).
- Distributed Denial of Service (DDoS): A network of computers or programs will send internet requests to a server or resource, likely a website, to flood it with data that will reduce its performance or completely shut down its capacity to operate. These attacks are often used to bring down websites or other network resources so that no one can access them.
- SQL Injection: Hackers can use insider knowledge of database structure or vulnerabilities to inject SQL code into otherwise-unassuming user input fields, like a login name or search field. The code can trigger backend database actions like dumpling all records into a browser window or deleting the database entirely.
Several overlapping threats can leverage multiple attack vectors at the same time. For example, malware is a significant entry point for ransomware or man-in-the-middle attacks. Still, malware is most often introduced into a system due to a successful phishing attack.
The increasingly complex networks of devices and users that fuel business and government work are pushing risk to the forefront of these cybersecurity concerns because, by and large, it’s impossible to eliminate these threats as line items of a checklist.
What Is Risk Management?
Identifying risk as an organizational priority calls for a systematic approach to assessing its presence in a given infrastructure. Risk management is a process that supports identifying and controlling potential risks in a system.
The most critical aspect of risk management is that it isn’t about eliminating risk… because risk is impossible to eliminate completely. Instead, risk management approaches assessing risk as one of understanding the workings of a system top to bottom, making inventories of security risks based on modern threats and current IT implementations and measuring those risks against different organizational priorities.
At this juncture, it’s essential to differentiate between security risk and financial risk. In financial industries like banking and corporate finance, risk is associated with investments. Risk will only refer to security and unauthorized resource access risks in compliance and security. In some areas, like SOX compliance, where risk applies to both finance and the security around finance reporting.
In the broadest sense, risk management in cybersecurity will fall into very broad operational stages:
- Identifying Risk: The first step of risk management is determining risk. This can be a matter of measuring gaps between given security controls and existing vulnerabilities or compliance requirements or quantifying processes around training, upgrading, administration control or other intangibles that still have a huge impact on security.
- Assessing Risk: At this point, security and risk management officers will measure that risk against existing demands to determine whether that risk is acceptable. In many cases, security risk isn’t an all-or-nothing proposal, and organizational leaders will need to determine which risks are acceptable and which are not.
- Controlling Risk: Literally, policies, procedures, and controls are implemented to address risk. This can include installing security measures or deploying encryption modules, executing new data governance policies or creating further training and education processes.
- Reviewing Risk Controls: Risk management is an ongoing process, and a proper risk management program will continuously monitor and review controls to measure them against new requirements and threats.
Why Are Organizations Turning to Risk Management?
Risk management isn’t new, but it is quickly becoming the standard by which major security frameworks are driving to. That’s because risk calls for processes above and beyond checklist security implementation.
This isn’t a criticism of cybersecurity or compliance, but it is a recognition of the industry’s evolving landscape. There are several benefits to having clear, standards-based regulations when it comes to cybersecurity. They are easy to follow, create a floor for acceptable infrastructure, and provide a common language for compliance across multiple enterprises.
What they don’t do, however, is help businesses understand why they implement a control, nor do they help promote a clear articulation of why particular controls are part of a security requirement.
As the thinking goes, risk management helps a business see their entire system from the viewpoint of comprehensive security. While risk management is quickly becoming part of most major compliance frameworks and regulations, there is still a live question on how risk empowers explicitly organizations to take control of their cybersecurity.
Risk Management and Cybersecurity With Lazarus Alliance
We’ve come to a crossroads in terms of risk management… it’s clearly beneficial, but businesses large and small are struggling to understand how to usefully implement risk management as part of their overall IT operations.
In the next post of this series, we will address the elephant in the room: what it means to connect risk management as an abstract pursuit with the realities of regulations that don’t seem abstract.
Is Your Organization Moving to Risk Management?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.