Risk management in security: protecting critical assets and resources
Posted on: November 3, 2023
by Ruth Brooks
Failing to implement appropriate security measures can increase the organisational risk of cyberattacks and system vulnerabilities. Critical assets, systems and sensitive data – from personally identifiable information (PII) to credit card details to business files – are at risk of becoming public, compromising not only businesses but their employees, partners, suppliers, customers and other stakeholders.
With so much at stake, business leaders must take proactive steps to protect their systems and IT infrastructure from threat actors. According to the UK government’s most recent Cyber Security Breaches Survey, a larger proportion of businesses are readily prioritising cybersecurity risk management and risk assessment:
- 51% of medium businesses and 63% of large businesses have undertaken cybersecurity risk assessments in the last year
- 53% of medium businesses and 72% of large businesses have deployed security monitoring tools
- 63% of medium businesses and 55% of large businesses are insured against cybersecurity risks
- 27% of medium businesses and 55% of large businesses review the risks posed by their immediate supply chain.
Threats range from the commonplace to the highly sophisticated – and, regardless of their specific aim or target, they’re constantly evolving. As such, cybersecurity specialists with the skills to increase organisational cyber resilience are in great demand – and it’s the ideal time to get involved.
What is risk management in security?
Security risk management (SRM) is the continuous process and practice undertaken by businesses to identify, measure and mitigate cybersecurity risks that can result in loss of information security. Potential risks – their severity, probability and cost – must all be taken into account for a business to formulate an informed risk management strategy.
SRM is essential if businesses are to remain competitive and safeguard against:
- loss of sensitive information
- financial damage
- reputational damage
- loss of productivity and business continuity
- breaches of compliance.
What are the main components of risk management?
Understanding a business’ risk management security needs will enable leaders, in partnership with cyber experts, to engage in informed decision-making regarding security requirements.
A holistic risk management process and framework should include several key components:
- Risk identification. As a highly critical first step, cyber professionals must develop a comprehensive list of any potential threats and security risks to the business and its projects and activities. Threats can be broad in scope, for example a hacker disrupting business operations, natural disasters, or internal cyber threats. Only by identifying, documenting and understanding the nature of potential risks can cyber professionals begin to plan for them.
- Risk measurement and assessment. All risks must be thoroughly evaluated and quantified so that cyber teams can better understand their nature, scale and severity. The risk analysis measurement process involves assigning numerical scores to risks – using metrics such as likelihood and potential impact, collecting data on previous security incidents and threat intelligence, assessing risk exposure and risk appetite, and using relevant risk models/algorithms to accurately define risk scores. As part of the risk assessment process, it’s important to establish which critical assets and resources need protection – for example, intellectual property (IP), employees and sensitive data – alongside conducting threat analysis and identifying potential weaknesses and vulnerabilities. A variety of tools are available to support and structure this work, such as the HIPAA risk assessment template.
- Risk mitigation. While business activities will always carry an element of risk, leaders can prepare for them. A solid risk mitigation strategy details the security measures and actions that aim to eradicate or minimise the impact of any potential threats, reinforcing organisational cyber resilience. Mitigation work includes identifying security controls and measures to address the specific risks, which usually spans security policies and procedures, technologies and training. A variety of safeguards can be implemented – anything from suspicious activity and breach detection and firewalls to robust access control measures and encryption. Cyber teams will also need to plan continuous monitoring and penetration testing, engage in incident response planning, and consider risk acceptance and risk transfer options.
- Risk reporting. Information concerning risks should be communicated to relevant parties in a clear, concise and timely manner. As well as ensuring accountability and transparency, reporting is essential to evidence-based, informed decision-making and to establishing a risk-aware organisational culture. Businesses take different approaches to reporting depending on their needs; for example, aspects such as frequency and format, and the choice of key risk indicators (KRIs) and risk metrics, may vary. All reporting should drive ongoing risk management optimisation and establish actionable insights.
- Risk governance. Risk governance is concerned with the appropriate frameworks, practices and processes that support wider approaches to risk management. It may involve risk management committees, risk procedures and policies, regulation and compliance, and risk ownership.
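The risk measurement and assessment component above describes assigning numerical scores to risks from likelihood and potential impact and comparing them against risk appetite. The following Python risk register is an added example written for this page, not code from the original article or from the University of Sunderland: the 1 to 5 ordinal scales, the score bands, the appetite threshold and the four sample risks are all constructed assumptions chosen to illustrate the method, not values from any standard.

```python
"""Added worked example: a small cyber risk register scored by likelihood x impact.

Scales, bands, appetite and the sample risks are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scales: 1 (rare / negligible) .. 5 (almost certain / severe)
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed score bands: upper bound of the likelihood*impact product per label
BANDS = [
    (5, "low"),        # 1..5
    (12, "medium"),    # 6..12
    (19, "high"),      # 13..19
    (25, "critical"),  # 20..25
]


@dataclass(frozen=True)
class Risk:
    asset: str                       # what needs protecting (PII store, portal, ...)
    threat: str                      # the threat scenario being assessed
    likelihood: int                  # 1..5
    impact: int                      # 1..5
    controls: tuple = ()             # existing safeguards noted during assessment


def validate(value, name):
    """Reject scores outside the ordinal scale so a typo cannot hide a risk."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")
    return value


def score(risk):
    """Risk score as the product of validated likelihood and impact."""
    return validate(risk.likelihood, "likelihood") * validate(risk.impact, "impact")


def band(score_value):
    """Map a numeric score onto its qualitative band for reporting."""
    for upper, label in BANDS:
        if score_value <= upper:
            return label
    raise ValueError(f"score {score_value} exceeds the maximum band")


def prioritise(register, appetite):
    """Rank risks highest first and mark those above appetite for treatment.

    `appetite` is the assumed maximum score the business is willing to accept;
    anything above it must be mitigated, transferred or escalated.
    """
    ranked = sorted(register, key=score, reverse=True)
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": score(r),
            "band": band(score(r)),
            "action": "treat" if score(r) > appetite else "accept",
        }
        for r in ranked
    ]


def summarise(entries):
    """Count entries per band; a simple key risk indicator for a report."""
    counts = {}
    for entry in entries:
        counts[entry["band"]] = counts.get(entry["band"], 0) + 1
    return counts


# Constructed sample register (not real findings)
SAMPLE_REGISTER = [
    Risk("Customer PII database", "ransomware via phishing", 3, 5, ("backups", "AV")),
    Risk("Staff laptops", "device theft", 2, 2, ("full-disk encryption",)),
    Risk("Customer web portal", "credential stuffing", 4, 4, ("rate limiting",)),
    Risk("Head office", "flooding of server room", 1, 4, ("off-site backups",)),
]
ASSUMED_APPETITE = 9  # accept scores up to 9, treat anything above

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER, ASSUMED_APPETITE):
        print(f"{entry['score']:>2} {entry['band']:<8} {entry['action']:<6} {entry['asset']}: {entry['threat']}")
    print(summarise(prioritise(SAMPLE_REGISTER, ASSUMED_APPETITE)))
```

Run as a script, the register prints highest score first, so the two "high" risks (the web portal at 16 and the PII database at 15) are flagged for treatment while the two low risks fall within the assumed appetite and are accepted. Swapping the constructed bands or appetite for the organisation's own values is the only change needed to reuse the structure.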
Enterprise risk management (ERM) should always be viewed as an ongoing, proactive process if businesses are to stay ahead of cyber threats and continue to prevent unauthorised access to systems and data. Various elements of a risk management plan will need to be reassessed and updated in light of changing needs and developments.
What information system security controls should businesses have in place?
Fortunately, there are numerous tactics and technologies that providers can embrace to combat malicious cyber activity and other threats.
Common security controls include:
- cybersecurity training provision
- anti-virus software
- access control
- monitoring network devices
- threat detection automation
- ongoing vulnerability testing
- routine upgrades and patching
- data encryption
- cloud and system configuration
- virtual private networks (VPNs)
- data back-up
- password updates and multi-factor authentication.
Underpinning this is the requirement to have the right people in place to safeguard security systems. IT and cybersecurity professionals play a critical role in the frontline defence of an organisation’s systems and assets, and have the skills and knowledge to ensure risk management is robust, proactive, and tailored to the needs and contexts of the business.
Excel as a capable, creative cybersecurity professional
Gain the skills to uphold the highest standards of information security management with the University of Sunderland’s online MSc Computer Science with Cybersecurity programme.
Designed for individuals without a computer science background, our flexible course equips you with essential skills and knowledge for an exciting career in the computer science and information security sector. As well as information technology fundamentals – including databases, software engineering, networks and usability – you’ll explore the specialist field of cyber and IT security. Learn how to protect businesses of all types from cyberthreats, as you learn how to increase cyber resilience and understand risks, threats, vulnerabilities and attack vectors. Plus, you’ll learn in-demand programming languages such as Python, R, CISCO and Oracle.