Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Risk management as instrument in boosting resilience
Risks require constant attention
Both the interests of organisations and those of attackers are subject to change. This means a clear picture of the shifting threat landscape and constant attention to risks is essential. After all, resilience is the ability to reduce relevant cyber risks to an acceptable level.
A baseline is not enough
Given the increasing complexity and digitisation of processes, the intertwining of organisations and sectors, as well as a growing threat, implementing basic measures is important, but not sufficient. In addition, better tools are needed to anticipate sophisticated attackers and more complex problems. Organisations and sectors that appear to be more resilient than their counterparts not only invest in basic measures, they also take a critical look at the greatest risks. Security specialists, supervisors and legislators therefore emphasise the importance of risk management as the instrument for actually increasing resilience in practice. Unfortunately, many organisations still see risk management as a lengthy and costly process, rather than something to be tackled periodically.
It is more than just risk analysis
In recent years, awareness of risk management standards seems to have increased. The translation of these general frameworks into sector-specific implementations has also been further developed. Some of the key activities for managing risks are: identification of relevant risks, prevention by implementing measures, detection of repulsed and successful attacks, mitigation of the impact of a successful attack, and repair to restore full operation of a process. Communication with stakeholders, including feedback to management, plays an important role in evaluating the effectiveness of the process. In addition to the aforementioned activities, overarching aspects are increasingly evident in a broader view of risk management. Regulation from the market and government - such as insurance, certification and liability - plays an increasingly important role. This also applies to governance, realistic testing, situational awareness and learning from mistakes. These different facets of risk management should reinforce each other: risk management is a continuous process with the aim of ensuring that risks are clearly and unambiguously identified and actually reduced.
‘Prevention and cure’ as an adage
It must be accepted that there is no such thing as airtight security and that there will always be successful attacks. This does not mean that digital dyke reinforcement is of no use. Such activities can indeed help to parry attacks and reduce the impact of successful attacks. Detecting attackers at an early stage and responding quickly can limit the damage. At the other end of the spectrum, the 'security by design' and 'privacy by design' mentality can also be applied. The earlier security issues are included in the development of a process, system or service, the cheaper and/or the more effective the measures taken will normally be. The challenge is to find the right balance in this playing field so that risks can be addressed at an acceptable cost, both in terms of money and in terms of balancing other interests such as freedom, accessibility and progress. The 'usable security' field shows that these interests do not have to be mutually exclusive. If problems are identified in good time in consultation with end users, there is a good chance that an appropriate trade-off can be made.
Basic principles can be applied widely
Although the establishment of a comprehensive risk management system in a large organisation may take several years, the underlying principles are also relevant for smaller organisations. After all, risk management can be implemented in many different ways.
Resilience is a team effort
Risk management can be seen as a team affair from technical experts to the business. Management of cyber risks should be done in consultation with the business, involving parties such as business continuity managers, risk managers, process owners and domain experts. Examples of where this has not happened show that basic problems can otherwise fall between two stools. Furthermore, in addition to the importance of good cooperation between disciplines, cooperation between the different layers of an organisation is essential. The exploration and management of strategic, tactical and operational risks should be well coordinated.
Scenarios provoke thought
Risks often remain abstract, so it may be useful to translate them into scenarios. This scenario-driven way of working makes things tangible, and it makes it easier to build bridges between different disciplines. A workshop to introduce people to scenarios could start with everyday examples, such as ways of breaking into a house. Based on these relatively simple scenarios, more complex examples can be given, such as scenarios involving cybercrime. In a next step, the perspectives of different disciplines could be added. Apart from being used for risk identification, these scenarios can also be used during the other stages of the risk management cycle, for example in process audits, system testing and incident response exercises.
Money and uptime are universal benchmarks
In order to be able to compare different scenarios, it is important to agree on a common interpretation of the concept of risk and to use the same indicators for multiple risk analyses. This allows risks to be compared in an informed way. An example of a set of indicators that is fairly universal is money (or financial impact) and continuity (or availability). By also using these indicators for other types of risks, cyber risks can be put on the same footing as, for example, operational risks. In this way, the crown jewels of an organisation can be identified by looking at what has the most impact on revenue and business continuity. Unfortunately, however, there are also organisations that carry out risk analyses that leave something to be desired: risks are often vaguely and sweepingly described, so that they cannot be adequately explained. Security is then quickly seen as a cost item instead of an integral part of business operations.
Testing exposes problems
A pitfall with regard to risk management and cybersecurity is to have everything perfectly in place on paper but to drop the ball in practice. It is therefore important to actually test processes and systems as they run on the shop floor and in the field. Testing can be done in many different ways; when choosing the scope and the type of test, it is important to also adopt a risk-based approach. In a more general sense, the test plan should be linked to the broader risk management cycle. The effectiveness of measures needs special attention: monitoring whether measures have the intended effect can reveal whether the benefits outweigh the costs. In addition to the experiences of experts, insights from (academic) research can also be taken into account.
Learning from and with each other
A risk will not normally materialise in all cases. This can make it difficult to see relevant risks and the effectiveness of measures. To deal with this, it is wise to talk to other organisations. Knowledge and experience can be exchanged within the framework of ISACs (Information Sharing and Analysis Centres), with the chain partners of a critical process, and in other partnerships. In addition to exchanging knowledge, cooperation can also include joint exercises to test and improve response capacity. This helps organisations to find each other quickly and anticipate each other’s needs when the need is great and there is no time for extensive consultation. The underlying idea in all of this is not to compete in the area of security, but rather to cooperate.
The ball is in the directors’ court
Risk management without buy-in from the directors will most likely fail: CISOs who try to manage security on their own sooner or later discover that the organisation does not feel ownership of the problem. It is essential that directors are closely involved in risk management. They are responsible for identifying the strategic interests within an organisation and for (mandating) the acceptance of residual risks.
Risk visibility and control is necessary
Public administrators and leaders of organisations are ultimately responsible for dealing adequately with cyber risks. Strategic as well as tactical and operational risks can be kept under control by means of targeted steering and progress monitoring. Clear reporting lines should be set up for this purpose: CISOs should report directly to the board, and independent internal and external audits are also important. This requires monitoring bodies to have a keen eye for pertinent interests, threats and measures. Insight into the information that is processed within digital processes is a crucial factor. Organisations themselves do not always have a view of their own resilience, and the absence of an organisational structure that maintains a grip on information also plays a role. Within the tactical layer, information owners can be appointed who bear responsibility, are given the means to fulfil it, and are held accountable by directors for doing so.
Investing in people is the foundation
Risk management is a specialism. This is why public administrators and leaders of organisations - and people who have the day-to-day responsibility for digital processes and the associated risks - cannot be expected to be experts in this field. Instead, they should ensure that they have put the right people in the right place by investing in new recruits and in training current staff. This requires a structured personnel policy, as well as a training programme anchored in the organisation. In addition to the experts in the field of cybersecurity risk management, the rest of the organisation must also have a minimum knowledge base to be able to properly discuss important risks to the organisation and how to deal with them.
The Government also has a role
What is true for the leaders of organisations is also true for the public administrators of countries. To cope with digital risks, it is important to identify and address them in a systematic way. At the national level, these include structural problems such as growing dependence on foreign software and hardware manufacturers and service providers. Problems such as the diminishing diversity of technological solutions and suppliers may also pose a systemic risk. Furthermore, the Government has a role in addressing market failures and other collective action problems, including the issue of risk management in chains of parties that do not share the same interests and where transparency is lacking.