
How Can Your CISO Benefit from Quantitative Risk Scoring?


Research has found that Chief Information Security Officers (CISOs) spend over 75% of their time simply trying to protect their assets rather than acting strategically to manage risk in the environment. So, what can be done to flip the script and help security organizations focus less on the tactics of security and more on strategy?

The average CISO draws on countless data points to drive the risk management process. But how many can filter out the noise and see their risk landscape holistically enough to make risk-based, strategic decisions?

One way to change the focus and reduce the noise is to use a quantitative risk scoring methodology to quickly and consistently analyze risks and determine the most vulnerable parts of the organization. Quantitative risk scoring provides a model by which organizations assign baselined risk scores to issues and then compare them using a standardized methodology. From there, the risk scores can be built into the organization's overall risk and compliance program to drive decision making. When building out a risk scoring model there are four primary factors to consider:

Data Sources and Layering

Integrating various sources of risk information, technical and non-technical, provides a level of analysis that isn't possible with any single risk source. For example, under earlier risk management models, patch deployment status alone was reviewed to decide where the IT team should focus its effort in deploying this month's patches. That approach gives the IT team no way to perform patch management on a risk basis: every missing patch looks the same. With quantitative risk analysis, the team can overlay the organization's high-value assets, its external-facing systems and its patch status to determine which systems present the greatest risk to the organization if left unpatched and vulnerable.

Business and Technical Factors

Quantitative risk scoring is not a one-size-fits-all solution. A risk scoring program should be flexible enough to take into account the distinct attributes of the organization. The risk scoring model should consider:

Business Factors

  • Regulatory and compliance requirements
  • Previous findings or issues
  • Third party vendors
  • Organizational strategy

Technical Factors

  • Common control providers (i.e., SunGard, AWS, ADP)
  • User population
  • Operating systems
  • Cloud presence


Strategic Priorities

Key to any quantitative risk scoring methodology is the flexibility to afford leadership some level of customization based on the priorities of the organization. For example, healthcare organizations may want to place a priority on any asset or risk that relates directly to patient data. An organization under heavy scrutiny from its auditors may want to focus on audit findings before internally identified issues. An intellectual property law practice, which deals heavily in highly sensitive or classified information, may want to prioritize risks related to external threats or data exfiltration. Allowing leadership to select high-priority risk factors, even independently of what the data alone would suggest, increases the value and effectiveness of the methodology and gives executive-level leaders the visibility they need as they make enterprise-wide risk decisions.

Risk Appetite

There is an increasing desire to automate everything possible, but the human element remains extremely important to risk management. While a strictly quantitative model provides validated data on which decisions can be made with a known level of assurance, leadership should retain the leeway to accept risk where there is strategic or tactical justification. Such acceptances should be recorded with an owner and an expiry date so that they are revisited rather than silently becoming permanent exceptions.
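The three ideas above (layering data sources over a base severity, letting leadership weight strategic priorities, and recording risk acceptances that expire) can be shown in one small scoring model. The following is an added illustration written for this page, not a tool or formula from the original article or its authors; the assets, findings, multipliers and the `Priorities` weights are all constructed for the example, and the specific uplift values are arbitrary choices rather than any standard.

```python
"""Illustrative quantitative risk scoring model (added example, not the article's own).
All assets, findings, weights and multipliers below are constructed for the demo."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int            # 1 (low) .. 5 (critical), from the asset inventory
    external_facing: bool          # from DNS / firewall data
    handles_regulated_data: bool   # e.g. patient or cardholder data
    os_end_of_life: bool = False   # operating-system attribute


@dataclass(frozen=True)
class Finding:
    asset: str
    source: str                    # "scanner", "pentest" or "audit"
    severity: float                # 0..10 base severity, e.g. a CVSS base score
    days_unpatched: int            # from patch deployment status
    exploited_in_wild: bool = False


@dataclass(frozen=True)
class Priorities:
    """Leadership-selected weights; 1.0 is neutral, higher raises that factor."""
    regulated_data: float = 1.0
    external_exposure: float = 1.0
    audit_findings: float = 1.0
    active_exploitation: float = 1.0


@dataclass(frozen=True)
class ScoredFinding:
    asset: str
    source: str
    score: float
    reasons: tuple


def score_finding(f: Finding, a: Asset, p: Priorities) -> ScoredFinding:
    """Layer the technical severity with asset context and strategic weights.
    Each layer is a multiplicative uplift; the values are illustrative only."""
    score = f.severity * a.business_value
    reasons = [f"severity {f.severity} x business value {a.business_value}"]
    layers = [
        (a.external_facing, 0.5 * p.external_exposure, "external facing"),
        (a.handles_regulated_data, 0.5 * p.regulated_data, "regulated data"),
        (f.source == "audit", 0.5 * p.audit_findings, "audit finding"),
        (f.exploited_in_wild, 1.0 * p.active_exploitation, "exploited in the wild"),
        (f.days_unpatched > 30, 0.25, "unpatched > 30 days"),
        (a.os_end_of_life, 0.25, "end-of-life OS"),
    ]
    for applies, uplift, label in layers:
        if applies:
            score *= 1.0 + uplift
            reasons.append(f"{label} (x{1.0 + uplift:.2f})")
    return ScoredFinding(f.asset, f.source, score, tuple(reasons))


def rank_findings(findings, assets, priorities, accepted, today):
    """Score every finding, set aside those under a still-valid risk acceptance,
    and return (ranked_open_findings, held_acceptances). An acceptance whose
    expiry has passed no longer hides the finding, so it comes back into the list."""
    by_name = {a.name: a for a in assets}
    open_findings, held = [], []
    for f in findings:
        expiry = accepted.get((f.asset, f.source))
        if expiry is not None and today <= expiry:
            held.append((f.asset, f.source, expiry))
            continue
        open_findings.append(score_finding(f, by_name[f.asset], priorities))
    open_findings.sort(key=lambda s: s.score, reverse=True)
    return open_findings, held


# Constructed sample inventory and findings (not real systems).
ASSETS = [
    Asset("ehr-db", 5, False, True),
    Asset("www-portal", 3, True, False),
    Asset("hr-jumpbox", 2, False, False, os_end_of_life=True),
    Asset("dev-wiki", 1, True, False),
]
FINDINGS = [
    Finding("ehr-db", "scanner", 7.5, 45),
    Finding("www-portal", "pentest", 9.8, 10, exploited_in_wild=True),
    Finding("hr-jumpbox", "audit", 5.0, 90),
    Finding("dev-wiki", "scanner", 9.8, 5),
    Finding("ehr-db", "audit", 4.0, 200),
]
TODAY = date(2025, 6, 1)
# Risk acceptance register: (asset, source) -> expiry date of the acceptance.
ACCEPTED = {("ehr-db", "audit"): date(2026, 12, 31)}

if __name__ == "__main__":
    for label, prio in [("neutral", Priorities()),
                        ("healthcare", Priorities(regulated_data=3.0))]:
        ranked, held = rank_findings(FINDINGS, ASSETS, prio, ACCEPTED, TODAY)
        print(f"--- priorities: {label}")
        for s in ranked:
            print(f"{s.score:8.2f}  {s.asset:<12} {s.source:<8} {'; '.join(s.reasons)}")
        for asset, source, expiry in held:
            print(f"accepted  {asset:<12} {source:<8} until {expiry}")
```

With neutral weights the externally facing, actively exploited portal finding ranks first; switching to the healthcare priority set (a heavier weight on regulated data) moves the patient-record database to the top without touching the underlying data. The accepted audit finding stays out of the ranking only while its acceptance is in date, which is the point of giving acceptances an owner and an expiry.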

Having the tools in place simply to identify risks is not enough in today's ever-changing security landscape. CISOs and security teams need to be able to quickly analyze, rank and act on vulnerabilities in real time so they can spend less effort "fighting fires" and more on building a security organization ready to tackle the enterprise's top priorities. Implementing a methodology that quantifies risk in a digestible format reduces the noise in a risk management system and focuses effort on the issues that matter most to the organization.
