Information Risk Management Still Needs Improvement

Cybersecurity threats and attacks across business sectors are on the rise, pressuring organizations to continuously assess the risks to their information. While the General Data Protection Regulation (GDPR) garnered a lot of buzz in 2018, many standards and regulations in the United States also impose cybersecurity requirements.


But what are the technical details and operational steps needed to meet the high-level guidance on cybersecurity risk? A recent Advisen survey revealed some interesting statistics:


  • 35% of respondents rated data integrity risks as “high risk,” versus only 22% who rated business continuity risk (cyber-related business interruption) that high.
  • Only 60% of the risk professionals surveyed said their executive management team viewed cyber risk as a significant threat to the organization, down 23% from the previous year.
  • Only 53% knew of any updates or changes to their program, even after the high-profile 2017 attack.


In short, these statistics paint a grim picture of the state of cybersecurity in the United States. Organizations are aware of the high risk of cyber attacks, yet management involvement appears to be decreasing, and organizations may not be evolving their cybersecurity programs quickly enough to keep pace.


Creating a Security First Risk Mitigation Posture
Many organizations have moved to a security-first compliance posture built on risk analysis, which enables stronger risk mitigation strategies and brings in senior management oversight. However, identifying the potential risks in your own environment is only the first step toward understanding your overall risk. To identify all potential risks and perform a full risk analysis that accurately reflects the threats to your data, you also need to incorporate vendor risk into your risk management process, since third parties that store, process, or connect to your data extend your attack surface.


That’s a lot of risk discussion, but you also have a lot of places in your broader ecosystem that create vulnerabilities. A risk management process that takes a security-first approach to your organization’s data environment and ecosystem means you lock down potential weaknesses first and then work backward to confirm that your controls map to the relevant standards and regulations. Although this seems backward from a traditional compliance point of view, it makes for a stronger risk mitigation program because you continuously monitor your data protection rather than waiting for the next audit cycle. Standards and regulations mean well, but as attacks grow more sophisticated, the best practices in those documents can become outdated almost overnight; compliance with a control baseline is evidence of a minimum, not proof that you are secure.


What is an Information Risk Management (IRM) Program?
An information risk management (IRM) program consists of aligning your information assets to a risk analysis, creating IRM policies that formalize the resulting reasoning and decisions, and communicating those decisions to senior management and the Board of Directors. Both the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) provide guidance for establishing an IRM program (for example, NIST SP 800-30 and SP 800-39 on risk assessment and risk management, and ISO/IEC 27005 on information security risk management).