Receiving your CyFun assessment results can feel overwhelming, but it’s important to start simple and build a structured approach. Here's a roadmap to help you navigate the next steps:
1. Identify and Define Risks
Begin by identifying five key risks that are most relevant to your organization. But what exactly is a risk?
- A risk is an event that could negatively impact your organization.
- It is characterized by two factors: likelihood (frequency of occurrence) and impact (the severity of its effects).
To evaluate risks, define a scale for both likelihood and impact:
- Impact Scale: Very Low, Low, Medium, High, Very High
- Likelihood Scale: Once every day, week, month, or year
You can customize these scales to suit your organization's context. For example, consider industry-specific factors, operational nuances, or unique business challenges. Documenting these scales and evaluation criteria lays the foundation for a formal risk management process.
2. Conduct Risk Analysis
Once your scales are defined:
- Assess the likelihood and impact of each identified risk.
- Prioritize risks based on their combined scores.
This analysis doesn’t need to be perfect initially; refining the process over time is a natural part of building a robust risk management system.
3. Develop a Risk Treatment Plan
After analyzing the risks, decide how to address them. You have several options:
- Reduce the Likelihood: Implement measures to lower how often the risk occurs.
- Example: If a risk currently occurs daily, implementing a control could reduce its likelihood to once a month.
- A specific action, like enforcing multi-factor authentication (MFA), can reduce the likelihood of an account compromise.
- Reduce the Impact: Focus on limiting the consequences if the risk materializes.
- Example: Instead of affecting the entire organization, a risk could be mitigated to only impact a specific team
- Accept the Risk: In some cases, it may be more cost-effective to accept the risk if its impact is less significant than the resources needed to mitigate it.
- Avoid the Risk: Eliminate activities or processes that introduce the risk altogether.
Documenting the rationale for your decisions not only ensures clarity but also helps align stakeholders with your approach.
4. Align Risks to Controls
For each risk, identify specific controls from relevant frameworks (e.g., ISO 27001, NIST, or CyFun). This mapping:
- Creates a business case for implementing the controls.
- Helps justify investments by demonstrating how they mitigate real-world risks.
For example:
- Risk: Compromise of sensitive user accounts
- Control: Multi-factor authentication (MFA)
- Result: Reduction in the likelihood of compromise
5. Iterate and Improve
Risk management is an ongoing process. Regularly revisit and refine:
- Your risk definitions and scales
- Treatment strategies
- Control effectiveness
By starting simple and documenting every step, you’ll steadily build a comprehensive, tailored risk management program that aligns with your organization’s goals.
Author: Robert Dirks