How to Measure Risk to Develop Your Security Roadmap

June 29, 2022 | Cybersecurity Consulting

According to a study by Gartner, 64% of board directors say their organization is significantly altering its economic architecture to put more emphasis on the digital, while 88% say they recognize cybersecurity is a risk to the business. 

Developing a cybersecurity program that addresses the ever-changing threat landscape may seem daunting, but by breaking the process down into smaller steps, organizations can leverage their security program to achieve business objectives. One critical component of a solid cybersecurity program is measuring risk.

We sat down with senior consultant for BARR’s CISO Advisory practice, Jeff Hoskins, to talk about measuring risk for developing a sound security roadmap. Let’s take a look at his advice. 

Risk, Threat, or Vulnerability: What’s the Difference? 

While the terms risk, threat, and vulnerability are often used interchangeably, their distinctions and interdependencies have a significant impact on an organization’s security roadmap. 

“The terms risk, threat, and vulnerability can be easily confused,” said Hoskins. “Vulnerability is considered a weakness or gap in the system, while risk is the potential for loss. Risks happen as a result of a threat exploiting a vulnerability.” 

  • Risk is the potential for loss, damage, or destruction of data caused by a cyber threat.
  • Threat is anything that could exploit a vulnerability, increasing the likelihood of loss. 
  • Vulnerability is a weakness in your infrastructure that could potentially expose you to threats. 

Measuring Organizational Risk

The first step to measuring risk is identifying threats. Start by making a list of threats to your organization’s digital assets. From there, give each threat a score based on two key factors: likelihood and impact. Likelihood is the probability that a threat exploits a vulnerability, while impact is the potential loss associated with an identified risk.

“Every organization needs to develop a framework for scoring,” said Hoskins. “However, ultimately, the level of risk is measured by likelihood and impact.” 

Risk = Likelihood x Impact

While having quantitative data to apply to your risk is helpful, risks must also be analyzed in relation to each other. That’s why developing a scoring system that works for your organization’s risk, threat, and vulnerability inventory is important to building a tailored cybersecurity roadmap.  

“At BARR, we use high, medium, and low to compare and prioritize risks. This helps us use resources as efficiently as possible during remediation.”

  • High: Remediation should be developed as soon as possible
  • Medium: Remediation can be developed within a reasonable timeframe
  • Low: Prioritize and decide whether to accept or mitigate this risk 

Prioritizing Risk for Successful Remediation 

After risks are identified and scored, they must be prioritized according to their score and the level of difficulty of remediation.

“Creating a roadmap requires prioritization,” said Hoskins. “You’ll want to take a look at how difficult or easy remediating each risk will be and clarify timelines for these remediations. Some changes require simply having a technician change a configuration, while others may require years of sequential strategic efforts.”

Here are the options for treating risks:

  • Mitigate: Identify and apply fixes to counter the risk (e.g., setting up a firewall, establishing local and backup locations, purchasing water leak detection systems for a data center, etc.). Reduce the impact and/or the likelihood to bring the risk to an acceptable level.
  • Transfer: Purchase insurance for assets or bring on a third party to take on that risk. 
  • Accept: If the cost to apply a countermeasure outweighs the value of the loss, you can choose to do nothing to mitigate that risk.
  • Avoid: Stop conducting the activities that create the risk. This option is usually detrimental to the operation of the business.

“The organization should maintain a Risk Register to show each risk, the scoring, and the treatments selected. The company should also tie an owner to each risk for continued management,” said Hoskins.

Once treatment decisions are documented, the Risk Register must be reviewed by the security leadership. Typically, this will be part of regular security committee meetings in which justifications are reevaluated and risks are continually analyzed and prioritized.  
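As an added illustration (not BARR’s tooling or the post’s own code), the following Python risk register applies the Risk = Likelihood x Impact score, bands it high/medium/low, ties an owner and a treatment to each entry, and orders remediation by score and then by effort. The five-point scales, the band cut-offs, and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed five-point scales and band cut-offs; the post gives only Risk = L x I and the three bands.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}

@dataclass
class Risk:
    threat: str              # what could exploit the weakness
    vulnerability: str       # the weakness (gap) that would be exploited
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT
    owner: str               # every risk is tied to an owner
    remediation_effort: int  # 1 = single config change ... 5 = multi-year effort
    treatment: str = "accept"
    justification: str = ""

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]  # Risk = Likelihood x Impact

    def band(self) -> str:
        s = self.score()
        return "high" if s >= 15 else ("medium" if s >= 8 else "low")

def validate(risk: Risk) -> None:
    """Register hygiene: known treatment, named owner, accepted risks justified."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if not risk.owner:
        raise ValueError(f"no owner assigned for {risk.threat!r}")
    if risk.treatment == "accept" and not risk.justification:
        raise ValueError(f"accepted risk {risk.threat!r} needs a justification")

def prioritize(register: list) -> list:
    """Highest score first; among equal scores, the cheaper fix comes first."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (-r.score(), r.remediation_effort))

def sample_register() -> list:
    # Constructed entries for illustration, not a real client's register.
    return [
        Risk("phishing", "no MFA on email", "likely", "major", "IT lead", 2, "mitigate"),
        Risk("ransomware", "unpatched file server", "likely", "major", "IT lead", 1, "mitigate"),
        Risk("water leak", "no leak sensors in data center", "unlikely", "major", "Facilities", 2, "transfer"),
        Risk("laptop theft", "encrypted disks, low value", "rare", "minor", "IT lead", 1, "accept", "countermeasure costs more than the loss"),
    ]
```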

Working with a vCISO

Organizations that have not yet appointed an internal Chief Information Security Officer (CISO) benefit from working with a virtual CISO (vCISO) to assist with measuring and prioritizing risks while maintaining a successful and efficient information security program.

At BARR, our CISO Advisory team works with clients in a three-phase process:

  1. Gap Assessment: First, we work with you to identify the gaps that must be closed to achieve your security objectives. 
  2. Remediation: Next, we provide a roadmap for successful remediation, turning gaps into competitive advantages. 
  3. Continuous Management: Finally, with the continuous support of a vCISO, we help weave security and compliance into the DNA of your organization.  

“Overall, we want to develop a strong relationship with our clients,” said Hoskins. “We work with you as long as you need us, however, some organizations may outgrow a vCISO and look to hiring a full-time CISO within their organization. At that point, we can stay with the organization to assist their CISO as needed.” 

Once your organization reaches the point of needing a full-time, in-house CISO, BARR helps conduct that search. Using our knowledge of your organization’s unique needs, extensive industry network, and expertise in people and culture operations, we pair you with the best-fit candidate.

“While there are lots of tools out there to conduct risk assessments, at BARR, we really talk to people. We want leaders at the table to help prioritize risks and equip you with the right remediation plan. Ultimately, we are here to help businesses operate but also pay attention to risks and make a plan for a more secure future.” 

Are you interested in working with one of our CISO Advisors on developing your security roadmap? Contact us today.
