From a Compliance-based to a Risk-based Approach to Cybersecurity
Compliance-based approaches to cybersecurity have helped implement a minimum level of security but have failed to protect organizations. In a dynamic threat environment, forward-thinking organizations have concluded that the goal of total protection is elusive and that a risk-based approach to the governance and management of cybersecurity is necessary. That is easier said than done, as the way most information security professionals measure risk today fails to quantify cyber risk in terms the business can understand and use.
Neither legacy approach provides the business-aligned, risk- and metrics-based approach to cybersecurity required by risk officers of the digital age.
GRC Tools
Of the Three Promises of GRC, Most Organizations May Be Realizing Only One: Compliance
Governance, Risk, Compliance (GRC) solutions promised to help organizations more cost-effectively govern their risk landscape, make better informed risk decisions and maintain compliance with standards and regulations.
However, many organizations are, at best, realizing only the compliance objective for the following reasons:
- No standard cyber risk model and taxonomy
  - In the absence of a reference risk model, most GRC risk registers are being populated with "risks" that aren't risks, such as control deficiencies that do not represent possible loss events
    - Leads to inaccurate and misleading information
    - Prevents well-informed and cost-effective risk mitigation decisions (the "R" in GRC)
    - Prevents effective governance of the organization's risk landscape (the "G")
- Lack of timeframe estimates
  - Many of the likelihood scales in GRC implementations do not include a timeframe reference
    - Invalidates any quantitative analysis
    - Creates ambiguity and inconsistency in likelihood values for risk entries
    - Severely affects the ability to effectively prioritize and report on risk
- Misaligned likelihood and impact estimates
  - GRC products mostly provide ordinal rating scales (such as 1-5) for likelihood and impact, which lead to poor risk estimates
    - Users are forced to choose a single value along the continuum instead of applying probability distributions
    - Users struggle to keep the most-likely, worst-case, etc. scenarios for likelihood aligned with the high, medium, low scenarios for impact
    - Leads to information of poor quality
- Qualitative rating scale definitions
  - Most qualitative rating scale definitions (high, medium, low, 1, 2, 3, 4, 5) are described in other qualitative terms, so that "high" could mean "significant impact on operations"
    - Descriptions are very open to interpretation
    - Results in inconsistent ratings
    - Inability to reliably prioritize risk
- Multiplying reds, yellows and greens
  - Many risk rating systems rely on matrices where users have to correlate or multiply red, yellow or green, or 3 times 2, where the numbers are based on an ordinal scale
    - Gross approximations
    - Very subjective and error-prone
    - Leads to inaccurate assessments and poorly informed decisions
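To make the timeframe and ordinal-scale problems concrete, here is an added example (not RiskLens code, and not from the page) that scores two hypothetical scenarios both ways: once as a 1-5 likelihood times 1-5 impact heat-map product with no timeframe, and once as an annualized loss built from an explicit events-per-year frequency and a min / most-likely / max loss-per-event range. All names, frequencies and dollar figures are constructed for illustration; the `annualize` helper shows why a likelihood value without a stated period cannot be compared across entries.

```python
"""Ordinal heat-map scoring versus a timeframe-aware quantitative estimate.

All scenarios and figures below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class OrdinalRisk:
    """GRC-style register entry: 1-5 likelihood x 1-5 impact, no timeframe stated."""
    name: str
    likelihood: int
    impact: int

    def score(self) -> int:
        # The "3 times 2" heat-map product: two ordinal ranks multiplied together.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class QuantRisk:
    """Same scenario with an explicit one-year timeframe and a loss range per event."""
    name: str
    events_per_year: float   # loss event frequency over a stated one-year window
    loss_min: float          # minimum loss per event (dollars, hypothetical)
    loss_mode: float         # most likely loss per event
    loss_max: float          # maximum loss per event

    def mean_loss_per_event(self) -> float:
        # Mean of a triangular(min, mode, max) distribution over the estimate range.
        return (self.loss_min + self.loss_mode + self.loss_max) / 3.0

    def annualized_loss(self) -> float:
        # Expected loss per year = frequency per year x expected magnitude per event.
        return self.events_per_year * self.mean_loss_per_event()


def annualize(events: float, period_days: float) -> float:
    """Convert an event count observed over `period_days` into events per year.

    Without a stated period, "1 event" could mean 1/year or ~4/year (per quarter):
    the same register value describes a 4x different exposure.
    """
    return events * 365.0 / period_days


def rank_ordinal(risks: List[OrdinalRisk]) -> List[Tuple[str, int]]:
    """Highest heat-map product first; ties are indistinguishable."""
    return sorted(((r.name, r.score()) for r in risks), key=lambda t: -t[1])


def rank_quant(risks: List[QuantRisk]) -> List[Tuple[str, float]]:
    """Highest annualized loss first, in units the business can compare."""
    return sorted(((r.name, r.annualized_loss()) for r in risks), key=lambda t: -t[1])


# Constructed register: two scenarios that land on the same heat-map product (10).
ORDINAL_REGISTER = [
    OrdinalRisk("credential phishing", likelihood=5, impact=2),
    OrdinalRisk("file-server ransomware", likelihood=2, impact=5),
]
QUANT_REGISTER = [
    QuantRisk("credential phishing", 12.0, 2_000, 8_000, 30_000),
    QuantRisk("file-server ransomware", 0.1, 500_000, 2_000_000, 6_000_000),
]

if __name__ == "__main__":
    print("ordinal:", rank_ordinal(ORDINAL_REGISTER))
    print("quantitative:", [(n, round(v)) for n, v in rank_quant(QUANT_REGISTER)])
    print("1 event/quarter annualized:", round(annualize(1, 90), 2))
```

On these constructed inputs the ordinal method scores both entries 10 and cannot prioritize between them, while the annualized estimate separates them by roughly a factor of two; the difference comes entirely from stating a timeframe and a magnitude range instead of picking one rank from each scale.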
If the "R" in an organization's GRC implementation is bad enough, the organization may be checking compliance boxes, but it may not be addressing the most important gaps first, or optimizing its gap mitigation choices. If this is the case, then the organization may not be fully realizing even the "C" in GRC.
RiskLens can help you get the 'R' back into GRC.