Be SMART and Make Your Cybersecurity Risk Management Program Actionable

Last time, I discussed evaluating alternative strategies for building your information security management system and rationalizing your security controls based on the context of your organization.

As a reminder, COSO has 5 guiding principles and we are at the second guiding principle of Strategy and Objective Setting.  This principle consists of four points:

  1. Analyzes Business Context

  2. Defines Risk Appetite

  3. Evaluates Alternative Strategies

  4. Formulates Business Objectives

This week, we’ll tackle the 4th point -- Formulates Business Objectives.

Just as an organization must develop business objectives that are specific, measurable, attainable, relevant, and timely, so must your cybersecurity risk management program.  

Defining business objectives makes business strategy actionable.  

Determining risk tolerance makes risk appetite actionable.  

You must define metrics against which to measure your cybersecurity program to ensure the organization is working within its specified risk tolerances. Techniques such as The Open Group’s FAIR (Factor Analysis of Information Risk) can help quantify risk and risk tolerance; however, cybersecurity is not an exact science.  

Consider using a combination of quantitative and qualitative metrics. Trust me, there is room for both in your life. Just like the Star Wars vs. Star Trek debate. Stop it… 

My good friend, Caroline Wong, states in her book “Security Metrics, A Beginner’s Guide” that metrics provide three primary benefits (Wong, 2012):

  1. Measurement provides visibility.

  2. Measurement educates and provides a common language for understanding the cybersecurity program.

  3. Measurement allows for improvement by enabling efficient management, investment planning, and decision making, while driving any necessary change throughout the organization. 

Your organization will likely have a different risk appetite for various business units or systems. 

This means that risk tolerances may differ for different systems or assets. 

In other words, metrics may change or have different meanings depending on the context. I will dig into metrics in future posts, but for now, here are three things to consider:

  1. Understand tools and reporting resources that are available to allow you to define and gather metrics.

    o   You can’t measure data that you can’t collect.

  2. Define metrics that integrate your cyber risk appetite and risk tolerance, which, if you recall, are derived from your organization’s risk appetite and risk tolerance. These should come in the form of Key Performance Indicators, which are lagging and measure the past, or Key Risk Indicators, which are leading and give you insight into what may happen in the near future.

  3. Remember your audience. Different metrics are necessary for different levels within the organization.

    o   Operational metrics focus more on data that allows you to manage day-to-day operations and are meant for individual contributors and front-line managers.

    o   Executive and board-level metrics concentrate more on information and provide leadership with insight into how the cybersecurity program is performing, over a period of time, to allow them to make informed business decisions. 

Congrats! You have stuck with me through the 2nd COSO guiding principle of Strategy and Objective Setting! Next time, we’ll start on the 3rd COSO guiding principle of Performance.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Thank you and have a great week.
