Assessing Substantial Change

Last time, I introduced the 4th COSO guiding principle of Review and Revision. This week, we’ll move on to the first point under Review and Revision, which is Assesses Substantial Change

Review and Revision has 3 points:

1. Assesses Substantial Change

2. Reviews Risk and Performance

3. Pursues Improvement in Enterprise Risk Management

The cybersecurity threat landscape is constantly changing; therefore, cybersecurity risks need to be continuously monitored to ensure they remain within the organization's risk acceptance and tolerance.

By establishing a methodology to continuously monitor risk, a new risk assessment, or at a minimum, the review of an individual risk, can be triggered to determine if risk priorities have changed. Keep in mind that it is also important to monitor risks that were previously accepted. Continuous risk measurement also helps drive a strong security culture throughout the organization.

Why would you continuously monitor risk if there were no assigned accountabilities for risk throughout the organization? Of course, you wouldn't. It would be foolish to waste time and resources if there were no accountability for actually doing anything about the newly identified or reprioritized risks.

Doing a one-time risk assessment or an annual risk assessment provides a snapshot of your organization's cyber risk profile. It is easy to get buy-in once a year to "get things fixed." It is much harder to get buy-in to respond to risk continuously throughout the year. This buy-in is another reason why the cybersecurity steering committee is so essential to establish. The roles and responsibilities for managing and responding to risk can be assigned and communicated at that level with buy-in across all key business units.

Here are 4 things you can start doing right now:

1. Stay aware of the changing cybersecurity risk landscape through sources such as subscriptions to free community alerts. Some examples include:

   • CISA Automated Indicator Sharing (https://www.cisa.gov/automated-indicator-sharing-ais)

   • InfraGard (https://www.infragard.org/)

   • SANS Internet Storm Center (https://isc.sans.edu/)

   • National Council of ISACS: Member ISACS (https://www.nationalisacs.org/member-isacs)

2. Develop KPIs and KRIs that allow you to monitor risks

3. Work with organizational leadership to get ownership buy-in and accountability for continuous risk management and mitigation

4. Communicate KPIs and KRIs and work with risk owners to ensure risks remain within the organization's risk acceptance and tolerance.

 Next time I’ll talk about reviewing risk and performance.

 As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.

 Have a great week!