You’ve worked hard to develop, implement, and continually improve your cybersecurity program, recognizing your organization has some level of inherent risk.
You’ve also been successful in obtaining increases in cyber spending that have allowed you to purchase and deploy modern security solutions.
You’re feeling confident and optimistic about the outcome of a recently completed cyber risk assessment, and then you see the report… What are all these risks?
How can there still be risk when you’ve thoughtfully implemented reasonably strong security controls?
In cybersecurity, risk is a constant and is often necessary to allow for innovation, progress, and organizational success. Mature third-party risk management (TPRM) programs identify unacceptable and acceptable risk, rather than focusing only on the elimination of all risks.
One of the primary tasks of risk management professionals is to determine how to respond to risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial. We must also realize that while it may sound like a worthwhile goal, zero risk is neither feasible nor practical.
In this article, I explore inherent risk, residual risk, and common risk misconceptions that can lead to confusion and frustration.
Misconception #1: All Risk Is Bad
Those of us in the Risk Management industry tend to think of risk only in a negative light. In reality, risk is often quite necessary to allow for innovation, progress, and organizational success.
Imagine an educational institution that decides to take every conceivable step to remove all risk from their IT environment. “The internet presents risks – shut down access!” “Data sharing via removable media presents risks – block all storage devices!” “Mobile computing presents risks – take back all laptops!”
You can see how attempting to completely eliminate risk could be quite impractical and detrimental to achieving organizational goals. Mature cyber risk management programs will identify unacceptable and acceptable risk, rather than focusing only on the elimination of all risks.
Misconception #2: Risk Can Be Eliminated
It is tempting to believe that inherent risk can be eliminated through the implementation of strong controls. In reality, there is no way to completely eliminate risk, and as I pointed out above, that’s OK. We couldn’t eradicate risk even if we were willing to suffer the negative consequences. There are several factors that contribute to risk which are important to understand.
A threat is any circumstance or event with the potential to do harm or have an adverse impact.
A vulnerability is a weakness that could be exploited by a threat source.
A risk represents the potential for loss or damage when a threat exploits a vulnerability. Risk is often expressed as a function of the likelihood of a threat event’s occurrence and the potential adverse impact should the event occur. The two main types of risk are:
Inherent risk is calculated without taking into consideration the effectiveness of security controls that may or may not be in place. In TPRM, we think about the criticality and volume of data shared with a third party, or how deeply our business relies on a third party as part of inherent risk analysis.
Inherent risk analysis answers questions like the following:
- What general risk does this third party pose?
- If this third party has a cyber incident, how bad could it be?
- How is inherent risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least inherent risk ranked relative to one another?
Residual risk is the amount of inherent risk that remains after controls are accounted for.
Residual risk analysis answers questions such as:
- What specific risk does this third party pose?
- What types of cyber incidents are likely to affect this third party?
- How effective is a particular control in relation to a particular threat?
Ok, so what do all these definitions really tell us?
Allow me to illustrate with a few examples:
In order to eliminate the risks related to earthquakes you would need the power to control the movement of tectonic plates.
In order to remove all risk related to a state-sponsored hacker you would need to be able to persuade them that hacking is bad, or… eliminate them altogether.
Of course, I’m being a bit facetious, but I hope I’ve illustrated the point. There are risks that cannot be completely removed without the power to eliminate associated threats and threat actors.
Misconception #3: Performance Assessment = Risk Assessment
The objective of many security assessments is to identify the degree to which controls are in place, operating as intended, and producing the desired results. This type of assessment is particularly good at verifying vendor compliance and identifying areas of non-compliance with applicable standards and policies. However, if the assessment stops there, it is missing a very important element – risk. Let’s look at an example.
During the course of a security assessment it is determined that a healthcare organization has implemented robust malware detection technology to identify known and unknown attacks. The anti-malware tools are updated with new signatures in real-time and sensors are placed throughout the organization’s external-facing and internal network. This sounds like a reasonably strong control implementation. The organization might assume that they have a fairly low level of malware-related risk and choose to take no additional actions.
But what happens when we consider other factors?
Consider that the healthcare industry creates, processes, transmits, and stores vast amounts of protected health information (PHI). PHI is one of the most valuable data types on the black market and is therefore the target of intense and frequent hacking attempts by well-funded and highly capable malicious actors. To get a better understanding of risk, we should take into consideration factors such as the capability, determination, and motivation of potential attackers, as well as the frequency and impact of successful attacks. These characteristics lead us to an estimation of inherent risk.
In our example the inherent risk is likely quite high. Considering this high level of inherent risk, we may determine that a medium level of residual risk remains, despite the strength of the anti-malware control implementation.
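To make the inherent/residual definitions above and the healthcare example concrete, here is a small scoring model I added for illustration; it is not code from the article or from any TPRM vendor. It assumes a 1–5 ordinal scale for likelihood and impact (so inherent risk runs 1–25), assumes that independent controls combine multiplicatively, rejects any control that claims 100% effectiveness (which would mean risk eliminated), and uses made-up low/medium/high thresholds and made-up third parties. The hospital entry mirrors the article: high inherent risk, a strong anti-malware control, and a residual risk that still lands at medium; the report also ranks an ecosystem of third parties against one another, which is the kind of question inherent risk analysis is meant to answer.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption: the article gives no numeric scale;
# any consistent scale behaves the same way).
LIKELIHOOD = {"low": 1, "medium": 3, "high": 5}
IMPACT = {"low": 1, "medium": 3, "high": 5}


@dataclass
class ThirdParty:
    name: str
    likelihood: str  # likelihood of a threat event, judged without controls
    impact: str      # adverse impact should the event occur
    # control name -> effectiveness in [0.0, 1.0): fraction of risk it removes
    controls: dict = field(default_factory=dict)


def inherent_risk(tp: ThirdParty) -> int:
    """Likelihood x impact, deliberately ignoring every control (inherent risk)."""
    return LIKELIHOOD[tp.likelihood] * IMPACT[tp.impact]


def combined_effectiveness(controls: dict) -> float:
    """Treat controls as independent: what remains is the product of what each
    control lets through. An effectiveness of 1.0 would claim the control
    eliminates risk outright, so it is rejected as invalid input."""
    remaining = 1.0
    for name, eff in controls.items():
        if not 0.0 <= eff < 1.0:
            raise ValueError(f"control {name!r}: effectiveness must be in [0, 1)")
        remaining *= 1.0 - eff
    return 1.0 - remaining


def residual_risk(tp: ThirdParty) -> float:
    """Inherent risk that remains after the controls are accounted for."""
    return inherent_risk(tp) * (1.0 - combined_effectiveness(tp.controls))


def rate(score: float) -> str:
    """Band a 1..25 score into low / medium / high (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def ecosystem_report(parties) -> list:
    """Rank third parties by residual risk (ties: higher inherent first, then name)."""
    rows = []
    for tp in parties:
        inh, res = inherent_risk(tp), residual_risk(tp)
        rows.append({
            "name": tp.name,
            "inherent": inh, "inherent_rating": rate(inh),
            "residual": round(res, 2), "residual_rating": rate(res),
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["name"]))
    return rows


# Constructed sample ecosystem (not real vendors). The hospital mirrors the
# article's example: high inherent risk, strong anti-malware, residual still medium.
SAMPLE_PARTIES = [
    ThirdParty("regional-hospital", "high", "high", {"anti-malware": 0.7}),
    ThirdParty("payroll-processor", "medium", "high",
               {"mfa": 0.5, "encryption-at-rest": 0.5}),
    ThirdParty("newsletter-vendor", "medium", "low"),
]

if __name__ == "__main__":
    for row in ecosystem_report(SAMPLE_PARTIES):
        print(f"{row['name']:<20} inherent={row['inherent']:>2} ({row['inherent_rating']})"
              f"  residual={row['residual']:>5} ({row['residual_rating']})")
```

Note what the ranking shows: the payroll processor has a high inherent rating but, with two controls in place, a lower residual score than the hospital, while the newsletter vendor is low on both counts with no controls at all. That is the distinction a performance assessment alone misses: it would report the hospital's anti-malware control as strong and stop, whereas the risk view still places the hospital at the top of the list.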
The situation presents a potential conundrum. You might be thinking, “The healthcare organization in your example has done everything they can. How are they supposed to respond when they are told that they are still at risk?” There are a few things that an organization in this situation may choose to do.
In our example, the organization may:
- Place additional monitoring and alerting functionality around their standard anti-malware control implementation.
- Increase the ingestion of threat intelligence information related to malware attacks.
- Increase staffing for SOC analyst positions.
- Require SOC analysts to attend additional training on how to identify and respond to the latest malware attacks.
- Take no action, which is always an option when all other reasonable steps have been taken.
Getting Comfortable with Risk
In conclusion, risk is a constant. One of the primary tasks of cyber risk management professionals is to determine how best to respond to inherent and residual risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial to success.
We must also realize that while it may sound like a worthwhile goal, attempting to completely remove all risk is ineffective and unproductive.
And finally, the days of getting by with compliance-focused, checklist-style assessments have passed. This is why you need a third-party risk management platform that provides risk-prioritized data that allows you to make informed decisions about what residual risks are acceptable and what risks must be addressed. To learn more about how CyberGRX and ProcessUnity can help you identify your critical risks and make smarter vendor decisions in less time, reach out to our team.