In this video, Kip Boyle explores strategies for packaging information for consumption. Explore how to construct an annual program of cyber risk work for an organization.
- [Instructor] In order to maximize your information security program's effectiveness, you'll need to make sure it grows and changes in response to its environment, and the best way to do that is by establishing an annual program of work. Operating your information security program will demand a lot of your attention. Without excellent planning, prioritization, and execution, you'll be so busy responding to problems that there won't be time available to make useful changes to your own program. The context in which your information security program operates will change constantly due to forces such as your organization's goals and objectives, changes in the way the organization serves its customers and generates revenue, new legal and regulatory requirements, changes in the threat landscape, and the size and structure of your organization.
The best way, I have found, to keep up is to make and follow an annual program of work. This calendar-driven program will weave together three distinct workflows. The first one is designed to fully prepare you for annual budgeting. The second workflow is for conducting annual risk management activities. And the third workflow is for regularly reporting the progress you make managing your top risks. Many of the events in these workflows only happen once per year but in a particular sequence.
There are annual events that are scheduled in a particular month. These are budgeting and risk management activities. And based on my approach there are many triannual events, meaning they happen three times each year, each one in a particular month. I assume your annual budgeting exercise happens in the 4th calendar quarter each year. If that's not true for you then you'll need to adjust this timeline. And on that note, make sure the rest of your organizational calendar lines up with my recommendations. Feel free to customize it as you need.
So now, let's step through your annual program of work. Each September you'll conduct an annual review of the structure of your information security program: look at the types of controls you have and their sources, and see if the design of your information security program will set you up for success in the coming year. Also, make a triannual update to your cybersecurity scorecard to capture all the progress you've made from risk reduction activities. Let's look at October.
Whereas last month you updated your scorecard, this month you'll publish it to your stakeholders as part of your triannual communication activity. Your goal is to show progress managing information security risks. You'll also perform your annual review of processes for measuring information risks. Here are the minimum questions you should ask. Do I need to revise target scores for any of my controls? Am I measuring cyber risk in the right places? Do I need any new controls? And do I need to remove or revise any controls? Be sure to consult with your team and stakeholders to make sure you don't overlook anything.
Each November you'll conduct your annual review of processes for understanding information risks. Here are the minimum questions you should ask. Should you change how you're analyzing your data? Do you need to revise the questions you're trying to answer with your analysis? Should you bring in any other statistical calculations? Should you try any new data visualization techniques? And are there new ways to understand your leadership landscape? Each December you'll conduct an annual review of your process for managing information risks.
Here are the minimum questions you should ask. Are there newer and better ways to generate options for risk reduction? What about new ways to estimate costs or benefits? And are there new formats for proposals you should be using? In January, you'll perform your triannual scorecard update to capture all the progress from risk reduction activities since September. And you'll also begin your annual measurement of information risks by revising your project plan and updating your methods based on the last three months of review.
In February, you'll publish the triannual scorecard to all your stakeholders and you'll continue the annual measurements of risk. In March, you'll complete your annual risk measurements. In April, you'll analyze the risk measurements you did over the last three months to understand your new risk posture. During the month of May, make your triannual scorecard update with progress from current risk reduction activities and prepare annual proposals for new risk management efforts based on the annual risk measurement you just analyzed.
In June, communicate your triannual scorecard update showing progress since February and get support from your boss and other key stakeholders for your new risk management proposals. In July, create your annual budget requests for submission into the next budgeting cycle. And in August, of course, take your holiday.