In this video, Kip Boyle explains how to balance information collection with information overload. Determine how often organizations should measure cyber risks, based on key factors.
- With your initial risk measurement completed, a natural question is, how often should I do this? The first person you should speak with is your boss or executive sponsor. One of your information security program goals is to support them, so make sure they support the decision on the frequency of measurement. Here are some guidelines for when you should schedule new measurements. First, you want to measure risks at least annually but not more often than quarterly. The pace at which you can make useful changes to reduce risk will be a major planning factor.
The cost to do your second measurement will be 50-70% of your first one, so consider affordability. Finally, consider the natural planning cycle of your business. If your company is growing rapidly, you may need to measure more often than a slower-growing organization would. Now, there may be special situations that will affect the frequency of risk measurement. These situations are often signaled by trigger events. These may be caused by major changes you've made by following your risk reduction roadmap and closing gaps.
An example would be having a very high-risk area where it's crucial to bring down the risk as much as possible, as quickly as possible. The protection of credit card data can cause this level of intensity. In this case, you may want to verify the risk reduction by measuring a couple of months after completing the improvements. Another trigger may be the result of major changes others have made that affect the gaps, such as reorganizing their department, contracting with a new vendor, the acquisition of a competitor, an internal launch of a new line of business, or the opening of new offices in another state or country.
Finally, major changes in the external landscape can trigger a special situation justifying new measurements: new laws or regulations that create new gaps, or new threats by criminals that affect existing gaps.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance