In this video, Kip Boyle explains the dangers of running an information security program without a data-driven risk management approach. Explore why program leaders should use a data-driven risk management method.
- [Instructor] An essential function of an information security program is the management of cyber risk. You'll manage it on a daily basis as part of the operational and project functions your team performs. But you only have a limited number of resources to manage an endless number of risks. How will you know which risks are worth the effort to manage? It's not enough to have a bunch of high, medium, and low risks. As a manager, you need to know how to prioritize your top risks so you can smartly allocate your resources to get the biggest benefit.
Now, to manage something well, you need to be able to measure it. That means you need data. Just like a road trip: you know where you started from, but you also need to know where you're going, you need a way to measure your progress, and you need to know when you arrive so you can stop working so hard. Your cyber risk management options fall along two dimensions. The first dimension is methodology, which is the step-by-step process you'll follow. There are formal methods such as ISO 27005, NIST Special Publication 800-37, Factor Analysis of Information Risk, and Risk IT, which is integrated with COBIT.
These are all well-documented, structured methodologies. They are thorough and often complex. And when you use these formal methods, schedule concerns are often a secondary priority. As an alternative, there are also informal methods such as brainstorming the top risks as determined by the intuition of one or more experienced people. This is often considered quick and dirty and is best when you're in an urgent or emergency situation. The second dimension of options you have is how to do risk assessment.
You can follow a quantitative approach which will be very data-driven and use statistical models and algorithms. You will calculate such values as Annualized Rate of Occurrence and Annual Loss Expectancy. Your other option is a more qualitative approach. And this is favored when there's a lack of time or mathematical expertise. It has a heavy reliance on interviews. Results are often sorted into color-coded categories such as red, yellow, and green or high, medium, and low.
Before choosing, consider the organization in which you work. Formal, quantitative measurements may work best at an engineering or data-intensive company. In contrast, informal, qualitative measurements may work best at a company where quick, intuition-based decision making is highly valued by executive management. My bias is towards a balanced managerial view. I want my decisions based on data, but I also want to use the most practical method I could find, so I aim to strike a balance of the two dimensions.
Semi-formal, so it'll be structured, and we can include experts from other parts of the organization in our work, but it won't take months of duration and effort. And semi-quantitative, so we can have a reliable means of prioritizing our risks and benefit from a few simple statistical calculations while avoiding the murkiness of simple red, yellow, green labels. Using our semi-formal, semi-quantitative approach we'll be able to generate the first risk assessment in 60 to 90 days, depending on how large and responsive your organization is.
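The following is an added illustration of the semi-quantitative idea discussed above, not code from the course or its instructor. It maps the kind of likelihood and impact bands you would collect in interviews onto numeric ranges, carries Annual Loss Expectancy (ALE = Single Loss Expectancy x Annualized Rate of Occurrence) through as an interval, and ranks a risk register by it. The band boundaries and the four risks in the register are constructed for the example; calibrate the bands to your own loss history before using them.

```python
"""Semi-quantitative risk prioritization (added example, not the course's code).

Interview-style likelihood and impact bands are mapped to numeric ranges,
an ALE interval is computed per risk, and the register is ranked by ALE.
Band boundaries and the register below are constructed for illustration.
"""
import math
from dataclasses import dataclass

# Likelihood band -> Annualized Rate of Occurrence (events per year), (low, high).
# Constructed boundaries; calibrate against your own incident history.
LIKELIHOOD_BANDS = {
    "rare": (0.05, 0.2),
    "unlikely": (0.2, 1.0),
    "likely": (1.0, 5.0),
    "frequent": (5.0, 20.0),
}

# Impact band -> Single Loss Expectancy in dollars, (low, high). Constructed.
IMPACT_BANDS = {
    "minor": (1e3, 1e4),
    "moderate": (1e4, 1e5),
    "major": (1e5, 1e6),
    "severe": (1e6, 1e7),
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # key into LIKELIHOOD_BANDS, as elicited in interviews
    impact: str      # key into IMPACT_BANDS
    label: str       # the high/medium/low tag the workshop assigned


def ale_range(risk):
    """ALE = SLE x ARO, carried through as an interval (low, high)."""
    aro_lo, aro_hi = LIKELIHOOD_BANDS[risk.likelihood]
    sle_lo, sle_hi = IMPACT_BANDS[risk.impact]
    return (sle_lo * aro_lo, sle_hi * aro_hi)


def ale_point(risk):
    """Geometric midpoint of the ALE interval. The bands each span about an
    order of magnitude, so the geometric mean is a fairer single number
    than the arithmetic midpoint, which the high end would dominate."""
    lo, hi = ale_range(risk)
    return math.sqrt(lo * hi)


def prioritize(risks):
    """Risks sorted from largest to smallest expected annual loss."""
    return sorted(risks, key=ale_point, reverse=True)


def spread_within_label(risks, label):
    """Ratio of the largest to the smallest ALE point estimate among risks
    that share one qualitative label: how much a single bucket can hide."""
    points = [ale_point(r) for r in risks if r.label == label]
    return max(points) / min(points) if points else 1.0


# Constructed register: four risks and the labels a workshop might give them.
REGISTER = [
    Risk("Ransomware on file servers", "likely", "major", "high"),
    Risk("Laptop theft", "frequent", "minor", "medium"),
    Risk("Cloud storage misconfiguration exposes customer data",
         "unlikely", "severe", "high"),
    Risk("Phishing leads to credential compromise", "frequent", "moderate", "high"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        lo, hi = ale_range(r)
        print(f"{r.label:6} ${lo:>12,.0f} - ${hi:>12,.0f} "
              f"(point ${ale_point(r):>12,.0f})  {r.name}")
    print(f"'high' risks span a {spread_within_label(REGISTER, 'high'):.1f}x "
          f"range in expected annual loss")
```

Run as-is to see the ranking. The point of the `spread_within_label` number is the one made in the passage: three risks all tagged "high" differ by more than a factor of four in expected annual loss, which is exactly the information a red/yellow/green scheme throws away and a budget decision needs.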