Whilst many businesses now hold and maintain security risk registers, many do not have a clear statement of their cyber security risks: their risk registers frequently include threats, threat actors, attack vectors, vulnerabilities, impacts and (occasionally) risks. This confused approach is often born out of the historic approach to security, which was frequently either technology or breach led.
CSR solutions begin the engagement process by understanding what is to be protected, where those assets are, what security exists to protect them, and how they are managed and reported upon. Having completed this task, a revised and refocused risk management structure is introduced, centred around assets, services and operational sites.
Whilst security is often expressed as the need to maintain confidentiality, integrity and availability, for many businesses this results in a less focused approach to control and remediation as assets (for example) will have requirements in all three of the categories.
By focusing on five simple core risks under the revised risk management structure, it is possible to better understand and report on the effectiveness of the control sets aligned to identify, protect, detect, respond and recover from a threat event.
Having refocused the risks and controls and developed the risk register, CSR solutions then help identify and align the threats to the risks/controls, identifying whether those controls are appropriate and fit for purpose. By using a repeatable and standardised template for assessing the design and operational effectiveness of the controls using quantitative methods, a dispassionate assessment can be made to develop a reporting and alerting process which has meaning.
With the framework for assessing the effectiveness of the risk management processes built, the door is open for the use of quantitative risk assessments, enabling a truer picture of the effect of introducing new products or systems, revising existing ones, or modelling the effect of the constantly changing threat landscape. Whilst many technologies are being developed to help this process, unless appropriate groundwork has been done, the output of those tools can be very misleading.