Cybersecurity Risk Assessment Tiering
February 18, 2021
Cybersecurity professionals use the word “risk” extensively, but it’s a word with multiple meanings that different people may interpret in different ways. What risk means depends on who’s using the word and the context in which it's used. The same applies to “assessment”: is it a review, a measurement, an opinion or a combination of multiple things?
It’s no surprise, then, that the term "risk assessment" means different things to different people and organizations. By breaking down a risk assessment into its basic components and then reassembling it, it becomes clear how it applies to cybersecurity.
In cybersecurity circles, we should always use the formal definition of risk to eliminate confusion. But even major security standards bodies don’t agree on a single definition. The term also takes on slightly different meanings even within the same bodies.
While definitions differ, it’s important not to let them wrap you around an axle. When it comes to risk management, organizations should adopt the definitions used by the framework they have chosen and apply them consistently. Assessments should also take account of overall business strategies and directives as they apply to information, not just the controls applied to protect it.
For more than three decades, information or cyber risk management has often been associated with three parameters: people, process and technology. Cybersecurity risk assessments that don’t consider all three elements are incomplete and result in flawed assessment recommendations. By way of analogy, imagine a three-legged stool with one or two legs missing.
Challenges do arise when applying the methodology, though. The stool analogy sounds simple, but who are the people? Are they IT staff, cybersecurity staff or someone else? What is the process? Not all processes are equal, and more to the point, which one is “best” depends on the specific organizational context. The same goes for technology: there are fantastic tools that may be wrong for your situation.
Risk assessments should study how the business operates and model the risk assessment process to those unique dynamics. A three-tiered approach, with each tier focused on a specific set of responsibilities and knowledge, helps address multiple challenges.
Tier 1 is the top of the model, the organization level where leadership makes core decisions and defines business strategies. Directives from these processes flow to tier 2.
Tier 2 focuses on fulfilling the business mission by establishing rules and standards that operate across the organization. In our case, these rules and standards apply to protecting information.
Tier 3 is the most technical of the three levels – this is where cybersecurity controls are applied to protect information and the responses to these controls are measured and reported up the chain to provide management assurance.
This model sounds simple. And it is, until you consider the organization’s internal and external influences. If we include those, the model expands as depicted in Figure 1, which captures some of the complexity that cyber risk assessments must include.
Figure 1: Risk Assessment Tiers
The management responsibilities in each tier are:
The way organizations assess and manage risk in tier 3 is vastly different from tiers 1 and 2. Why? Because each tier is the responsibility of a different level of management within the organization.
Organizations that realize they need a risk management program (which is really all of us) define an enterprise risk management (ERM) program – they may call it something else, but it’s a risk management program that addresses risk throughout the company. In most organizations, the ERM documentation contains relatively little information about managing cybersecurity risk, because the language becomes very technical very quickly. Remember, leadership at the organizational level – i.e. the board and C level – defines and monitors the ERM. Since these people aren’t typically cybersecurity experts, ERM documentation mandates the creation of a management policy and supporting program for cybersecurity risk management (CSRM) that reports risk metrics to the ERM program, the senior leadership team and the board.
This means that the ERM and CSRM touch at tier 2. Because of this, simply assessing cybersecurity risk at the IT level provides a limited and incomplete assessment unless it considers the organization’s strategy, the processes, and the information security management standards created in tier 2 that apply to tier 3.
A cybersecurity risk assessment doesn’t require a full-blown enterprise risk management assessment. It simply means the cybersecurity risk assessment must be aware of, and take account of, the impact, constraints and requirements associated with decisions and actions made elsewhere in the organization.
This three-tier approach to cybersecurity risk management, which we employ at Optiv, assures organizations that the results of the assessment will improve risk communication, support improved risk reduction and reduce risk management costs over time.