Risk Scoring Basics
April 30, 2021
We’re all familiar with olfactory fatigue – when we’re exposed to an odor long enough, we can’t smell it anymore. Then someone else comes into the room, and wow, that’s a strong scent.
Risk fatigue is similar. When we’ve faced a certain risk long enough, we no longer “feel” its true importance. Cybersecurity leaders often face risk fatigue, as newly identified risks seem more significant compared to risks that have been present for a longer period of time. This can result in priorities that aren’t aligned to the organization’s true risk: budgets aren’t properly allocated, and resources are focused on risks that don’t represent the greatest threat to the organization.
If we measure consistently, we can identify our real risk and spot where risk fatigue has set in. In its simplest form, risk is scored as the product impact × likelihood. In cybersecurity we often talk about risk in terms of threats and vulnerabilities and how easily they can be exploited. That is not the totality of risk; it is one part of the equation. An easily exploited vulnerability may create a high probability of exploitation, but we must also consider the potential impact. For example, if an easily exploitable vulnerability that would put customers’ private information at risk is present on a critical business system, then we have a high impact and a high likelihood, resulting in a high-risk rating. If the same vulnerability is on a standalone system that feeds the daily cafeteria menu, the impact is much lower and so is the risk.
Real-world quantitative cybersecurity risk analysis is incredibly complex, requiring significant data inputs such as system valuation, data and process mapping, and financial impact analysis for every workstream in the organization. Even organizations that have completed a full business impact analysis find it difficult to quantify impacts, and because of the adversarial nature of cybersecurity, probabilities are harder still to quantify with confidence. For both calculations, expert judgment is as important as the data required to make the case. The good news is that if we apply our risk analysis consistently, we get what we need from our risk scoring: the ability to rank risks against each other from high to low.
Once we can score our risks, we can take the next step and rank them from high to low. The resulting artifact is often called a risk registry, though it is technically more of a risk log (fortunately most compliance audits will accept this as a form of registry). The next step is to assign a risk treatment option to each entry. We call it treatment rather than remediation because remediation is only one of the options available for treating risk: we can remediate (mitigate), avoid, share (transfer) or retain (accept) the risk, and each option has its place in our risk log.
Two more items belong in the risk registry: your team’s expert recommendation for the risk treatment, and a residual risk rating or score. Your registry should have a defined plan for each of the treatment options above; from those plans you select the ones to propose to organizational leaders for approval. Residual risk is the risk that remains once the proposed treatment is in place, scored on the same impact and likelihood scales as the original rating so that treated and untreated risks can still be ranked against each other. A retained (accepted) risk keeps its original rating; a remediated, avoided or shared risk should carry a lower residual rating, and the size of that reduction is part of the case you make to leadership.
Additional items that may be useful to add to your risk registry include the specific lines of business that could be impacted, whether the risk is technical or procedural, the date of entry into the log, a mapping of each item to a compliance standard or security framework, and the resource requirements or level of difficulty to enact the risk treatment plan.
Now that you have a functional risk registry, it needs to be managed on an ongoing basis: entries are reviewed on a regular cadence, re-scored when the threat, the system or the business changes, and closed out when a treatment is complete.
As you begin building your cybersecurity risk management program, implementing a risk registry is an early, practical step toward reducing the impact of risk fatigue, because a long-standing risk and a newly discovered one are measured on the same scale rather than by how fresh they feel.
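The scoring, ranking, treatment and residual-risk steps above, worked as a small ordinal risk register. This is an added example written for this page, not Optiv’s own tooling or method; the three risks, their 1–5 ratings, treatments and review dates are constructed sample data, and the tie-breaking rule (equal scores rank by impact, then by the older entry) is a design choice made here, not something the post prescribes.

```python
"""Ordinal risk register: score, rank, treat, record residual risk, flag stale entries.

Added illustration of the registry steps described on this page. Scores are
products of 1-5 ordinal ratings, so they only rank risks against each other;
they are not dollar values. All entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCALE = range(1, 6)  # 1 = negligible ... 5 = severe / almost certain
TREATMENTS = ("remediate", "avoid", "share", "retain")
AS_OF = date(2021, 4, 30)  # "today" for the review-cadence check (constructed)


def score(impact: int, likelihood: int) -> int:
    """Risk score = impact x likelihood, both on the same 1-5 scale, applied consistently."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must each be rated 1-5")
    return impact * likelihood


@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int
    entered: date                     # date of entry into the log
    last_reviewed: date               # drives the ongoing-management check
    business_lines: list = field(default_factory=list)
    treatment: Optional[str] = None   # remediate | avoid | share | retain
    recommendation: str = ""
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    @property
    def inherent(self) -> int:
        return score(self.impact, self.likelihood)

    @property
    def residual(self) -> int:
        """Score after the proposed treatment; an untreated or retained risk keeps its inherent score."""
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent
        return score(self.residual_impact, self.residual_likelihood)

    def treat(self, option: str, recommendation: str,
              residual_impact: Optional[int] = None,
              residual_likelihood: Optional[int] = None) -> None:
        """Record the proposed treatment and the residual rating it is expected to leave."""
        if option not in TREATMENTS:
            raise ValueError(f"unknown treatment {option!r}")
        if option == "retain" and (residual_impact, residual_likelihood) != (None, None):
            raise ValueError("retaining (accepting) a risk does not change its rating")
        if option != "retain" and None in (residual_impact, residual_likelihood):
            raise ValueError("a treatment that changes the risk needs a residual rating")
        self.treatment = option
        self.recommendation = recommendation
        self.residual_impact = residual_impact
        self.residual_likelihood = residual_likelihood


def rank(register: list, residual: bool = False) -> list:
    """Highest score first. Ties go to the higher impact, then to the OLDER entry,
    so a long-standing risk is not buried under a newer one of equal score
    (a design choice made here to counter risk fatigue, not a rule from the post)."""
    def key(r: Risk):
        return (-(r.residual if residual else r.inherent), -r.impact, r.entered)
    return sorted(register, key=key)


def overdue(register: list, today: date, max_age: timedelta = timedelta(days=90)) -> list:
    """Entries not reviewed within max_age: the ongoing-management check."""
    return [r for r in register if today - r.last_reviewed > max_age]


def sample_register() -> list:
    """Constructed sample data mirroring the post's customer-data vs. cafeteria example."""
    pii = Risk("customer-pii-exposure", 5, 5, date(2019, 3, 1), date(2021, 1, 15), ["retail", "support"])
    backup = Risk("backup-admin-shared-password", 4, 3, date(2021, 2, 10), date(2021, 4, 20), ["it-ops"])
    menu = Risk("cafeteria-menu-server", 1, 5, date(2020, 6, 1), date(2020, 6, 1), ["facilities"])
    pii.treat("remediate", "Patch and restrict network access to the critical system", 5, 1)
    backup.treat("share", "Rotate the credential; cyber insurance covers residual financial impact", 2, 3)
    menu.treat("retain", "Isolated system holding no sensitive data; accept as-is")
    return [pii, backup, menu]


if __name__ == "__main__":
    reg = sample_register()
    for r in rank(reg):
        print(f"{r.inherent:>3} -> {r.residual:>3}  {r.treatment:<9} {r.name}")
    print("overdue for review:", [r.name for r in overdue(reg, AS_OF)])
```

Run stand-alone, the inherent ranking is customer PII (25), backup credential (12), cafeteria menu (5); after treatment the residual ranking is backup (6), then customer PII and cafeteria tied at 5, with customer PII ranked first by impact. Two entries trip the 90-day review check. Because the residual rating reuses `score()`, the treated and untreated entries stay comparable on one scale, which is the consistency the post argues for.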