We’ve now reached part three in our four-part series about security program development. The series aims to provide an overview of creating a cybersecurity posture for your organization’s distinct needs. If you haven’t read parts one and two yet, we highly recommend starting there to get the complete picture. As a general rule, there are four key phases to security program development for most organizations—this post reviews phase three, or the Deploy Risk Treatments stage.
Phase Three of Security Program Development
You’re now more than halfway through the process of developing a security program for your organization. Nice work! In phase two, we discussed identifying your level of ‘risk appetite’ (i.e. how much residual risk is acceptable to your corporate culture and industry). Now that you’ve done that, you’re ready to look at risk treatments.
The first step in deciding which risk treatments to deploy is to form a team of key internal stakeholders. We recommend creating a group so that decisions can be reached collectively and, hopefully, with some consistency. Once you’ve identified your internal team, you’ll begin looking at your cybersecurity risks on a priority basis (most urgent to least urgent). From there, you will select an option (more on this below) to reduce each risk to a level in alignment with your overall risk appetite.
Your Options for Treating Risks
When it comes to treating a known cyber risk, you really only have four options to consider. We’ve detailed the options below.
- Option A: Avoid a Risk: Let’s say you have an old server that can’t be fixed because, years ago, the vendor stopped supporting the application it runs; you may choose to migrate your data to a modern server that doesn’t have the risk while securely disposing of the old one. The risk is eliminated and therefore avoided.
- Option B: Transfer (or Share) a Risk: Some risks are appropriate for you to carry and for cybersecurity insurance to handle. However, it’s proving increasingly difficult to obtain cybersecurity insurance without a formal security program (which you’re in the middle of implementing, so you might be in luck!). For some situations (where appropriate), you could also consider sharing the risk through contract wording with your customers, suppliers, or partners.
- Option C: Implement a Risk Control: Implement a policy, deploy some technology, implement a new mitigating process… whatever you choose, find a way to control the risk to a reasonable level, a level that is in harmony with your risk appetite. The Risk Control you decide to implement will look different depending on the specific risk. The point of this is that you’re proactively looking to introduce a measure to control the risk.
- Option D: Accept a Risk: Some things in life can’t be controlled, and in some scenarios, it may simply make sense to accept the risk. For those situations, develop a process to periodically review the risk with your internal stakeholders, to see if the situation has changed and if there are new options for addressing the risk more thoroughly.
You may choose different treatment options for various risks. All the treatment options you choose ultimately form your project plan. Deploying your plan and customized security controls will eventually get you to your stated security program objectives! Once you reach this stage, you’re tailoring solutions to meet your organization’s needs, and it’s just a matter of deploying each of them on a risk-by-risk basis.
Of course, if you need guidance in assessing your risks and understanding what treatments might be available and appropriate, or perhaps help with deploying the controls, SeekingFire Consulting Inc. is here to help. We’re proud to work with small to medium-sized clients across Western Canada on their cybersecurity needs. We offer free consultations to all prospective clients. Please reach out to get the conversation started.
While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.