Once you have determined your approach to improving your cyber risk management and pinned down your cyber security strategy, you are ready to start implementation.
The first step is to identify and prioritise your cyber risks by understanding the information you need to protect, then identifying the threats you are trying to protect it from. You then need to work out the controls you have in place to protect the information and where you have gaps.
Your cyber security strategy will have determined the principles, standards and/or frameworks you will adopt to guide you through these steps, and you may turn to external specialists for independent and deeply experienced support.
You will be undertaking risk assessment and/or gap analysis activities in support of an organisational commitment to improve your cyber security posture. Improvement is only possible if you have an established position or benchmark from which to measure change – these activities allow you to create that valuable baseline.
A thorough and structured assessment of your cyber risks will lead to priorities for your organisation. This, in turn, ensures you deploy your precious resources to effectively and efficiently protect your most important assets. Conversely, it means you don’t waste time and effort protecting the wrong things.
An established approach – framework or standard – means you don’t have to reinvent the wheel and specialist support helps you to avoid common pitfalls.
Ascentor uses well-known cyber risk management principles to identify and prioritise risks. We typically select the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Top 20 Critical Security Controls to support our work.
Using the principles, standards and/or frameworks we have mutually agreed as an initial baseline, we use our tried and tested four-step Gap Analysis process to identify how near or far you are from your goals.
Once we have a clear picture of the gaps, we assess the associated risks. First, we identify the inherent risk, then calculate residual risk taking into account the mitigating controls identified during the gap analysis and the organisational risk appetite. This process informs the priorities for any remediation work.
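The inherent-to-residual risk step described above, worked through in code as an added illustration (this is not Ascentor's own tooling or method): the 1 to 5 likelihood and impact scale, the residual-risk formula, the risk appetite threshold and the sample gap-analysis findings are all assumptions made for the example.

```python
"""Added example: prioritising gap-analysis findings by residual risk.

Assumptions (not from the original page): likelihood and impact are scored
1..5, inherent risk is their product, residual risk scales inherent risk by
the share left unmitigated by existing controls, and anything above the
organisation's risk appetite becomes a remediation priority.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    gap: str                        # control area where the gap analysis found a shortfall
    asset: str                      # information asset exposed by the gap
    likelihood: int                 # 1 (rare) .. 5 (almost certain), before controls
    impact: int                     # 1 (negligible) .. 5 (severe)
    control_effectiveness: float    # 0.0 (no mitigating control) .. 1.0 (fully mitigated)


def inherent_risk(f: Finding) -> int:
    """Risk before any mitigating control is taken into account."""
    return f.likelihood * f.impact


def residual_risk(f: Finding) -> float:
    """Risk remaining after the mitigating controls identified in the gap analysis."""
    if not 0.0 <= f.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_risk(f) * (1.0 - f.control_effectiveness)


def prioritise(findings, risk_appetite: float):
    """Findings whose residual risk exceeds the risk appetite, highest first."""
    above_appetite = [f for f in findings if residual_risk(f) > risk_appetite]
    return sorted(above_appetite, key=residual_risk, reverse=True)


# Constructed sample output of a gap analysis for a hypothetical organisation.
SAMPLE_FINDINGS = [
    Finding("hardware asset inventory", "corporate laptops", 4, 3, 0.5),
    Finding("data protection", "customer records", 4, 5, 0.2),
    Finding("administrative privileges", "domain admin accounts", 3, 5, 0.9),
    Finding("security awareness training", "staff mailboxes", 5, 2, 0.0),
]

if __name__ == "__main__":
    # Risk appetite of 5.0 on the assumed scale: remediate anything above it.
    for f in prioritise(SAMPLE_FINDINGS, risk_appetite=5.0):
        print(f"{residual_risk(f):5.1f}  {f.gap:30}  {f.asset}")
```

Note that the well-controlled domain admin finding drops below the appetite despite having the second-highest inherent risk, which is exactly why residual rather than inherent risk drives the remediation order.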
A thorough and structured assessment of your cyber risks will ensure you deploy your precious resources to effectively and efficiently protect your most important information assets.