How To Develop A Security
Risk Management Plan

Learn how PurpleSec’s experts can help manage your organization’s cyber risk.

Author: Rich Selvidge, CISSP / Last updated: 5/22/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM & Seth Kimmel, OSCP

View Our: Editorial Process

There are three main steps to developing and implementing a risk management plan for cyber security including Assess Cyber Security Risks, Prioritize Cyber Risks, and Identify Cyber Security Risk Prevention And Mitigation Strategies

There’s no denying that we’re living in an era of unprecedented events, be it in the form of health emergencies, natural disasters, or volatile diplomatic ties. We’ve witnessed the cost that businesses have had to incur when they scrambled to secure their assets in the face of unforeseen cyber attacks.

Oftentimes, lack of preparedness leads to huge losses that could have otherwise been avoided if a well planned risk management framework was put in place.

While a large number of turnkey solutions are available for you to pick up from where you were left behind and get started, they’re not always robust and reliable because one size does not fit all when it comes to securing your assets.

There’s disillusionment when the investments made in the space of managing risks do not pay off and in turn, lead to technical debts. Executives lose faith in the measures and there’s a downward spiral in the confidence scores of security solutions that otherwise look lucrative.

A well-conceived personalized risk management plan can help you put on the table, the unique needs of your business and address them in ways that provide the maximum return on investment. This will be your stepping stone in building a cyber security program that serves in your best interest.

In this article, we introduce you to the basic premise of cyber risk management. We will walk you through the steps to create a thorough and successful cyber security risk management plan.

After you’ve read through the various stages of preparing a risk management plan, you will be able to create a risk management plan for your organization. Let’s begin by defining cyber risk management.

What Is Risk Management In Cyber Security?

Cyber risk management involves identifying, analyzing, and mitigating events that may compromise your digital assets and have a devastating impact on your business.

It is the ongoing process that must be designed to adapt to the changing landscapes and requirements that rapidly evolve with the evolution of the way businesses are conducted across the globe.

A core principle of any effective cyber security strategy is risk management. For example, the NIST Framework for improving critical infrastructure cyber security is built on it.

Government agencies certify their information systems’ operational security against the FISMA Risk Management Framework’s standards (RMF).

Who Is Responsible For Risk Management?

A Chief Information Security Officer (CISO) plays a pivotal role in managing cyber risks of an organization.

Being at the helm of addressing the cyber security needs of the company and liaising between the upper-level management and the IT teams, the CISO is majorly responsible for the following tasks around information security:

• Garnering support from upper-level management on the measures to be taken while encountering security vulnerabilities.
• Managing budget and allocating funds toward priorities outlined in conjunction with the executive board.

The Importance Of Risk Management In Security

With the rapidly changing technological landscape and the proliferation of digital services as a result of the Covid-19 pandemic, the world is witnessing an exponential increase in cyber attacks.

A vast majority of the workforce connecting remotely, and disruption in the supply chains owing to incongruous processes and misalignment with partners, organizations have had to grapple with multiple challenges.

According to a recent survey conducted by the World Economic Forum Centre for Cyber security, the top three cyber threats leaders are concerned about are:

1. Infrastructure breakdown due to a cyber attack
2. Identity Threat
3. Ransomware

81% of the survey respondents opined that staying ahead of cyber criminals is becoming more and more challenging.

This calls for an ever-increasing need for scalable threat management models and cyber resilience in the guise of a robust Security Risk Management plan that should encompass the following factors:

Identify And Manage Blind Spots

Accurately identifying the current state of your assets and mapping them to the optimal or desirable state will help identify the weaknesses in your defenses.

When you lay out all the factors before you proactively, you unfold several knots that would not have been identifiable in a reactionary approach. A risk management plan can help you close these gaps.

Identify Emerging Threats

A mature risk management program should be updated frequently to keep up with the constantly changing threat landscape.

Organizations should also exercise prevention measures to mitigate damages.

It’s often a question of when, not if, but you can control the damage an attack does by implementing a solid risk management plan.

Identify, Manage, and Counter Cyber Threats

Be vigilant and aware of threats and educate employees about emerging threats and the relevance of the various types of cyber security risks.

Once identified accurately, you can manage the threat depending on the mitigation steps.

Create And Implement An Incident Response Protocol

A well structured incident response strategy helps in effectively identifying the threat and putting the team to action to minimize risk while the incident responders get sufficient time to respond, thereby minimizing the financial and reputational impact of the incident.

Streamline IT Systems

Regular inspection and audit of IT systems will spare you from surprises in terms of security breaches as well as help you with defining an incident response channel and prioritization of response.

Ensure Data Safety And Regulatory Compliance

Any business runs on trust and regulatory compliance proves to your customers your commitment toward the safety of their data, as well as your reputation of being an ethical entity.

Risk Management Frameworks To Consider

Working within a framework governed by guidelines and best practices, helps us narrow down on threat recognition and response and minimizes the impact of a threat outcome.

Any cyber security risk management plan should incorporate a framework that can seamlessly integrate into the existing security management process.

Managing these systems within a well structured framework helps organizations to reduce the response time and accelerate the resolution of security breaches.

Frameworks are voluntary and meant to serve as guidelines that take into consideration people, processes, and technology (PPT) at the same time defining specific roles and responsibilities within the organization in addition to governance and reporting.

There is a wide array of risk management frameworks that you can choose from depending on the needs of your organization.

ISO 27000

ISO 27001 is an international standard for securing information assets of an organization and helps ensure the confidentiality and integrity of consumer data.

This framework advocates close to 114 controls. An ISO 27001 certification helps businesses secure trust among consumers, as compliance with such a world-class standard is an indication of the business’s commitment to securing customer data.

Depending on the size of your company it may take up to 18 months to complete the certification if the total number of employees exceeds 200. define in the policy.

NIST CSF

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) is a seven-step process that guides an organization in accomplishing information security objectives.

It is based on five key elements including:

• Identify
• Protect
• Detect
• Respond
• Recover

NIST CSF certification is desirable for any organization responsible for delivering products and services linked to critical infrastructure and global supply-chain.

It could take from a couple of weeks to years to implement this framework.

DoD RMF

The Department of Defense (DoD) RMF was formulated by the US Department of Defense to strengthen the cyber security of Federal Networks and Critical Infrastructure.

The framework uses security controls and authorizes the operation of Information Systems and Platform Information Technology Services.

Any private institute that conducts business with Government entities should also comply by the guidelines postulated in this framework.

FAIR

The Factor Analysis of Information Risk (FAIR) enables organizations to quantify security risks in terms of financial liability.

The governing principles of this framework are the duration of a security event and the financial impact it has.

This model helps CISOs to quantify the financial impact on a probable security risk based on statistical calculations.

You can combine the FAIR framework with other frameworks such as NIST CSF to achieve comprehensive cyber security coverage.

PCI DDS

Payment Card Industry Data Security Standard (PCI DSS) is a security standard put in place to ensure safe and secure transfer of credit card data.

Organizations that store, process, or transmit payment or customer data are required to comply by this standard.

CIS Controls

The Center for Information Security (CIS) controls are a prioritized set of standards and best practices for mitigating widespread cyber attacks against systems and networks.

These controls were put in place as a collaborative effort between the US Government and a community of security research experts.

CIS Controls constitute a set of practical defenses curated by a community of IT experts based on their real experience in the area of cyber security.

Which Risk Management Framework Is Right For My Organization?

Risk management frameworks come with a set of guidelines that can be customized to the security needs of your organization.

There are a number of such frameworks designed to serve specific requirements depending on the tolerance levels of your IT systems, environment, priorities, risk categories, and risk response strategies.

When you make the decision to choose a framework keep the following aspects in mind:

• Review the existing risk management processes and evaluate the effectiveness of such processes. Is it in the formative stage? what’s the maturity level? Is it repeatable? How does it fare among competitors? Such introspection helps in understanding which framework is in alignment with the processes already in place in your organization. Understand how a framework defines the objectives and the controls that should be in place.
• Examine the compliance requirements of your organization and understand the technology landscape in which your assets reside. You can thus choose the most appropriate framework that promises to cover those compliance and regulatory requirements.
• Take an inventory of the technology assets including development tools, software, data infrastructure, service models, and so on. Acquiring this insight will help you look for specific guidance around these assets in any prospective framework.

How To Implement A Cyber Security Risk Management Plan

Step 1: Assess Cyber Security Risks

Start by conducting a security risk assessment.

Depending on your organizational requirements and objectives, choose the best approach, which can be quantitative, qualitative or a combination of both.

A quantitative approach gives you insight into the financial impact a particular risk brings, while a quantitative approach gives you visibility into the organizational impact in terms of productivity.

A risk assessment can be conducted at the strategic level or at the tactical level as described in the NIST Special Publication 800-30.

The first and foremost task in the security risk assessment process is to create an inventory of all assets and lay them out based on priority and importance and the nature of such information.

Get a buy-in from all stakeholders and come to an agreement on how to classify the informational assets.

Step 2: Prioritize Cyber Risks

Determine what data is accessible and to whom, and the ways it can be breached.

With the IT landscape widening and with organizations adopting newer technologies and different modes of conducting business such as shared infrastructure or third-party services running atop an existing software stack, data loopholes can live in the most unexpected territories.

In addition to the transforming landscape, a plethora of compliance policies coupled with regulatory practices reinforce the importance of identifying every possible security incident or data breach that can surface in the infrastructure web.

Once you’ve identified the informational assets and classified them, identify the potential threat channels.

As we maneuver along the dynamic threat landscape it’s important that we keep ourselves up-to-date on the triggers and controls and evolve to devise different strategies to counter these threats with the changing needs.

Data security incidents range from external attacks, malicious users and software, vulnerabilities introduced as a result of negligence, natural disasters, and insider threats.

Security breaches lead to revenue loss, reputational damage, legal implications, interruption of business continuity and the list goes on.

Identify vulnerabilities through scanning, penetration testing, and auditing controls.

Vulnerabilities live on the network or the application and are weak spots that go unnoticed because of oversight and lack of agility to take note of system flaws.

With more and more companies hosting and running their applications on the cloud, the chances of introducing such weak spots are high.

The kind of threats that target such vulnerabilities are external, internal, structured, and unstructured threats.

Step 3: Identify Cyber Security Risk Prevention And Mitigation Strategies

Once you’ve assessed the information assets and have identified potential security threats associated with those assets, it’s time to devise mechanisms to avert the threats you’re likely to encounter.

Deploy Security Monitoring Tools

Deploy all necessary infrastructure and security solutions that can automate the surveillance for you. This is an essential step in managing your network’s security.

Think like an intruder and narrow down on the possible ways your IT infrastructure and assets can be attacked.

Tap into the weakness in your environment to detect vulnerabilities and devise a continuous security monitoring (CSM) strategy.

Deploy Security Information and Event Management (SIEM) tools that have User Entity and Behavior Analytics (UEBA) capabilities such that you can keep a track of evolving threat landscapes as well as secure your organization with regulatory compliance and reporting competence.

Create a cyber security mesh focused on securing the devices and nodes in your network.

Implement A Patching Program

Put in place a comprehensive patch management program for keeping all the software up-to-date and implementing patches as and when they’re available from respective vendors.

The patches address gaps within applications that could serve as a launchpad for attackers.

Enforce compliance from employees and push the updates automatically.

Prioritize updates based on the risk quotients and make sure they’re run on test systems to prevent unwarranted risks before the actual implementation.

Implement A Data Backup Solution

Data is one of the most valuable assets to an organization. It should be treated with utmost care and attention.

Make sure there’s a proven strategy to back up critical data within a secure environment and that which can be rolled back in the event of a corruption or system failure.

Automate the backup process and encrypt the backed-up data. For mission critical data, deploy a 3-2-1 backup strategy where you create 3 copies of the data using two different storage types and one being offsite.

Consider Staff Augmentation

You could choose to outsource your security needs to a trusted and managed security services provider who will take the responsibility of managing and securing your IT systems.

While doing so, make sure that they adhere to policies of security and compliance of system data.

With the proliferation of distributed networks and increased mobility of businesses, and decentralization, enhanced security measures have become the need of the hour.

Implement Security Based Technology

Cloud based enterprises are moving toward Firewall as a Service (FWaaS) that offers firewall as a cloud-based service giving you the flexibility to either partially or fully move the security enforcement to the cloud.

Software-defined wide-area-network (SD-WAN) is another solution for connecting distributed cloud providers into a single global firewall instance while you only need to worry about a single firewall entity to secure your assets.

Implement A Security Awareness Program

Despite all these measures, data can still be compromised if measures are not taken to create awareness about cyber security among the workforce.

Human error still figures among the top reasons for data breaches in 2021 and the figure continues to remain so.

It’s imperative to inculcate a culture of security awareness and hold employees accountable for non-compliance.

Simple tactics such as social engineering, phishing, authentication breaches and so on can be avoided if employees take cognizance of such symptoms and take appropriate remedies and route and report incidents through the security compliance channels.

Cyber Risk Management – Final Checks

In this article, we’ve reviewed how to manage risk and introduced the various stages involved in preparing a cyber security risk management plan.

When developing a risk management plan for your organization consider the following:

Plan For And React To An Attack

A good risk management plan should include steps to react to an attack by clearly defining the roles and responsibilities of each actor involved in response to a security incident.

Clearly document a standard operating procedure that details the hierarchy of reporting and share it with stakeholders.

For instance, security teams should inform the CISO about a breach. Depending on the severity of the incident, the legal teams should be notified if there needs to be external communication.

If the incident can be contained within the organization, internal teams are notified.

Document the types of activities that constitute a security event and the criticality levels of each – for example:

• What does a data breach imply?
• How can you identify one?
• What are the signs to look out for and how to initiate a response?

Define how security threats can be isolated, investigated, and remediated.

With the complicated IT systems and advancements in the way hackers have been prying, a more concerted approach is necessary when it comes to modern-day cyber attacks.

Conduct On Going Security Risk Assessments

Security risk assessments help us evaluate where we stand in terms of preparedness when there is an actual threat.

Your risk management plan should account for an ongoing risk assessment plan.

Determine when, why, and how you want to perform an assessment and draw up a cyclic process that will cover assessment, redressal, and re-assessment

Depending on the purpose of the assessment, define a recurring schedule to conduct risk assessments.

It could be when there is a change in the working model, or with a new acquisition, or in response to compliance requirements.

In addition, conduct assessments to examine the workarounds and remediation performed with any recent security incident.

Account for various opportunities for conducting a risk assessment.

Define the scope and objectives of risk assessments and how to act upon the outcome of the discoveries.

Share the key findings with stakeholders and look for extraordinary findings.

Plan for security incident simulations and talk to peers in the industry about what’s trending and how certain threats can be contained.

Regular Review Of Policies and Controls

During the review of information security policies, map the actual practices of the organization with the policy guidelines.

When you review and audit a policy you may have to address factors that have emerged newly or discard rules that are not relevant anymore owing to changes in processes.

An audit also helps you identify areas that need stricter enforcement of the cyber security policies.

Ensure policies are up to date and conform with the latest security trends and framework requirements.

With the nature of threats evolving, increased adoption to cloud computing, and regional regulatory compliance being enforced, enterprises are being compelled to review and update their security policies more often.

A systematic and regular review will help in evaluating your company’s security posture and preparedness. Revisit the policy review schedules and alter them where needed.

Pay special attention to encryption and account policies as best practices change more frequently with the relentless change in the cyber security arena.