Pragmatic Risk Management: Your Guide to Mapping Cyber Risks and Prioritizing Optimally

Your Guide to Pragmatic Risk Management

In an increasingly digital world, corporate IT systems and data have never been more indispensable.

Your digital assets are essential for operations, productivity and competitiveness, but they are also potential targets for cyber attacks.

With increasing threats such as data breaches, ransomware attacks and other cyber threats, cybersecurity and risk management are becoming increasingly essential for all businesses, regardless of size or industry.

But where do you start? And which solutions should be prioritized?

This guide will give you an insight into our pragmatic approach to risk management, step by step.

We show you how starting from risk, and from a broad framework, can give you a complete overview of your vulnerabilities and cyber risks.

In this way, you will build a decision-making base that can bring IT and management together to prioritize optimally and thus make the most of your resources.

Step 1: Identification of Critical Assets

When dealing with cybersecurity, it must be remembered that not all assets have equal value. Some are simply more crucial to your business than others.

Therefore, we start by identifying and prioritizing the critical assets, which typically take the form of data and systems.

This step is all about gaining an in-depth understanding of your organization's digital landscape. It involves not only the IT department, but also all other departments in your organization. From sales to HR, accounting to customer service, each department has its own unique role in the digital infrastructure.

With collaboration across your organization, you get a holistic view of your digital assets and the processes that depend on them.

The next step is to classify these assets based on how critical they are to the company.

We divide them into high, medium and low priority. High-priority assets are those assets whose compromise will have direct and serious consequences for your business. Medium- and low-priority assets are less critical, but still important for day-to-day operations.

As you dive into the task of identifying and classifying your critical assets, a new clarity begins to emerge.

You will begin to understand the consequences of a cyber attack for your organization, which provides a marker of where the focus should be to protect and minimize risks.

By starting from risk in this way, you can use your resources more efficiently.

It's a pragmatic exercise in identifying which assets really matter to your business, so you can prioritize protecting the most important thing first.

This is the first milestone on your journey towards minimizing cyber risks via pragmatic risk management, which can shape your cybersecurity strategy going forward.

Critical Asset Identification Example

Here's an example of how a company has identified and prioritized their digital assets.

At first glance, it may seem simplistic and trivial, but it provides a good context to be able to communicate what you are actually protecting with your cybersecurity.

When making decisions with a non-technical management, a simplistic overview can be worth gold.

Step 2: Vulnerability Assessment

Once you have identified and prioritized your most critical assets, the next step is to understand where you are most at risk. This involves a detailed assessment of your vulnerabilities.

A vulnerability can be defined as a weakness in your digital landscape that a hacker can potentially exploit to cause damage.

These vulnerabilities can exist on many levels - from lack of software updates to inadequate employee training.

Clear starting point via the NIST Cybersecurity Framework

Here, we use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess vulnerabilities.

Recognized as an industry standard in cybersecurity, the NIST Cybersecurity Framework provides a structured, systematic approach to finding, classifying, and prioritizing vulnerabilities.

The framework consists of five pillars that divide various cyber competencies according to context and situation:

  • Identify: Identify which assets and processes need to be protected and optimized.
  • Protect: Implement the necessary measures to protect infrastructure and data.
  • Detect: Monitor for incidents and cyber attacks and detect them where they occur.
  • Respond: Have the skills and preparedness ready to respond to incidents and cyber attacks.
  • Recover: Be able to restore data and systems with a complete backup strategy and a restoration plan.

The framework is therefore broad: it ensures that you assess your vulnerabilities all the way from before an attack occurs to how you come back after it has happened.

In this way, you take a holistic starting point for assessing your vulnerabilities, ensuring that nothing is left out.

NIST Cybersecurity Framework as a Visual Tool

We also use the framework as a visual tool to communicate vulnerabilities via a scorecard. However, we have modified the competencies in NIST CSF so that it is adapted to our Danish way of working with IT. It looks like this:

The different layers of the framework bring the otherwise complex discipline of cybersecurity down to eye level, so that people other than IT experts can follow along.

So if you sit with a layman from management, you can stay on the layer with the five pillars and dip into some of the underlying competencies as needed.

In the IT department, you can then go all the way and implement solutions according to the more technical security controls.

This visibility of the company's weaknesses makes the framework an effective tool for providing management with an understanding of the need to prioritize IT security.

But how do you assess your vulnerabilities?

There are 28 competencies to assess in the framework, and for each competence there are a lot of controls and standards to deal with. So it takes some time to get through.

Our method has been to set up a questionnaire framework in which the controls, combined with our own experience, have resulted in over 150 evaluative questions. The answers are assessed and mapped back to a score that provides the visual overview.

In order to have the best conditions to succeed, you should make sure that:

  • Representatives from both IT and management are included in the process to gain the best insight. It also creates greater ownership of the subsequent execution.
  • There is a thorough understanding of what the controls in the framework entail. Without this, evaluation will be almost impossible.
  • The controls have been formulated into relatable issues that can be understood by the surveyed stakeholders. Controls can be cryptic and inconclusive, so use your experience to make it as relatable as possible.

Step 3: Calculating Risk

Now that we've identified our critical assets and assessed our vulnerabilities, it's time to dive into the calculation of risk.

In this phase, we move from a technical analysis to a more qualitative approach, in which we analyze and calculate the risk associated with the identified vulnerabilities.

A basic method of calculating risk is to use a risk matrix. A risk matrix is a tool that helps us quantify risk by assessing two key factors: the probability that a given event will occur and its consequences.

Probability: The first element a risk matrix assesses is the probability that a given event will occur. By considering different threats and their likely frequency, we can get a clear picture of where our attention and resources can most effectively be directed.

Consequence: The second crucial element of a risk matrix is the consequence of the occurrence of an event. It's not just about how likely it is that a threat will materialize, but also about how much damage it can cause. By assessing and ranking various threats in this way, we can ensure that we are fully prepared to deal with the consequences that may arise.

The formula for calculating Risk

Risk = Probability × Consequence

This is the basic formula for calculating risk.

Probability is how likely it is that a particular risk will materialize, while the consequence is the potential harm that will occur if the risk materializes.

By multiplying these two factors together, one can obtain a numerical assessment of risk, which can be used to prioritize different risks and from there assess where resources can best be used to minimize risk exposure.

Our scale looks like this:

  • Low Risk 1-4 (Green)
  • Medium Risk 5-11 (Blue)
  • Critical 12-16 (Red)

Visual example in practice

Risk = 12: Crashes and data leaks due to ransomware attacks

Probability 4: Very high

Consequence 3: High

This multiplies the probability (4) by the consequence (3) to arrive at a risk of 12, which indicates that the risk is at a critical stage and should be prioritized.

By combining the identification of our critical assets, the assessment of our vulnerabilities, and our calculation of risk, we can form a complete picture of the security of the digital landscape.

This is crucial for the next step, which is about managing one's risks and making decisions accordingly.

Step 4: Managing Risks

Once we have a complete overview of our cyber risks, it is time to take a step towards addressing those risks. This is where we make the decisions that will affect our organization both in the short and long term.

Let's take a closer look at the four basic strategies for managing risk:

  1. Avoid risk: This strategy is about eliminating risk entirely. It may be by stopping certain activities that expose us to the risk.
  2. Transfer risk: Transferring the risk means delegating responsibility for the risk to a third party, which could be an insurance provider or a supplier. In this way, another party takes on the responsibility for the risk.
  3. Reduce risk: This is where you step in and try to reduce risk by implementing security measures. The aim is to reduce the risk to an acceptable level. Security measures typically consist of solutions that directly lower either the likelihood or the consequence of a cyber threat.
  4. Accept risk: Sometimes accepting risk can be more cost-effective than expending resources to avoid, transfer, or reduce it. Typically, this strategy is used if the risk is already at a low level. In these cases, it is important to have a clear plan for how to deal with potential consequences, since this strategy means you take no further action.

The choice between these strategies depends on many factors, among them the organization's risk appetite, resource constraints, and organizational priorities. By combining these strategies in an effective way, a comprehensive and pragmatic approach to risk management can be created.

And remember, risk management is not a one-time event, but an ongoing process. This leads us to the final step: Ongoing risk management.

Step 5: Ongoing Risk Management

We have now reviewed the process of identifying, assessing and managing our risks. But risk management is not a one-time event. It is a continuous process that requires continuous maintenance and updating.

So, what does it look like in practice?

  1. Delegate responsibilities and roles: The first step is to ensure that there are clear roles and responsibilities within the organization. It should be clear who is responsible for each risk, who makes the decisions on risk management and who facilitates the execution of the chosen strategy. Specifically, it is a good idea to involve senior leaders and set up regular meetings to create a firm structure.
  2. Make and reconsider decisions: As mentioned earlier, risks can change over time and it is important to adjust our strategies accordingly. It may be that new threats emerge and you have to prioritize differently, or that you have remediated your vulnerabilities and have to adjust your priorities anew. Ongoing risk assessment ensures that we do not overlook new or changed risks and that we are able to adapt our risk management quickly and efficiently.
  3. Dedicate budget to cybersecurity: One of the biggest fallacies in risk management is the failure to allocate the funds needed to follow through on the decisions made. It is crucial to ensure that appropriate financial resources are available to manage risk. This also underlines the value of being able to prioritise correctly, so that you do not bite off more than you can chew and actually reach the target with an appropriate budget.
  4. Updated and accessible forum: It is also important to have a forum where risk management can be discussed and assessed on a regular basis. This can be formal meetings, online discussion platforms, simple Excel sheets, or a combined format. The key is that there is a place where risk management can be discussed in an open and transparent way. In order to create such a forum, it is necessary that the work is documented and that information is constantly collected.

Following these steps will not only ensure that you manage current risks effectively, but also that you become ready to respond quickly and effectively to future challenges.

We hope this guide has given you an in-depth understanding of how pragmatic risk management works in practice. But remember that it's important to work with experts who can guide and support you through this complex process.

At Itavis, we are dedicated to supporting our clients through each stage of the risk management process, whether you need help identifying your critical assets, assessing your organization's vulnerabilities, or outsourcing the entire risk management process. It usually starts with a risk assessment.

Through the following link you can book a session with us, and together we can take the first step towards a safer future for your organization.

With Itavis, your organization is always in safe hands.