…But I am suggesting security professionals replace spreadsheets with a better way - I've been the caveman to the right for too long.
When managing security risks three things are important:
Keep it simple – and help your organisation understand the “why” through involvement
Link risks to mitigating measures. Keep it simple and scalable, and
Put effort into implementing those measures. This is where you add value and reduce risk
We are trying to give security professionals an updated overview across multiple sites and allow you to involve the organisation (back to the “why”) by delegating and measuring on the implementation of measures in one single platform. If you are curious about how we do that please contact us for a demo at www.humanrisks.com or send me a message.
Lucky for us, not all say “No thanks!” One of our customers - a major player in the food industry with sites in most parts of the world – said this about Human Risks in a recent interview:
» Human Risks enables us to decentralise the security risk management process, which helps us empower local management to take ownership. It increases the effect of what we are doing and reduces our costs substantially.
There is - for many good reasons - much talk about cybersecurity and if you are not an expert (which I am certainly not - but I have skilled people helping me with this) it can be difficult to navigate the jungle of technical terms and assess the vulnerabilities and level of risk in what is a multi-billion ($) industry.
In our company information security is something we take extremely serious since our product and only distribution channel is online, which is why protecting our customers' data is embedded in everything we do - the life of our company depends on it.
Without getting too deep into technical jargon the protection of data in Software as a Service is primarily centred around three entities and the connections between them; 1) the hosting environment, 2) the vendor's internal set-up and 3) the end-users’ IT-environment.
If your SaaS-vendor is using one of the top two or three hosting partners you are sure they adhere to the most rigorous security requirements on hosting but you should also explore if:
APIs and connections are encrypted (AES 256)
all databases are encrypted and decrypted in real time
how often backups are done
a redundant set-up/offsite replica (a secondary mirroring of the data, which can take over if the first goes down) is in place, which is not given unless your vendor specifically has chosen that solution (and pays for it)
the vendor’s own access to the production database is limited i.e. to on-premise IP-numbers to ensure that access to the most vulnerable point is restricted and that both the digital and physical access to computers are managed carefully.
One element that is out of the vendor’s control is the customer’s behaviour and systems. The UK Government provides us with good advice on 5 actionable cybersecurity controls provided by The National Cyber Security Centre.
The two-factor authentication mentioned in advice number 2 is an effective way to close a gap where the vulnerability of the user potentially can have big (read: extreme) impact. You probably know it from payment systems where you have to receive a code on your mobile device before being able to complete a transfer.
At Human Risks, we have implemented two-factor authentication free of charge for our customers to use so that we are as certain as we possibly can be that it is the right person with the right authorisation to log in to our platform. With two-factor authentication, we have reduced the risk of negligent password behaviour being exploited substantially and closed a potential vulnerability on our customers’ side.
Any important points about the vulnerabilities of SaaS and how to mitigate them I have left out? If so - don't hesitate to comment.
If you are interested you can download our IT Security White Paper here...
Mitigating measures that support the objective
Security risk management is ultimately about prioritising available resources. All the hoops security professionals go through to assess threats, vulnerabilities and risk levels are at the end of the day for them to be able to single out what threats should be countered by which measures in which order.
It is a very positive tendency that the security risk management community increasingly has been focusing on "enabling". An attempt to ensure that one's own effort is in line with the organisation's strategy and objectives and that you support and strengthen rather than limit. In other words, the security manager can go from being the "naysayer" to saying "yes we can do that - if..." and even add competitive edge through how security risks are managed; the footprint you leave, the international standards you comply with, the ability to integrate with your customers' organisations (how can we add value to our customers' customers?) or the information you are able to deliver - the possibilities to enable and strengthen the organisation are many.
That is why two of my areas of focus has always been to:
1) involve relevant stakeholders (get inspiration on the "how" with the power-interest grid by Eden & Ackerman, 1998) in security risk management, even though it takes time and you have to accept that you will not look as efficient to sr. management as you could - in the long run, you'll have a much greater impact. Remember that "effect = involvement x quality" and if you have to change how people work - involvement is key.
2) prioritize implementing the mitigating measures you have evaluated as worthwhile during in the security risk assessments. It is a trap to get deeply fascinated by the colours of your heat maps and details of your risk register that you tend to forget what it's all about - implementing measures that impact the level of risk your colleagues (& customers?) are facing. It is the basic discipline in business "Project Management" that will change things "where the metal meets the meat" or in business language - where you meet your customers' needs.
To keep it short; put effort into identifying and implementing the mitigating measures that support your organisation and prioritise the involvement of relevant stakeholders.
The author is the CEO & Founder of "Human Risks" - an online platform for security risk management where identification of mitigating measures, management and involvement is in focus. Read more on www.humanrisks.com
OK - the list is just some of the observations I have made and is of course not complete - but hey what don't you do for a catchy headline?
These are some of the positive (side) effects that I have seen come from implementing a structured approach to managing risks:
Awareness - The increase in awareness you can create internally in an organisation is the most important gain. People start discussing what makes a threat and how dangerous it really is (risk). How the organisation's objectives are tied to potential risks and how managing them can either allow them to reach their objectives or even gain competitive advantage by doing so. Awareness is still one of the most important factors if you want to manage risks because it all comes down to affecting human behaviour and when people gain an understanding of potential risks based on facts and feel they are heard and involved in a "bottom up"-approach they are much more likely to adapt their behaviour and embrace "corporate policies" because they are partly their own.
Resources - Mapping potential risks and discussing which to counter to which degree is basically a discussion about prioritising resources. The process gives organisations a clear picture of what is at stake both in terms of impact (people-assets-reputation) financially and in terms of business strategy, which allows them to make informed decisions on what risks to take and how to mitigate them. The decisions should be compared to the objectives of the business and either support reaching them or setting new ones.
Focus - When you are making an effort to know your current and emerging risks and how to handle them it gives a calm and overview that allows the organisation to focus on their key objectives - delivering the services and products to their customers, which to my best knowledge risk management is all about supporting!
What are your experiences? Any points I have blatantly left out? (Read the comments on LinkedIn)