While many popular frameworks are known to drive value to organizations seeking to improve their risk management posture, customizing key elements to consider your company’s maturity, culture, strategic priorities and threats is a winning combination.
To develop and deploy an effective cybersecurity framework, the key is to start with a foundational framework and then customize additional elements or components so that it best aligns with your organization.
This piece details how to customize a foundational risk framework to ensure it aligns closely with your organization’s priorities.
Choosing a Risk Management Framework
Developing a risk management framework for your organization is essential for equipping your leadership with the information it needs to make decisions that allow a healthy balance of risk management and innovation. Most organizations start by choosing a foundational framework, such as NIST, ISO or CIS, that best suits their organization both as it is today and where it plans to be in the future.
For example, technology has rapidly become a critical part of how businesses operate and deliver value to their customers. For technology-centric organizations, the NIST framework (with its outcome-based approach) is often quite relevant and a good starting point. On the other hand, ISO is globally recognized and commonly used by organizations that collect sensitive information. It is often required by vendors and can be a good foundation for data-centric organizations.
However, beyond considering these basic criteria, you should take additional steps to ensure the framework you choose is best suited to your organization’s needs.
4 Steps to Risk Framework Customization
As you begin to develop your framework, it is important to consider key foundational components about your company and how they inform the framework that is chosen and how it is used.
1. Focus on the Organization’s Mission Statement
First, become familiar with the company’s vision and mission statements. These are important because they provide insight into what the company aspires to accomplish (vision) and how it plans to work to get there (mission). Understanding what the company aspires to be and plans to do is critical because it will influence the activities of key leaders and their teams. It will also help refine your framework so that it positions leadership to shape well-constructed strategic plans.
For example, Amazon’s mission statement is, “To serve consumers through online and physical stores and focus on selection, price and convenience.” As such, Amazon’s leaders would benefit from having a strong third-party risk management program, structured approaches to pricing and a mature privacy program, in addition to being tuned into customer sentiment.
2. Do a SWOT Analysis
The second step is to create an inventory of your company’s strengths, weaknesses, opportunities and threats (SWOT) to help identify other core areas to focus on.
The SWOT analysis should be performed for key business areas commonly mapped out as front office, back office, technology, compliance, finance and people functions. The results of the exercise often highlight opportunities for focus in the risk framework, including fraud, customer sentiment, product development challenges and noncompliance with rapidly evolving regulations related to privacy or money movement.
3. Assess Your Security Maturity
Next, assess your organization’s level of maturity as it relates to information security. You can do this by interviewing your CISO and information security domain leaders and reviewing incident history trends over the past three years. Partner with the head of your security operations function and review the most recurring incidents and their root causes. For example, supply chain attacks are on the rise, so it’s a good idea to speak with the leader of your third-party risk management function to determine how well vendors are managed.
Based on your findings, use best practices that focus on these areas to supplement the larger framework you end up selecting for your organization. For example, if you find your organization has high third-party risk, it would be great to complement your plan with NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
4. Pay Attention to Culture
Lastly, be mindful of your company’s culture. How are decisions made? How has the business’s relationship with information security evolved? Assess whether your organization tends to operate in environments that are more structured or flexible.
Cybersecurity risk management frameworks tend to be quite similar in what they seek to accomplish, but the methodologies vary. While NIST is known for being flexible, CIS takes a much more prescriptive approach and ISO offers a globally recognized certification and is a good option for more mature organizations.
Tips for Choosing a Risk Framework
Being intentional about the risk framework you choose for your organization is wise. And the key areas outlined above are critical in deciding the approach you’ll take. Remember to:
- Be future-focused: Start with your company’s mission and vision.
- Consider your current posture: Perform a SWOT analysis to determine areas that may need increased focus.
- Reflect on culture and maturity: Both are significant contributing factors to finding the right risk framework fit.