*1990s movie narrator voice*
“Some say the greatest threat to your company comes from other nations.
Some say the greatest threat to your company comes from within.”
Eden Data pictures presents: Clear and Present Risks (just kidding it’s not a movie, but it would definitely star Harrison Ford). A topic not common to cyber awareness month is a practical reminder for organizations to prioritize present risks before planning for emerging risks.
In a company’s journey to implement the best security program, risk is top of mind. Risk management is integral to how the company coordinates the mitigation and avoidance of risks. A risk assessment plan is the key guide for prioritizing risk across the organization, with ways to mitigate and remediate each one.
Once the risk mitigation plan is in place, here are some important practices security teams can improve on:
- Create a strong culture around risk management: Every employee should feel that they can influence and help maintain the security of the company. This attitude should be conveyed by top management leading by example, which builds that strong risk management culture. People should welcome new ideas and ways of working that reduce risk to the organization.
- Identify appropriate stakeholders: Stakeholders should be identified and should own their areas of responsibility in managing risks. They may include employees, contractors, clients, and vendors. Stakeholders should be aware of current and new risks, and communication with them should be periodic, as needed.
- Communication: Communicating risks throughout the organization is important to achieve buy-in and continuous improvement by stakeholders. Frequent communication creates a culture of openness around the security program, so employees feel welcome to discuss ways to reduce risk with management.
- Clear risk management policy: Employees should be able to read the risk management policy and synthesize its information easily. A clear policy conveys to employees the priority placed on the risk management program.
- Continuously monitor and mitigate current and future risks: Use the risk assessment to define ownership of each risk as well as the risk treatment action plan, with completion timelines. Monitor the progress of treatments, and update the risk assessment upon completion. Review the risk assessment and treatment plan annually, with management approval. Monitor changes in the legal and regulatory environment that affect internal and external risk factors.
Organizations are compelled to think and plan long term to project what the security program needs in order to succeed. Our tip this Cyber Security Awareness Month is simple: clearly understand and mitigate current risks using basic practices before planning for emerging risks.