Understand, Manage, and Measure Cyber Risk by Ryan Leirvik

Author: Ryan Leirvik
Language: eng
Format: epub, pdf


CHAPTER 5

Manage the Problem

Introduction

With the core problem understood, establishing and managing a cyber risk program becomes far more focused and effective. Bring management into focus with a known framework (as a guide, not a solution), structure the management approach in accordance with the program, and set a review cadence to ensure your management approach remains relevant.

With time invested in exploring and categorizing crucial organizational assets and a crisp cybersecurity goal articulated, the problem being solved is, at the very least, understood: cybersecurity risk to critical assets. Now, managing[1] that cybersecurity risk has a better chance for success than managing without a clear understanding of the problem.

Organizations can certainly struggle with even the most basic steps in starting a cybersecurity risk management program. There is pressure from the oversight level to demonstrate and articulate how the risk is being addressed. There is pressure from the executive level to demonstrate a clear mitigation strategy for the cybersecurity risks known within the organization. There is pressure from the top management level to prioritize, resource, and complete planned initiatives. There is pressure from the middle management level to demonstrate clear progress on stated goals. There is pressure from all levels of engineering to get the problem solved appropriately (i.e., not just for the satisfaction of executives or managers). There is pressure from within to discover and prevent what an attacker may target next. The one typically saddled with this pressure?

The chief information security officer.

[1] Keep in mind that managing the risk provides a clear path for measuring the successful management of cybersecurity risk as well, since the "what you are measuring" needs to be clear before measuring. Successful management relies heavily on feedback metrics, so the next chapter covers the specifics on "how to measure."

© Ryan Leirvik 2023

R. Leirvik, Understand, Manage, and Measure Cyber Risk, https://doi.org/10.1007/978-1-4842-9319-5_5

The simple fact that cybersecurity is still fairly new, and examples of how best to manage it are also new, exacerbates this pressure. Each of the levels mentioned earlier can have varying degrees of experience with successful cybersecurity programs. As experience progresses, so does the understanding of the problem and of the relevant programs that help. This means that the best practice for managing an overall cybersecurity program has not yet been established. Each person at each level offers differing insights into how best to solve the problem the way they understand it. This is typically where management approaches clash and where the added pressure of politics enters: which particular party of ideas is the one not to upset?[2]

The starting point here is to focus on the overall program before jumping into managing each risk or each category of risks. Some simple rules exist when it comes to establishing a program:

• Focus on one framework to start.

• Structure the management approach along the program framework.

• Set a review frequency for the overall program.

• Prepare to respond to and recover from an event, as part of the program.

[2] Arguably, in faultless organizations, the solution that best solves the problem is the focus, reducing the need to consider the swaying influence of those who have achieved power within the organization.
