What Is Technology Risk? - RiskLens

Technology (or IT Risk), a subset of Operational Risk: Any risk to information technology or data or applications that negatively impact ... CyberRiskQuantification ChallengesManagingCyberRisk EvolvingRoleofCybersecurity WhyQuantifyCyberRisk? TheFAIR™Standard Solutions ByTopic NIST-CSF+FAIR™ CybersecurityPrioritization&Justification DigitalTransformation Regulatory&Privacy ByRole Board&BusinessExecutives CISOs CIROs CyberRiskAnalysts ByIndustry FinancialServices HealthcarePayers USFederalGovernment Technology&DigitalServices Products&Services FeaturedCapabilities RapidRiskAssessment TopRiskAssessment RiskTreatmentAnalysis Products Packages&Plans Platform Services Training&Certifications FAIR™Training&Certification RiskLensTraining&Certification Resources Blog Events/Webinars CaseStudies eBooks Whitepapers Videos Company WhyRiskLens RiskLensFAIREnterpriseModel™ MeettheTeam Careers Partners News RequestaDemo CyberRiskQuantification ChallengesManagingCyberRisk EvolvingRoleofCybersecurity WhyQuantifyCyberRisk? TheFAIR™Standard Solutions ByTopic NIST-CSF+FAIR™ CybersecurityPrioritization&Justification DigitalTransformation Regulatory&Privacy ByRole Board&BusinessExecutives CISOs CIROs CyberRiskAnalysts ByIndustry FinancialServices HealthcarePayers USFederalGovernment Technology&DigitalServices Products&Services FeaturedCapabilities RapidRiskAssessment TopRiskAssessment RiskTreatmentAnalysis Products Packages&Plans Platform Services Training&Certifications FAIR™Training&Certification RiskLensTraining&Certification Resources Blog Events/Webinars CaseStudies eBooks Whitepapers Videos Company WhyRiskLens RiskLensFAIREnterpriseModel™ MeettheTeam Careers Partners News RequestaDemo Blog | Post WhatIsTechnologyRisk? June16,2021  RiskLensStaff Guides&Tips Share: WhatIsTechnologyRisk? Technologyrisk,ITrisk,cyberrisk–what’sthedifferenceamongthesecommonlyusedterms,andistherereallyadistinctioninatimeofdigitaltransformation? Generally,riskmanagementhaslookedattheworldofriskwiththishierarchy: OperationalRisk:Anyeventthataffectstheorganization’sabilitytooperate Technology(orITRisk),asubsetofOperationalRisk:Anyrisktoinformationtechnologyordataorapplicationsthatnegativelyimpactbusinessoperations.Thiscouldcoverarangeofscenarios,includingsoftwarefailuresorapoweroutage. CyberRisk,asubsetofTechnologyRisk:Losseventscenariosstrictlywithinthecyberrealm,suchasphishing,malware,databreach.  Ifitsoundslikethere’slotofroomforcrossoverinthesedefinitions,that’sright.GartnerhassuccessfullyadvocatedforIntegratedRiskManagement(IRM)thattakes“acomprehensiveviewacrossallbusinessunitsandriskandcompliancefunctions,aswellaskeybusinesspartners,suppliersandoutsourcedentities.”InGartner’sview,riskmanagementisacontinuum,asshowninthisgraphic,drivingtowardDigitalRiskManagement(DRM,ontheleft),asbusinessprocessesallbecomedigitalinonewayoranother. DefiningTechnologyRiskinFAIRTerms FactorAnalysisofInformationRisk(FAIR™)isthestandardforquantificationofcyberandtechnologyriskinfinancialtermstoenablejustification,prioritization,andcommunicationofsecurityinvestmentswithinanorganization.  InFAIRterms,riskisdefinedasthe ProbableFrequencyandProbableMagnitudeofFutureLoss  ThestartingpointforFAIRquantitativeanalysisisariskscenarioorriskstatementthataddressesatechnologyproblemthebusinessneedstosolve.Theformatis: "[ThreatActor]impacts[Confidentiality,Integrity,Availability]of[anAsset]via[SomeMethod]" Forexample: “Analyzetheriskassociatedwithanexternalthreatactorestablishingafootholdonthenetworkthroughatrustedsecurityvendor’sapplication(e.g.SolarWinds)resultinginabreachofsensitivedatainourcrownjewelasset.”  TheFAIRstandardshowsthewaytobreakthescenariodownintofactorstoquantifytheprobablefrequencyandimpactofsuchanevent,basedontheorganization’sexperienceorindustrydata.  TheFAIRmodelishighlyflexible,andstillvalidwithlesscyber-centricscenarios.  TryitNOWatnocost:OurFreeIndustryCybersecurityReportdemonstratesthepotentialfinancialcostofkeynegativecybersecurityeventslikeransomware,insidererrorandmorewithjustafewsimpleinputs.  AdditionalResources InthisRiskLenscasestudy,afurnituremanufacturerwantedtodetermineifitshouldkeeppayingtheannualsubscriptionfeeforsupportfromthetechnologyvendorforitsorderfulfillmentsystemorbringthemaintenanceofthesystemin-house. Ifanemployeemisconfiguredthesystem,whatwouldthataccidentcosttheorganizationintermsoflostsales,responsecosts,orotherimpacts?Howwouldthatcomparewiththeongoingsubscriptioncost? Scenario:“Analyzetheriskassociatedwithanon-maliciousprivilegedinsiderimpactingtheavailabilityoftheorderfulfillmentsystemviaamisconfigurationresultinginasuspensionoffulfillment.” QuantifiedriskanalysisontheRiskLensplatformbasedonFAIRshowedthatstayingwiththesubscriptionservicewouldshortenresponsetimetoanoutage,reducingtheimpacttoalevelthatjustifiedthe$1millionannualinvestment. Learnquantitativecyberriskanalysis,enhanceyourcareerinriskmanagementwithFAIRtrainingfromtheRiskLensAcademy. WhatIsanITRiskAssessment? Riskanalysisandriskassessmentaretwomoretermsthatoftenusedinterchangeablybutwithanimportantdistinction.Whileariskanalysismightlookatasinglescenario,ariskassessmentgivesabroaderlookatriskacrossscenariostosupportbusinessdecision-making,particularlytojustify,prioritizeandcommunicatesecurityinvestments.TypesoftechnologyorITriskassessmentsinclude: RapidRiskAssessment:Runaquickseriesofriskanalysestoaggregateandcompareoutcomes,forinstancetoprioritizetoprisksforresponsebasedonlossexposureindollarterms. LearnaboutRapidRiskAssessmentontheRiskLensplatform. AggregateRiskAssessment:Understandandquantifytheorganization’stotalprobablelossexposureforinformationtechnology.Gaingranularinsightsbylookingacrossscenariostospotwhichthreatcommunitiesorassettypesposethegreatestrisktotheorganization,orwhichbusinessunitscarrythemostlostexposure,relevantinsightforaCISO(chiefinformationsecurityofficer)decidingonhowandwheretotargetdefenses.  Tofullysupportbusinessdecisions,riskassessmentsshouldbepresentedwithrisktreatmentoptionsfortherisksidentified.  Arisktreatmentanalysis Establishesabaselineoflossexposurefromthecurrentsituation Runs“what-if”scenariostocomparetheriskreduction(infinancialterms)fromthecurrentstatethatalternateproposedcontrolsprocesschangescouldachieve. Mayincludeacost/benefitorreturn-on-investment(ROI)analysiscomparingthecostofnewsecurityinvestmentstotheireffectonriskreduction.  Webinar:LearnaboutRiskLensRiskTreatmentAnalysisforCost-EffectiveDecision-Making  WhatIsITorInformationTechnologyRiskManagement? Riskmanagementisacomprehensiveprocessthatrequiresorganizationsto:(i)framerisk(i.e.,establishthecontextforrisk-baseddecisions);(ii)assessrisk;(iii)respondtoriskoncedetermined;and(iv)monitorriskonanongoingbasisusingeffectiveorganizationalcommunicationsandafeedbackloopforcontinuousimprovementintherisk-relatedactivitiesoforganizations.  --NationalInstituteofStandardsandTechnology(NIST)SpecialPublication800-39:ManagingInformationSecurityRisk AsNISTadvises,thefirststepinriskmanagementisto“frame”risk,inotherwordsestablishacommonterminologyandmeasurementsystem–ideallyonebasedonastandardsuchasFAIRthatnormalizesriskvocabulary--andonquantitativeanalysisthatmeasuresriskinthefinancialtermsusedtocommunicateacrosstheenterprise,alsotheoutputofFAIRanalysis.Withrisktreatmentanalysis,organizationcanalso“respond”and,withongoingriskassessments,“monitor”throughariskdashboard. CompliancewithITRiskManagementFrameworks  Manyorganizationsmakeinformationriskmanagementalessthan“comprehensive”processbyfocusingoncompliancewithframeworks–treatingpublicationslikeNIST800-39thatrecommendvarioussecuritypracticesorcontrolsaschecklists,ontheassumptionthatthemorecontrolsimplemented,thelowertherisk.Withoutquantitativeriskmeasurement,however,that’sanunprovableassumption.  Theframeworksaregoodfoundationalguidesforasecurityprogram.Buttheirstrictlytechnicalapproachtocybersecuritycan’tbefullyalignedwithbusinessneeds,suchasdeterminingsecurityinvestmentsorcommunicatingtheneedforbudgettothebusinessbasedonROI. TypesofRiskManagementFrameworks  ControlFrameworks >>TheSANSCISControlsisabasiclistofcybersecuritycontrolsthatshouldmitigate80%ofattacks.NIST800-53isanextensivelistofcontrolsthat,practicallyspeaking,noorganizationwouldeverimplementinentirety.  Note:FAIRisincludedinthe SANSCISControlsposter aspartoftheFiveKeysforBuildingaCybersecurityProgram. ProgramFrameworks >>ISO27001bringsinbusinessrequirementstoacontrolslistbutdoesn’tprescribeaspecificapproachtoanalyzingrisk.ThepopularNISTCSFmapsspecificcontrolstoeachcybersecurityfunctionforagoodtechnicaloverviewofariskmanagementprogram. Note:TheNISTCSFincludesFAIRasan“informativereference”amongitsrecommendedcontrolsandprocesses. Neitherthecontrolsframeworksnortheprogramframeworkscananswerthebasicquestionsforbusinessdecision-making,suchas“ifweinvestinonesecuritycontroloranother,howmuchlessriskwillwehave?”FAIRcomplementstheframeworksbyprovidingthemissingquantitativeriskanalysis.  TechnologyRisk,BusinessContinuityPlanningandResilience  Largeorganizationsoftencreateabusinessimpactanalysisstatement(BIA)tounderstandthelinksbetweenprocessesthatdrivethebusiness,andtheprobableoutcomesofoutagesduetoman-madeornaturaleventsthatmightsignificantlyinterruptoperations.Forinformationtechnology,thatmeansbusinesscontinuityplansshouldprioritizeITresourcestominimizetheeffectofanoutageonthebusiness.Typicaloff-the-shelfBIAs,however,sharethefaultofothernon-quantitativeriskassessments–theycan’tcommunicateriskinbusinessterms.Learnhowoneorganizationraisedtheirgameonbusinessimpactanalysis: CaseStudy:HealthcareSupplierUsesRiskLenstoIdentifyBestBusinessContinuityStrategy Ransomware:WhereCyberRisk,TechnologyRisk,OperationalRiskandEnterpriseRiskConverge TherecentransomwareattacksonColonialPipeline,thefueldistributor,andJBSUSA,themeatpacker,twoownersofcriticalinfrastructure,quicklyjumpedtheincreasinglyirrelevantlinesamongriskdisciplines.  IntheColonialPipelinecase,thecompanychosetoshutdownfuelshipmentafterransomwarehittheirbusinesssystems.DetailsfortheJBSUSAcasearen’tyetclear—whethertheransomwarepenetratedtotheiroperationalsystems,orthecompanyalsohaltedproductionlinesoutofcaution.  Eitherway,acyberriskquicklyescalatedthroughtechnologyrisktooperationalriskandultimatelyarisktotheenterprise,potentiallyinmaterialimpactonthebottomlineandcertainlyreputationandperhapslegalandregulatoryimpact. TheNationalInstituteofStandardsandTechnologyrecentlyreleasedIntegratingCybersecurityandEnterpriseRiskManagement (NISTIR8286)toadviseorganizationsondealingwiththisnewriskreality. ThepublicationcalledoutFAIR,asarecommendedtoolto“betterprioritizerisksorpreparemoreaccurateriskexposureforecasts”inariskregister.NISTIR8286alsoendorsedmanyofthestandardpracticesofFAIRanalysis,includingriskprioritization,riskscenariomodeling,MonteCarlosimulations,and,ofcourse,quantificationofcyberriskinfinancialterms. Learnquantitativecyberriskanalysis,enhanceyourcareerinriskmanagementwithFAIRtrainingfromtheRiskLensAcademy. Share: Stayup-to-datewiththelatestinsightsandblogpostsfromRiskLens. RecentBlogPosts ViewAllBlogPosts What'sRiskManagementMaturity? Guides&Tips ReadMore BuildorBuyanApplicationtoRunFAIRCyberRiskQuantification? Guides&Tips|IndustryInsights ReadMore HowtoHelpYourCFOTakeOutCostWhileOptimizingYourCybersecurityStrategy Guides&Tips|IndustryInsights ReadMore