Cybersecurity Risk Management: Best Practices & Frameworks
Learn about the key concepts and processes of cybersecurity risk management, including identifying high-value assets, aligning with industry best practices, and implementing controls to protect confidentiality, integrity, and availability of information assets.
Get Started With Drata
Cybersecurity is a buzzword that can mean different things to different people. Effective risk management, however, requires understanding cybersecurity and establishing the right scope and holistic problem-solving approach.
Where should a company start addressing its cybersecurity risks? What are the boundaries and objectives? What elements are under the organization’s control?
This article examines cybersecurity risk management, decomposing the concept into processes, steps, approaches, and tools that companies can use to integrate cybersecurity into their risk management frameworks.
Concept | Summary |
Security principles: confidentiality, integrity, and availability (CIA) | Understanding cybersecurity boundaries and the applicable risks and controls aids in scoping risk management. |
Identifying high-value assets | Critical assets hold the highest value for your organization—as well as for threat actors. |
Aligning with industry best practices and cybersecurity frameworks | Use off-the-shelf standards and tailor them to your environment to manage and mitigate cybersecurity risks. |
Learning threat modeling | Methodologies such as STRIDE identify attack patterns to determine concrete cybersecurity risks and appropriate controls. |
Performing vulnerability assessments | Knowing where vulnerabilities reside across your environment enables security teams to implement risk-based prioritization strategies when approaching remediation. |
Implementing controls | Cybersecurity controls address various risks and include access management, network security, secure configurations, and logging and monitoring. |
Accepting certain risks | Cybersecurity risks should trigger a risk response per the organization's risk management framework. Sometimes, this response will be "acceptance." Document the decision and monitor the risk continuously. |
Keeping up with regulations | Yes, regulations are catching up! Jurisdictions are starting to harmonize the approaches to cybersecurity in both the private and public sectors. |
Blending in automation and compliance | How about having automated evidence collection or centralized cybersecurity requirements? It’s all possible. |
Two short, official definitions are:
“The process of protecting information by preventing, detecting, and responding to attacks” and “the ability to protect or defend the use of cyberspace from cyber attacks.”
When considering terms like “cybersecurity,” “information security,” “IT security,” or (more recently) “digital trust,” recognize that they are often used interchangeably, and there are even strong debates on which term is most correct. Terminology aside, it boils down to securing an organization’s information assets.
In this context, “CIA” describes the three main attributes of information security: confidentiality, integrity, and availability. These attributes must be protected at all times. For example, sensitive information sent to the wrong recipient could mean a breach of confidentiality. A financial report modified without authorization impacts integrity. System downtime is essentially the loss of availability.
Cybersecurity risk management, along with its related controls, is built around this concept.
A company’s “crown jewels” are its most valuable assets, and these days, the “criticality crown”, or the highest value, is typically taken by information. Information assets can encompass endpoints (laptops, mobile phones, office equipment, storage media), cloud software and services, networks, third parties, and anything else that needs a network connection to support business and its operations.
Building a comprehensive cybersecurity strategy would be of little value for a small business offering local warehouse storage for furniture pieces, for example. Some physical security measures may be deemed sufficient in this case. However, most businesses cannot operate without information assets.
Information assets are not just business applications but operational tools, network components, databases, and even physical assets such as cables, Wi-Fi access points, CCTV devices, and so on. Even if most of these are outsourced, the company is still accountable for securing the data processed through them, and any materialized risk can be reflected in financial, reputational, and operational losses.
Almost every risk nowadays has a “cyber” angle. A company that understands how heavily it relies on information must identify its most critical information to determine how the risks will be managed.
When dealing with risks of any kind, it’s a great idea to utilize relevant frameworks, which are created with the help of security practitioners who understand the discipline. Fortunately, there are a few solid frameworks for cybersecurity, and you should utilize the ones that best suit your company’s needs and are widely recognized and trusted. Here are a few good references.
NIST’s CSF acts as a parent framework for other topic-specific standards. Currently at version 2.0 (with a major update published in 2024), CSF is suitable for companies of all sizes, both public and private. Risk managers and security practitioners worldwide use it to manage and reduce cybersecurity risks.
Another up-to-date standard, ISO 27001:2022 is a pillar for helping an organization build its information security management system (ISMS). With 10 clauses and 93 controls available in the connected document, along with guidelines for their implementation, ISO 27002:2022 lets companies confidently build their cyber-defense programs.
An ISO 27001 certification is also possible, demonstrating an organization’s commitment to information security and risk management to customers, regulators, and other stakeholders.
The Cloud Security Alliance has a comprehensive list of controls that companies can use as a basis for their third-party engagements and for conducting due diligence. These controls cover all areas that could be managed in a relationship with a cloud provider, agnostic of the service model.
Companies can use the CCM to define requirements for their cloud service providers (CSPs) in the areas of access control, data center security, virtualization, integration and portability, vulnerability management, cryptographic keys, and much more.
Other frameworks that are well worth considering are:
AICPA’s System and Organization Controls (SOC) 2: A SOC 2 attestation is the most popular reflection of the security posture of service organizations. Extensively requested by their clients and prospects, a SOC 2 Type II report demonstrates the effectiveness of security controls over a period of time.
CIS Benchmarks: These are utilized for secure equipment configuration. Information and Communication Technology (ICT) staff have used the CIS benchmarks for years to ensure secure configurations for equipment manufactured by various vendors.
Today, a company can own thousands of assets with different criticalities, levels of exposure to the internet, and degrees of appeal to threat actors. This makes up a generous attack surface for malicious individuals who are relentlessly performing reconnaissance activities, scanning companies for open ports or other vulnerabilities that can be exploited.
One of the first steps in managing risks for a new or existing company asset is to run a threat modeling exercise. A few known methodologies exist for this, namely STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges), DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability), and PASTA (Process for Attack Simulation & Threat Analysis). The objective is to understand how the asset might be attacked in order to determine the most suitable cybersecurity controls.
A straightforward example: By running a STRIDE threat modeling exercise, it is determined that information sent in plaintext between a new system (asset) and an existing system is subject to the cybersecurity threats of “Tampering” and “Information disclosure” through known attack methods such as man-in-the-middle, sniffing and eavesdropping. As a protection measure to address this risk, end-to-end encryption (security control) is implemented.
New assets should undergo vulnerability assessments before integrating them into the company’s environment. Existing company assets should be subject to regular vulnerability assessments.
A common form of assessment utilized in this stage is penetration testing. An internal, external, or mixed group of specialized (and approved) individuals attempts to circumvent the existing controls of the asset (an application, for example). The objective is to identify vulnerabilities, verify them through non-intrusive exploits, and document the impact and recommended remediation steps. Conclusions are issued in a report, vulnerabilities are described and rated, and recommendations are made to address the identified risks.
Penetration testing is a complex effort that cannot always be conducted on every asset due to operational risks, a large asset inventory, or budget constraints. Still, it’s strongly recommended, and it’s required in some regulations (e.g., the most critical/systemic assets in financial institutions).
Here are some other means of assessing vulnerabilities (which are not only narrowed down to technical ones):
Red Teaming: Similar to penetration testing but subject to a longer engagement, the designed group attempts to break through a set of controls in order to access specific systems and their data and further assess what damage can be done. Can they exfiltrate data? Can they reach other parts of the network?
Vulnerability scans: Automated tools exist to run regular vulnerability scans on systems and networks and identify new vulnerabilities (for instance, on outdated and unpatched versions of a software product).
Security attestation: Software products can be evaluated against the “Common Criteria,” a framework used to attest that certain security features have been embedded in the respective product.
Third-party audits: A vendor’s security posture can be assessed by the client company or an external auditor. Often, a SOC 2 Type II report and/or another recent security audit report are required to verify any findings that might concern the contracting organization. If, for example, the report identified that access recertification was not conducted for over 12 months, this can indicate that the security hygiene is not solid and that your data might end up in unauthorized hands.
Companies can implement plenty of safeguards to take control of their environments before risks materialize. Controls, or countermeasures, suggested by various frameworks can be tailored to the specifics of any environment.
It is up to the staff involved in risk management, security, IT, and other SMEs, in agreement with business owners, to select the suitable controls to address identified risks. Here are some high-level examples.
Risk | Controls |
Unauthorized access | Access control, identity management, segregation of duties, secure authentication, access recertification, privileged access rights monitoring, etc. |
Data breach | Data leakage prevention, encryption, rules for information transfer, pre-approved communication tools, data masking, etc. |
Cybersecurity attack (denial of service, ransomware) | Regular backups, capacity management, network security, incident management detection and response, disaster recovery planning, etc. |
Software misconfiguration | Change control, secure development lifecycle, secure engineering. |
Third-party compromise | Third-party due diligence process, key contractual provisions, continuous monitoring, right to audit. |
Controls should be tested at established intervals, especially those addressing critical risks. For instance, it is a good idea to test more frequently whether network logging and monitoring processes work as expected rather than routinely verifying whether the latest update of a company policy was more than 12 months ago.
As discussed above, cybersecurity starts with identifying what needs protecting and then running risk assessments through threat modeling and penetration tests. The results of these assessments should always have a risk response, whether that’s mitigation with controls or temporary acceptance.
Acceptance should be owned at the highest relevant level in the company. However, this should always be a well-informed decision. If, for example, it has been identified that a prospective third party does not have a great security posture, but the owner of the business line is still willing to enter a contractual agreement, the risks of cybersecurity compromise should be clearly laid out for the owner before accepting that risk.
Risk acceptance should always be in accordance with the company’s risk management framework and risk tolerance. No matter the decision, cybersecurity risks, like any risks, should be monitored regularly, both internally and through third parties.
Cybersecurity is high on the agendas of major jurisdictions. This indicates broad agreement that cybersecurity is no longer a topic to be managed by IT teams in isolation but needs high visibility and a tone set from the top to be handled as an integral part of a company’s objectives.
From this perspective, there has been a lot of activity across the EU. In 2023, Markets in Crypto-Assets Regulation (MiCA) and Digital Operational Resilience Act (DORA) came into force. The NIS2 Directive—a directive on measures for a high common level of cybersecurity across the Union—was published in the same year. In 2024, the Cybersecurity Act and the Artificial Intelligence Act were published.
The US can list various acts, such as the Federal Information Security Modernization Act (FISMA) of 2012 (pending updates), the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (updated in 2023), and Gramm-Leach-Bliley Act (updated in 2023).
It’s safe to say that, no matter the jurisdiction, regulators will want to see that companies know their assets and associated cybersecurity risks and are taking steps to decrease the chance of them materializing.
What is special about cybersecurity risks is their interdependency with almost all other types of risks, such as outsourcing, infrastructure, business continuity, architecture, and many more. Thus, any deficiency in one of these areas can bleed into another.
Risk management frameworks and regulations also overlap, making it challenging to map requirements and ascertain where exactly the compliance gaps are. Tracking risks and controls, conducting regular and ad hoc assessments, and running control tests add to the complexity of maintaining a centralized cybersecurity overview.
For these reasons, it is encouraged to simplify compliance with the help of governance, risk, and compliance (GRC) tooling. Using compliance platforms like Drata to manage risk enables simplified workflows and accurate asset, risk, and control inventories and leads to streamlined governance.
Automation and cybersecurity are now inseparable. Extending process automation into risk management is a logical step in ensuring that precious time is dedicated to strategic improvements in this realm while controls are running, assessments are triggered, and frameworks are mapped all in one tool.
The right way of implementing a cybersecurity strategy depends on your organization’s size, objectives, environment, risk appetite, and many other considerations discussed in this article. It's up to your team to decide whether cybersecurity risks should be accounted for in the overall risk management strategy or have a dedicated and adequately resourced program.
Keep Reading
Take Your Learning Further
Discover research, guides, templates, and other resources on risk management.
