How can we more accurately measure risk?

Vice President of Information and Security in Manufacturing, 5 years ago

We can only accurately measure risk through technology and skillset. Without the two we can never truly measure the risk.

CISO, 5 years ago

We did start to do some work this year in looking at CIS controls. So we really started with a NIST framework and now we're adding on CIS controls to give us another layer of depth and looking to measure ourselves against that, with a signal level of maturity. We use CIS controls as the base, which have a ton of hygiene measurements in them, to give us an idea of where we've got that residual risk and what we do about it: do we educate everyone, help them understand it and accept it, or do we put initiatives in place to make that gap smaller?

CIS measures if you have an inventory of all your things, and then it measures how you're doing against even things like patching. Do you have certain security gaps open or closed? It's very specific even down into the technology. Then understanding if that control is fully effective or partially effective. With partial, obviously you have residual risk. 

After the team got that base model in place, now you have a database full of exceptions. We've accepted these risks, but we have just instituted that you cannot file an exception without a mitigation associated with it—something that says, “I'm going to make this risk less because I'm going to do these three things, whatever it is.” The value of that exception is not just a minus one. It might be now a minus one-half, because you have it half covered by some other mitigation. But you've got to figure out the effectiveness of each mitigation, because it may completely cancel out the exception. 

You may be granting an exception on a very specific thing where a mitigation completely cancels out the risk for you, because you've basically done an entire work around so that somebody can't get through, because there's no attack vector anymore. You put MFA in front of something, and put it behind a firewall—it's incredibly hard for someone to get in and exploit that. So that's what I've challenged the team with next. Now that you've got the, “I see it in this many places, and I see it missing in this many places,” now go challenge where you have exceptions. Understand your mitigations, to see if those are really minus ones or they're minus less-than-ones to bring that into the mathematical model. So that you really can either say, “we have the right amount of risk,” or, “we have less risks than we expected, which means that maybe we can spend more time on something with higher risk or an area that needs more attention.”

Director in Consumer Goods, 5 years ago

It's a really hard thing. I think every company struggles with how to really measure true residual risk. One of the things that I keep struggling with is that we try to measure everything equally, and I don't think we can do that. You've got to look at the really critical components of your business, and I think you're going to come up with a different measure based on that criticality. If I go back to earlier days, I think about what the real key components were to keep that revenue stream going. What were the real key components to have the most impact for the patients and the people that really were dependent on us? Those were the things that we needed to focus on, and I think we did a good job at doing that. I think every company has to really figure out, “what is that?” When I was at my last company, one of the big things that we really tried to focus on is that it wasn't equal across the board. We really had to go in and look at where those critical business operations were. We really did a lot of focus on that. The maturity of the program was fairly low, so in order for us to be successful, that really required us to have a different approach. But I think the same thing applies when you're thinking about residual risk. I think we as an industry really have to come up with better ways because the executives really need to understand what that is. It's a hard thing to come up with.

2 Replies
no title, 5 years ago

Did you weigh those to be able to show the difference from one control to another, that one control was more important or weightier than another? Did you weigh them, or did you order them in a priority to say, “we focused on these things first,” based on a risk appetite or something like that?

no title, 5 years ago

That's really what we did: take the controls that we felt were really critical to that. In going back to looking at the different business operations, that's where I think organizations really mess up, because you try to take, let's say for patient portal access, well, you've got a certain set of controls that are going to be really important on that particular operation. It doesn't mean that those same controls are going to be top priority on another set of operations, because you've got a whole different set of risks over here. So you've really got to look at those risks based on that operation and what controls you have in place, then you get the residual risk. That's a really hard concept for people to really understand. But to me that was key to explaining it to the executives.
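A worked scoring sketch of the model described in this thread (the CISO's "exception is not just a minus one once you count its mitigations" arithmetic, and the criticality weighting per business operation from the reply above), added here as an illustration and not code from any of the commenters; every control name, place count, criticality weight and effectiveness value is constructed.

```python
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple

@dataclass
class RiskException:
    """An accepted gap in one place plus the 0..1 effectiveness of each filed mitigation."""
    reason: str
    mitigations: List[float] = field(default_factory=list)

    def residual(self) -> float:
        # No mitigations -> a full "minus one"; independent ones combine as 1 - prod(1 - e).
        covered = 1.0 - prod(1.0 - e for e in self.mitigations)
        return round(1.0 - covered, 6)  # 1.0 = uncovered, 0.0 = cancelled out

@dataclass
class Control:
    """One hygiene control counted across every place it should exist."""
    name: str
    present: int   # "I see it in this many places"
    missing: int   # "... and I see it missing in this many places"
    exceptions: List[RiskException] = field(default_factory=list)

    def residual_gap(self) -> float:
        """Fraction of required places still effectively uncovered."""
        if len(self.exceptions) > self.missing:
            raise ValueError(f"{self.name}: more exceptions than missing places")
        unfiled = self.missing - len(self.exceptions)  # gaps nobody filed an exception for
        residual = unfiled + sum(x.residual() for x in self.exceptions)
        return round(residual / (self.present + self.missing), 6)

def operation_risk(controls: List[Control]) -> float:
    """Mean residual gap of the controls scoped to one business operation."""
    return round(sum(c.residual_gap() for c in controls) / len(controls), 6)

def weighted_residual(ops: Dict[str, Tuple[float, List[Control]]]) -> float:
    """Criticality-weighted residual risk across operations, so critical ones dominate."""
    total_w = sum(w for w, _ in ops.values())
    return round(sum(w * operation_risk(cs) for w, cs in ops.values()) / total_w, 6)

# Constructed sample: the patient portal is weighted 3x a back-office reporting app.
PORTAL = [
    Control("MFA on admin access", present=8, missing=2, exceptions=[
        RiskException("legacy integration account", mitigations=[0.5, 0.8])]),
    Control("Critical patch SLA met", present=6, missing=4),
]
REPORTING = [Control("Asset inventoried", present=9, missing=1)]
SAMPLE = {"patient portal": (3.0, PORTAL), "reporting app": (1.0, REPORTING)}

if __name__ == "__main__": print(f"weighted residual risk: {weighted_residual(SAMPLE):.3f}")
```

The two mitigations on the MFA exception leave it worth 0.1 instead of a full 1.0, so that control's gap is 0.11 rather than 0.2, and the 3x weight on the portal pulls the overall figure toward its 0.255 rather than the reporting app's 0.1.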

VP, Chief Security & Compliance Officer in Software, 5 years ago

Previously I would map the maturity frameworks against the technical portfolio. We focused on defining a calculation to determine how much the organization could potentially carry as a residual risk backing out. It was mathematically/scientifically based. Obviously we have access to all those algorithms, but I am summarizing it because I'm not a statistician. The objective is to distribute the risk across connected partners, which limits how much risk you have to carry. But those conversations were the first time I actually started to take a look at really digesting our risk and compliance program in a way where I can articulate that to leadership. Here's what you truly have to be prepared to pay.
