Issue 1

How to prepare for disclosures in a new era of cyber risk transparency

Best Practices for Cyber-Risk Management: Plan, Secure and Monitor the Life Cycle

Cyber-risk management is crucial for organizations that operate in interconnected digital environments. This research helps security and risk management leaders understand the essential components of a cyber-risk management program.

Overview

Key Findings

  • Successful cyber-risk management programs embody the 5-D rule: dynamic, distributed, defensible, data-driven and decision enabling.
  • Cyber-risk data cannot be analyzed to provide actionable outcomes without context.
  • Limited resources and cost of operations require categorizing the criticality and sensitivity of assets to enable adaptive cyber-risk management.
  • Security and risk management (SRM) leaders are increasingly being asked to express cyber risks in monetary terms to enable comparisons with other risks across their organization.
  • Documenting cyber risks in a risk register and ensuring continual communication with stakeholders are critical to provide an overview of cyber risks stated from a business perspective, which enables data-driven decision making.

Recommendations

For SRM leaders responsible for managing cyber risks:

  • Establish your cyber-risk management practices by using Gartner’s cyber-risk management life cycle approach to embed the 5-D rule.
  • Drive insightful data analysis by connecting identified risks to business processes, goals and outcomes to establish the necessary context.
  • Execute impact analysis by examining critical assets/processes from different impact perspectives, such as environmental, social and governance (ESG), privacy, operational, economic or technical perspectives, and their value to the business, in order to enable risk quantification, assignment of ownership and adjusted analysis methodologies.
  • Conduct a triage and utilize different risk assessment methodologies (qualitative, quantitative or hybrid) and different types of cyber-risk quantification methodologies (e.g., FAIR, ALE, VaR, threat model, scenario/decision tree analysis, customized models). Source built-in/preset internal (statistical) and external (threat intelligence) financial data for cyber-risk quantification that allows customization if required.
  • Communicate risk in a timely manner by leveraging dashboards designed for the target audience, enabling risk owners to prioritize treatment actions and make informed decisions.

Introduction

The term “cyber risk” refers to the risk that may impact the goals and values of an organization in terms of financial loss, operational disruption, damage or harm caused by the failure of the technologies employed for informational and/or operational functions within interconnected digital environments.

Cyber risk arises when cyber resources (including third parties, supply chains, and existing and potential customers) are affected by electronic means through unauthorized access, use, disclosure, disruption, modification or destruction.


Cyber-risk management is an integral part of modern business management. It must be integrated into the business and the broader software and digital environment, and it must leverage existing data sources as comprehensively as possible to avoid duplicated work, questionnaire fatigue and a false perception of risk caused by incorrect assumptions.

Ransomware attacks, data breaches and technology failures as well as cloud misconfigurations, insider threats and cyber sabotage have already become a part of daily business conversations. SRM leaders are under constant pressure to demonstrate effective management of cyber risk due to the increased concerns surrounding cyber risk from both internal and external stakeholders.

As the pressure and scrutiny increase, many SRM leaders are challenged with transitioning away from manual cyber-risk management approaches, which are often inconsistent and centered on checkbox compliance. Adopting a more dynamic, distributed, defensible, data-driven and decision-enabling approach is one way to improve the efficacy and efficiency of their efforts.

Gartner has identified three phases and nine core elements as “must-haves” for the cyber-risk management life cycle, which can be adopted irrespective of the actual risk management framework implemented by an organization (see Figure 1).

Figure 1: Gartner Cyber-Risk Management Life Cycle


The cyber-risk management life cycle comprises three phases with three core elements within each (for a total of nine):

  • Plan: Support the decision-making process with relevant and up-to-date information (data-driven).
    • Establish context: Identify scope, define risk parameters and risk management strategy.
    • Confirm criticality: Conduct impact analysis.
    • Assess risk: Conduct cyber-risk assessment and evaluate controls.
  • Secure: Enable risk owners to define and establish the protection level of their assets.
    • Select controls: Identify control requirements.
    • Manage investment: Invest in solutions while reducing technical debt.
    • Treat risk: Embed an organization-wide attitude to risk treatment.
  • Monitor: Gain visibility into cyber risk and the reduction of impact according to an organization’s risk appetite.
    • Authorize system: Implement risk assessment, security gates and governance in relevant organizational processes like infrastructure and operations (I&O) and project management.
    • Monitor risks: Monitor loss exposures, risk reduction and other indicators.
    • Communicate risks and issues: Document risks in a risk register and provide continual communication to relevant stakeholders like risk owners or senior executives.

Analysis

Successful Cyber-Risk Management Programs Are Grounded in 5 Ds

The 5-D rule helps shape an adaptive cyber-risk management program. It also indicates what is required to be successful in each phase and core elements of the cyber-risk management life cycle (see Table 1).

Table 1: The 5-D Rule for Cyber-Risk Management

Cyber-risk management must be:

  • Dynamic: Applied in a timely manner as a continuous, adaptive process in the rapidly changing conditions of a digital environment.
  • Distributed: Able to be applied individually and quickly, and to contribute to the successful business operations of individual areas with targeted results.
  • Defensible: Comprehensible and justifiable, and able to demonstrably contribute to the success of business outcomes.
  • Data-driven: Calculable and proportionate, based on facts that come from and are relevant to an organization.
  • Decision enabling: Helpful for risk owners to make informed decisions that are proportionate to value and risk.

Source: Gartner (June 2023)


Steps to Execute in the Cyber-Risk Management Life Cycle

In order to support a cyber-risk management program that embodies the 5-D rule, SRM leaders must perform the activities described in detail below (see Figure 2).

Figure 2: Cyber-Risk Management Life Cycle (Detailed)


Plan


Without context, cyber risk data cannot be analyzed to provide actionable outcomes.

This phase includes functions and activities related to the need for controls and the associated planning activities and requirements. SRM leaders need to understand the context of assets and processes in order to move from guessing to knowing, to leverage the right data in risk assessments to propose adequate risk optimization measures.

Establish Context

Identifying scope and defining risk parameters are foundational to any cyber-risk management strategy. A customizable depth and breadth of scope is another key part of establishing the context. Gartner has noted a rise in the number of clients tailoring risk appetite and risk tolerance to different lines of business (see Ignition Guide to Drafting and Operationalizing Cyber Risk Appetite Statements), as well as defining risk parameters to assess and treat risks consistently and in a structured way across the organization.

Functions and activities for this area should include:

  • Strategic business context: Connecting cyber risk to business process, business goals and business outcome and determining risk ownership.
  • Customizable risk parameters: Starting with best practice parameters, but being open to the option to tailor the risk parameters and management processes to the individual strategy and approach as well as to the different elements of the scope, such as cyber risk-profile, methodology, taxonomy and applicability.
  • Cyber asset inventory: Utilizing sources that provide an accurate, reliable and up-to-date inventory of the assets in scope, including configuration information.
  • Tailored risk scope: Maintaining the ability to scope to organizational elements, technology domains, business processes, and other customizable groupings and aggregations.

Confirm Criticality


Use criticality information for prioritizing remediation activities and control assignment, as well as for responding to detected cyber events, reacting to potential issues, and recovering services in the necessary order.

Limited resources and cost of operations require categorizing the criticality and sensitivity of assets to enable adaptive cyber-risk management. Classification and risk tiering ensure that risk mitigation and resource utilization efforts are prioritized and optimized based on the value/criticality of all relevant assets and risks. Gartner recognizes that most clients utilize a categorization based on criticality. However, performing a thorough impact analysis is not common.

Functions and activities in this area should include:

  • Impact analysis: Determining critical assets/processes from different impact perspectives, such as ESG, privacy, operational, economic or technical perspectives, and measuring their value to the business in order to enable risk quantification and assignment of risk ownership, as well as adjusted analysis methodologies.
  • Activity prioritization: Prioritizing remediation activities of risks based on different aspects like business criticality, risk factors or system classification.
  • Risk appetite definition: Creating a mechanism to determine a cascaded risk appetite and risk tolerance based on defined risk scopes.
  • Risk identification catalog: Running the process of risk identification independently within the operating model to provide a prefilled risk catalog that supports the risk assessment process.

Assess Risk


Achieve substantial action-based results by relying on an approach that is based on trusted analysis, timely delivery and empowering guidance to decision makers.

SRM leaders are increasingly being asked to express cyber risks in monetary terms in risk assessments to enable comparisons with other risks across the organization. Gartner clients are already evolving different approaches to move beyond scenario-based risk assessments that rest on probabilities and assumptions, because such assessments lack credible data and do not produce defensible results. Cyber-risk quantification supports greater comparability with other risks and provides defensible data and methodology.

Functions and activities in this area should include:

  • Triage: Performing a triage step based on available data to determine the next course of action. Data-driven analysis enables decision making to factor in the economic value of an asset or process when identifying the applicable methodology for risk assessment.
  • Risk assessment process: Using a risk assessment workflow with relevant data, determining and managing different types of risk assessments, including one-time assessments, tollgate assessments and portfolio assessments.
  • Risk quantification: Utilizing different risk assessment methodologies (qualitative, quantitative or hybrid) and different types of cyber-risk quantification methodologies (e.g., FAIR, ALE, VaR, threat model, scenario/decision tree analysis, customized models). Sourcing built-in/preset internal (statistical) and external (threat intelligence) financial data for cyber-risk quantification allows for customization if required.
  • Automation: Leveraging technologies that offer near-real-time, automated capabilities is a key aspect of modern cyber-risk management. These technologies enhance various stages of the risk management process by enabling automated risk assessments, control proposals, testing effectiveness and maturity of controls, evaluating control implementation levels through automated workflows and questionnaires, and harnessing the power of AI.
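As an added example (not code from the Gartner note or from any product it describes), the frequency × magnitude decomposition behind ALE and VaR figures can be run as a Monte Carlo simulation over a small risk register, with each scenario ranked by VaR and checked against a risk tolerance. The scenario names, owners, loss parameters, the 95% confidence level and the tolerance value are all constructed assumptions.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One risk-register entry with its quantification inputs."""
    name: str
    owner: str               # business risk owner (see "Establish Context")
    events_per_year: float   # expected loss-event frequency (Poisson mean)
    loss_median: float       # median single-event loss, in currency units
    loss_sigma: float        # lognormal dispersion of the single-event loss


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's multiplication
    method, which is adequate for the small frequencies in a risk register."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, trials=20000, seed=7):
    """Simulate the total loss of `trials` years for one scenario.

    Each year draws how many loss events occur, then sums a lognormal
    magnitude per event: the frequency x magnitude decomposition that
    FAIR-style quantification uses.
    """
    rng = random.Random(seed)   # fixed seed keeps the results reproducible
    mu = math.log(scenario.loss_median)
    totals = []
    for _ in range(trials):
        events = poisson(rng, scenario.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, scenario.loss_sigma)
                          for _ in range(events)))
    return totals


def summarize(annual_losses, confidence=0.95):
    """ALE is the mean annual loss; VaR is the annual loss not exceeded in
    `confidence` of the simulated years (nearest-rank percentile)."""
    ordered = sorted(annual_losses)
    rank = max(0, math.ceil(confidence * len(ordered)) - 1)
    return {"ale": sum(ordered) / len(ordered), "var": ordered[rank]}


def prioritize(register, tolerance, trials=20000):
    """Quantify each scenario, rank by VaR and flag tolerance breaches."""
    rows = []
    for scenario in register:
        stats = summarize(simulate_annual_losses(scenario, trials))
        rows.append({"name": scenario.name, "owner": scenario.owner, **stats,
                     "breaches_tolerance": stats["var"] > tolerance})
    return sorted(rows, key=lambda row: row["var"], reverse=True)


# Constructed sample register: names, owners and parameters are illustrative.
SAMPLE_REGISTER = [
    RiskScenario("Ransomware on ERP platform", "CFO", 0.3, 800_000, 1.2),
    RiskScenario("Cloud storage misconfiguration", "CIO", 1.5, 60_000, 0.9),
    RiskScenario("Insider data exfiltration", "CHRO", 0.2, 250_000, 1.0),
]
SAMPLE_TOLERANCE = 1_000_000   # constructed annual-loss tolerance for the scope

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, SAMPLE_TOLERANCE):
        print(f"{row['name']:<32} owner={row['owner']:<5} "
              f"ALE={row['ale']:>12,.0f} VaR95={row['var']:>12,.0f} "
              f"breach={row['breaches_tolerance']}")
```

Because the ALE hides tail losses, a scenario with a modest ALE can still breach the tolerance on VaR, which is the comparison a risk owner needs when deciding on treatment.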

Secure


Use catalogs/frameworks to promote a systematic and consistent approach for deploying security controls to reduce and optimize an organization’s cybersecurity risk exposure in accordance with its risk appetite.

This phase includes functions and activities related to the implementation of controls and their operation. SRM leaders need those functions to understand if relevant risks are mitigated with controls, whether there are gaps, and whether investments are projected to meet expectations.

Select Controls

Identifying control requirements is part of the strategic planning process. Gartner recognizes that most clients use control catalogs via cyber-risk management software that supports the identification of common security controls and the development of associated baselines, which in turn reduces the workload for users.

Functions and activities in this area should include:

  • Strategic planning process: Following a strategic planning process to manage the individual control framework in accordance with cyber/security architecture as well as business requirements.
  • Built-in control catalogs: Developing a comprehensive control menu by leveraging international control catalogs, control frameworks and best practices, while allowing for the inclusion of custom controls in order to enhance the effectiveness and flexibility of the control selection process.
  • Customizable control sets: Offering the capability to customize and develop rationalized control sets that align with different criticality categories of an organization’s assets or operations.
  • Controls mapping (internal/external): Mapping to the organization’s internal policies, external industry standards, other regulatory requirements and contractual requirements, and automatically updating or cross-mapping new control frameworks, standards and regulations.

Manage Investment


Addressing the cyber risk of technical debt in the long term should be based on the assessment of cyber risk in achieving an organization’s long-term business objectives instead of short-term financial benefits or tactical goals of individuals.

Investing in technical debt reduction is becoming increasingly important because, over time, organizations accumulate substantial technical debt that limits their ability to address cyber risk without significant investment or replacement. This growing technical debt impacts an organization’s ability to achieve its long-term objectives. Gartner sees current cyber-risk management approaches falling short in proactively planning and driving technical debt reduction. Organizations should make informed decisions that consider not only short-term losses and consequences but also the cost of significant upgrades, which otherwise encourages them to choose lower-cost compensating controls.

Functions and activities in this area should include:

  • Control investments (ROI support): Managing control investments, including security tools and services to support ROI calculations and cyber-risk modeling.
  • Technical debt reduction: Acknowledging the consequences of suboptimal decisions made during software development and infrastructure maintenance, and taking proactive steps to address them, leading to improved system performance, reduced maintenance effort and enhanced cybersecurity.
  • Investment scenarios: Using a scenario-based decision-making approach that strengthens cyber investment decisions by incorporating multiple scenarios, improving transparency and optimizing resource allocation for greater strategic impact.
  • Business value definition: Facilitating the articulation of enhanced business value by focusing on business risk reduction and outcome-driven approaches.

Treat Risk


To minimize the risk exposure window, it is crucial to adopt a continuous and automated approach for risk assessments, which offers proactive recommendations for prioritizing mitigation steps.

Risk treatment is the process of deciding which action is ultimately taken to address assessed cyber risks, to what extent and in which time frame. A risk treatment plan has to balance the value of the business asset or process in question against the needed investment (cost-benefit considerations). In addition, it must consider the risk appetite and risk tolerance discussed before (see Ignition Guide to Drafting and Operationalizing Cyber Risk Appetite Statements). Gartner recognizes that nearly all clients have a risk treatment plan. However, many are missing the link between risk treatments and organizational goals and enterprise risk management.

Functions and activities in this area should include:

  • Risk treatment plan: Utilizing RASCI (see Tool: Cybersecurity Program RASCI Matrix), data-driven decision support, and prioritization to optimize risk mitigation strategies.
  • Alignment with strategic goals/objectives: Establishing a dynamic alignment and linkage between strategic goals/objectives and cyber-risk management to effectively integrate and visualize risk mitigations with the overarching business strategy.
  • Scenario/what-if analysis: Optimizing and advancing “what-if” analysis to comprehensively evaluate the potential impact of diverse treatment proposals on cyber risks, and leveraging factors including risk investments, threat vectors, attack surfaces, vulnerability exploitation and business continuity implications.
  • Support for cultural change: Managing change activities like training assignments, consulting engagements and awareness interactions (see Note 1).

Monitor


Require the incorporation of security sign-offs into the system authorization process to prevent the introduction of potentially serious and costly cyber risks into your organization.

This phase includes functions related to the monitoring of operational and procedural execution of security controls. SRM leaders need to have insight into whether the planned and deployed controls are actually minimizing risk as agreed and operating effectively and which indicators help to inform different stakeholders about this status. In addition, controls must be comprehensively implemented and continuously improved, while the maturity of processes must be aligned with target expectations.

Authorize System

Embedding risk management, security tollgates, checkpoints or milestones, and governance into the organization’s processes and life cycles helps verify that cybersecurity requirements have been met before a system is brought into production. Gartner recognizes that some clients utilize cyber-risk management software that applies a system-focused, authority-to-operate methodology, such as FedRAMP and NIST SP 800-39, and has the capability to conduct risk assessments (or security assessment and authorization [SA&A]) to validate that projects and system implementations manage risks appropriately.

Functions and activities in this area should include:

  • Tollgate approach: Seamlessly integrating security check points into workflows including agile developments, automating risk assessments and triggering proactive security activities.
  • Links to project life cycle management: Integrating security requirements and connecting with project management tools to ensure comprehensive coverage and effective management of security considerations throughout the project life cycle.
  • Security policy management: Managing security policies and corresponding standards, connected to control frameworks, and managing policy compliance based on evidence collection, also as part of the authorization process/workflow, and policy exception handling.
  • Security assessment and authorization: Collecting all deliverables and the workflow to fulfill predefined security assessment and authorization requirements.

Monitor Risks


Monitor risks so treatments are tracked and tested, and the risk program can continuously evolve to reflect changes happening to your organization from outside.

This element is the instrument for monitoring the current status of the implemented treatments and ensuring their continued effectiveness. Monitoring loss exposures and other risk indicators helps to build a proactive cyber-risk function. Organizations need retrospective reviews of incidents, near misses and mistakes from both internal and external sources; relying only on these, however, results in a reactive cyber-risk function. Gartner recommends that organizations seek to implement solutions that provide key risk indicators, metrics and centralized risk/threat intelligence content based on the context of the organization.

Functions and activities in this area should include:

  • Continuous control monitoring (CCM): Integrating with CCM tools, including vulnerability management, cyber-asset attack surface management (CAASM) and cloud security posture management (CSPM), to get real-time/near-real-time insights into control effectiveness (see Innovation Insight: Cybersecurity Continuous Control Monitoring).
  • Cybersecurity (program) performance management: Evaluating and benchmarking the security posture and the security program maturity from a business value perspective, and systematically linking multiple levels of people, process and technology risks, indicators, investment and returns. This is for identifying continuous improvement areas/gaps and providing data-driven and guided budget requirement simulations to help prioritize and meet business needs and secure an organization within budget constraints.
  • Key indicators: Developing and customizing key performance indicators to track performance of the cyber-risk operational function and key control indicators to measure the effectiveness of existing controls as well as key risk indicators to monitor specific business risks.
  • Cyber-risk landscape: Proactively monitoring and correlating the cyberthreats, also based on threat intel, against the individual cyber-risk landscape in order to be prepared for a continuous update of the risk state and to initiate appropriate corrective actions.

Communicate Risks and Issues


Achieve and maintain executive support for cyber-risk management by effectively communicating cyber risks in a manner that links them to business values and outcomes.

Documenting cyber risks in a risk register and ensuring continual communication are critical to enable data-driven decision making by risk owners. Gartner continues to observe that a lack of executive insight into and visibility of cyber risks results in poor decisions being made regarding security investments. SRM leaders need to communicate risk in a timely manner via dashboards designed for the target audience and a set of customizable reports to help organizations prioritize treatment actions and make informed decisions.

Functions and activities in this area should include:

  • Risk register: Using a risk register for communicating a sorted, aggregated, prioritized list of cyber risks in a format that allows for informed decision making and tracking their treatment.
  • Incident management: Developing and implementing a strategy to respond to cyber incidents, including incident response and recovery plans. Management/mitigation of impact, relevant information availability, tracking and escalating should be encapsulated in either the strategy or plan.
  • Cyber-risk dashboard: Scoping dashboards by audience requirements for consistent delivery of “need-to-know” information to appropriate stakeholders. Such information should explain and explore each risk and its connection to an organization’s overall business values and strategy.
  • Cyber-risk report generation: Generating effective, dynamic, data-driven, need-and-urgency-based cyber-risk reports that enable understanding and drive stakeholder support. It is crucial for an organization to acquire the ability to report on the security posture from different risk and compliance perspectives.

Source: Gartner Research Note G00793308, Michael Kranawetter, Sema Yuce, 28 June 2023

Evidence

This research is based on hundreds of client and vendor interactions that happened in 2022 and 2023.

Note 1: Cultural Change

Cultural change activities in cybersecurity ensure that:

  • Risk owners know and understand how cyber-risk mitigations and associated responsibilities and control features impact their environment.
  • Risk owners have the appropriate knowledge, skills and motivation to comply with the cyber-risk requirements outlined in the organization’s policy.
  • Risk owners understand the cyberthreats relevant to the organization and how controls add value by addressing them.