How do I select a risk assessment solution for my business?

One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.

To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Jaymin Desai, Offering Manager, OneTrust

First, consider what type of assessments or control content as frameworks, laws, and standards are readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.

Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.

One other key consideration is how the risk assessment solution can scale with your business. This is important in evaluating your efficiencies over time. Are the assessments static exports to Excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.

The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.

Brenda Ferraro, VP of Third Party Risk, Prevalent

The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.

There are seven key fundamentals that must be considered:

  • Network repository: Uses the ‘fill out once, use with many’ approach to rapidly obtain risk information awareness.
  • Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhance decision-making on prioritization, remediation, and compliance.
  • Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
  • Enables scalability: Adapts to changing processes, risks, and business needs.
  • Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
  • Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
  • Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.

The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.

Fred Kneip, CEO, CyberGRX

Organizations should look for a scalable risk assessment solution that has the ability to deliver informed risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as check-the-box exercises that don’t provide insight, and they need to go beyond a simple outside-in rating that, alone, can be misleading.

Rather, risk assessments should help you to collect accurate and validated risk data that enables decision making, and ultimately, allow you to identify and reduce risk ecosystem at the individual level as well as the portfolio level.

Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.

Jake Olcott, VP of Government Affairs, BitSight

Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria: they are automated, continuous, comprehensive and cost-effective.

Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.

Risk assessments also need to be comprehensive and cover the full breadth of the business including third and fourth party risks, and address the expanding attack surface that comes with working from home.

Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.

Mads Pærregaard, CEO, Human Risks

When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:

1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication

Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.

Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.

Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.

Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.

Steve Schlarman, Portfolio Strategist, RSA Security

Given the complexity of risk, risk management programs must rely on a solid technology infrastructure and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.

Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.

Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.

The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.

You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”

Yair Solow, CEO, CyGov

The starting point for any business should be clarity on the frameworks they are looking to cover both from a risk and compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).

Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.

Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.

This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.

2020 predictions: Rising complexity of managing digital risk

Digital risk management experts at RSA Security have released their predictions for 2020, detailing key cyber trends for the year ahead. With contributions from President Rohit Ghai and CTO Dr. Zulfikar Ramzan, the predictions offer a steer to companies on emerging threats and highlight that cybersecurity issues remain the number one digital risk for organizations undergoing digital transformation.

“In 2019, across all verticals, cyber attack risk ranks as one of the top digital risk management priorities,” commented Rohit Ghai, President at RSA Security. “Don’t expect anything to change in the New Year. In fact, across both public and private sectors, organizations will continue to embrace digital transformation initiatives. On the risk register, cyber-attack risk will remain the leading business risk and inevitably, organizations will continue to struggle to gain visibility across a growing number of endpoints and a more dynamic workforce. Both will create gaps for potential exploitation.”

Some of the key trends that businesses need to be aware of include:

Cybersecurity: A matter of safety

“There will be a shift in mindset from cybersecurity to “cyber safety” in 2020. Global events like the Summer Olympics in Japan or World Expo in Dubai are blending physical infrastructure with connected systems to deliver better user experiences,” comments Alaa Abdulnabi, Regional Vice President of META. “However, these events underscore a new reality: cyber is much more than just a data security issue. It will become a component of physical security, too.”

Expect to see a cyber incident at the edge next year

“The continued proliferation of IoT devices will make edge computing an essential component of enterprise IT infrastructure in 2020,” comments Rohit Ghai, President. “To power these systems, 5G will become a bedrock for organizations looking to speed up their IT operations. With this innovation and speed will come greater digital risk. A security incident in the New Year will serve as the wake-up call for organizations leaning into edge computing. It will remind them that threat visibility across is essential as their attack surface expands and the number of edge endpoints in their network multiplies.”

Breach accountability

“A high-profile case where an organization is breached due to an API integration will create confusion over who is responsible for paying the GDPR fine,” comments Angel Grant, Director of Digital Risk Solutions. “This will spark conversations about regulatory accountability in a growing third-party ecosystem.”

The rise of cyber attacks in the crypto-sphere

“The security of cryptocurrencies rests on safeguarding users’ private keys, leaving the ‘keys to kingdom’ accessible to anyone who fails to adequately protect them,” comments Dr. Zulfikar Ramzan, CTO. “Cybercriminals usually follow the money, so expect that cryptocurrencies will be at or near the top of attackers’ wish lists in 2020.”

The API house of cards will start to tumble

“Many organizations have stitched together a fragile network of legacy systems via API connections to help better serve customers and improve efficiency,” comments Steve Schlarman, Director & Portfolio Strategist. “A security incident in the New Year will disrupt the patchwork of connections and it will lead to major outages. The event will serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.”

The identity crisis will worsen

“Businesses are coming to realize that mismanaged credentials and passwords are often the weakest link in a security chain and identity compromise continues to be at the root of most cyber incidents,” comments Rohit Ghai, President. “Next year, we will see identity risk management become front and centre in cyber security programs as organizations adopt more and more cloud solutions; as workforces become more dynamic with gig workers and remote employees and as the number of identities associated with things or autonomous actors continues to dwarf the number of human actors on the network.”