01 September 2016

Structure & guidance in cyber risk management

Information risk management, at the instruction of the government, has moved from being focused on process to being centered on outcomes.

The government found that its departments and agencies were too preoccupied with methodologies, to the detriment of truly understanding risk and how to manage it. As IS1 and IS2 are no longer mandatory, government departments and agencies have been given the freedom to develop their own frameworks as they see fit, as long as the required outcomes are achieved.

But at what cost does this come when looking at the quality and consistency of approaches used? In the face of decreased authority and control from the Centre over the issue, how should the rest of the UK get to grips with best practice?

It is true that the methodologies for risk assessment have, in the past, been very prescriptive. This in turn allowed people with widely varying levels of experience to carry out risk assessments: they could simply implement the prescribed processes, rather than base their actions and decisions on a thorough understanding of risk. Risk management was therefore under threat of becoming a box-ticking exercise, a process based on fulfilling certain criteria and meeting particular required standards. This also meant that in many cases every possible control was implemented, often to a level that wasn’t required, resulting in unnecessary cost to the business. Decisions and responses had moved away from being proportionate and appropriate, the two key measures in risk management.

However, asking agencies and organisations to develop their own frameworks and processes introduces further confusion. As a result, many teams are continuing to employ a compliance-centric approach, unable to justify the investment required to identify appropriate controls. There is therefore little consistency in how risk management is now being approached: more often than not it is a combination of the newly introduced data classification scheme, the old Impact Levels, and IS1 and IS2.

In Government, ‘clustering’ is happening to reduce costs, leaving larger departments to use their expertise, resources, assurance, compliance and risk management capabilities to support smaller departments. The challenge here is ensuring that all controls are appropriate and proportionate to the crown jewels being protected, avoiding a cookie-cutter approach to risk management. The very nature of risk is that it differs for every asset, and so requires different controls.

There are always multiple threat events to be understood and analysed. The cyber risk landscape is ever-changing and evolving, so government departments and industry need to be agile. Risk management is about being proactive and staying one step ahead. NCSC will be providing some influence, authority and data on risk and current threats, but there doesn’t appear to be confidence that this will translate into meaningful change or provide the required level of guidance and support.

SYNERGi provides a risk framework for the way you work. The solution enables organisations to easily map risks, threats and vulnerabilities against their business, and report in the context of goals.

“Trust is such an integral part of the Post Office brand. SYNERGi lets us engage with leaders directly, and build a risk-based cyber security strategy around their objectives, so everyone feels confident.”
Julie George, Chief Information Security Officer, Post Office Ltd.