By: Teddy VanGalen, Senior Consultant, Cyber Risk Advisory
Prioritizing and handling security issues is part of a continuous management plan within your organization’s security program. Like a yearly doctor’s exam or a routine oil change for your car, continuous management is preventive care for your information systems. It serves as part of the solution to the ever-present cybersecurity problem.
At BARR Advisory, we believe in taking a holistic approach to continuous management—one that includes achieving your short-term goals and a wider perspective of identifying the root cause of your security issues. We believe it’s important to consider the why behind managing the probability of security issues versus simply responding as incidents occur.
Let’s take a look at what security issues entail as well as how to prioritize and handle them through your ongoing security plan.
Security Issues Defined
While it may seem like a general term, security issues are specific to certain outcomes in your overall security management program. When assessing your organization, it’s important to understand the difference between security issues and threats and risks. Let’s take a look at what each of these terms means and how they might apply to your organization.
Security issues are the result of unmitigated threats and risks. It is an umbrella term for the larger events that surface when assessing your systems and controls, such as a data breach, a social engineering attack, or an insider threat attack. Security issues describe larger outcomes that could negatively impact your organization’s people and data.
Threats can be any circumstance or event that has potential to adversely impact an organization, generally through an information system. Threats are usually broken out into different threat sources:
- Accidental—human error
- Structural—hardware or software malfunctions
- Environmental—natural or man-made disaster
Risk is the potential for loss, damage, or destruction of data caused by a cyber threat, and it is measured by the likelihood and impact level of a specific threat event. Risks are typically rated as high, medium, or low and are prioritized depending on their score and the level of difficulty involved in remediating them.
Managing Security Issues
While there isn’t one specific template, there are several ways to prioritize and handle your security issues. Once you’ve reached the continuous management stage, you can address these issues from a preventive security perspective using the following measurements and guidelines.
As defined above, security issues stem from threats and risks, which are unique to each company and its industry. One way to manage these issues is to perform an annual risk assessment in order to mitigate the effects of a security issue before it occurs.
Through a risk assessment, your in-house security team or a virtual Chief Information Security Officer (vCISO) can help your organization take a step back and identify any threats or risks that may lead to a larger security issue or incident.
Within a risk assessment, once a risk is prioritized as high, medium, or low, that risk can be treated with one of the following strategies:
- Mitigate: Take actions or employ strategies to reduce the risk.
- Accept: Decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
- Transfer: Decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not held by the organization, or insurance may be appropriate for protection against financial loss.
- Eliminate: The risk may be such that the organization decides to cease the activity, or to change it in such a way as to end the risk.
If a security issue has already occurred within your organization, you’ll want to formally track the issue and undergo an annual review to see if there are any common occurrences or frequent risks.
Once you’ve completed a risk assessment, your security advisor or vCISO can create a risk register to help manage security issues. A risk register will not only allow your organization to identify threats and risks applicable to you and your customers, but it encourages you to proactively think about these ongoing events, ultimately reducing the probability of security issues or eliminating them from occurring in the first place.
Along with a description of each risk, risk registers typically include the following categories:
- Risk Impact—The potential impact of the risk if it did become an issue
- Probability of Occurrence—The estimated probability that the risk will at some point become an issue
- Inherent Risk Value—Calculated using the Risk Map, based on the values selected for both risk impact and probability of occurrence
- Risk Response Strategy—Based on the risk evaluation and prioritization, a response strategy and control recommendations will be devised. Appropriate and justified controls are selected to treat the risks identified by the risk assessment.
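To make the register fields above concrete, here is a small, runnable Python model of a risk register, added as an illustration rather than code from the article or from BARR Advisory. It assumes a simple 3×3 risk map where the inherent risk value is probability multiplied by impact on a 1 to 3 scale, assumes the high/medium/low thresholds on that 1 to 9 scale, and uses constructed sample risks; it validates that each Risk Response Strategy is one of the four treatments described above, prioritizes the register by inherent value, and produces the per-rating counts a scorecard would summarize.

```python
"""Minimal risk register: inherent risk from an assumed risk map, plus prioritization.

Constructed example. The 3x3 risk map, the rating thresholds and the sample
risks are assumptions for illustration, not BARR Advisory's methodology.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    """Scale used for both Probability of Occurrence and Risk Impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed risk map: inherent value = probability x impact, giving a 1..9 score.
RISK_MAP: Dict[Tuple[Level, Level], int] = {
    (p, i): int(p) * int(i) for p in Level for i in Level
}

# The four treatment strategies from the risk assessment section.
RESPONSE_STRATEGIES = {"mitigate", "accept", "transfer", "eliminate"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: Level          # Probability of Occurrence
    impact: Level               # Risk Impact
    response: str               # Risk Response Strategy
    controls: Tuple[str, ...] = ()  # controls selected to treat the risk

    def __post_init__(self) -> None:
        # Reject a register entry whose response is not one of the four strategies.
        if self.response not in RESPONSE_STRATEGIES:
            raise ValueError(f"{self.risk_id}: unknown response strategy {self.response!r}")


def inherent_risk_value(risk: Risk) -> int:
    """Inherent Risk Value, looked up from the (assumed) risk map."""
    return RISK_MAP[(risk.probability, risk.impact)]


def rating(value: int) -> str:
    """Map a 1..9 inherent value to high/medium/low (assumed thresholds)."""
    if value >= 6:
        return "high"
    if value >= 3:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent value first; ties broken by impact, then by id for stable output."""
    return sorted(
        register,
        key=lambda r: (-inherent_risk_value(r), -int(r.impact), r.risk_id),
    )


def scorecard(register: List[Risk]) -> Dict[str, int]:
    """Count of risks per rating, the kind of snapshot a security scorecard reports."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[rating(inherent_risk_value(r))] += 1
    return counts


# Constructed sample register (hypothetical risks, not from the article).
SAMPLE_REGISTER: List[Risk] = [
    Risk("R-001", "Phishing leads to credential theft; no MFA on email",
         Level.HIGH, Level.HIGH, "mitigate", ("enforce MFA", "awareness training")),
    Risk("R-002", "Regional power outage at primary office",
         Level.LOW, Level.MEDIUM, "accept", ("UPS on core equipment",)),
    Risk("R-003", "Unpatched VPN appliance exploited",
         Level.MEDIUM, Level.HIGH, "mitigate", ("monthly patch SLA",)),
    Risk("R-004", "Financial loss from ransomware downtime",
         Level.MEDIUM, Level.MEDIUM, "transfer", ("cyber insurance",)),
    Risk("R-005", "Legacy FTP server still reachable from the internet",
         Level.HIGH, Level.MEDIUM, "eliminate", ("decommission service",)),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        v = inherent_risk_value(r)
        print(f"{r.risk_id}  value={v}  {rating(v):6}  {r.response:9}  {r.description}")
    print(scorecard(SAMPLE_REGISTER))
```

Running it lists R-001 first (value 9), then R-003 ahead of R-005 (both 6, but R-003 has the higher impact), then R-004 and R-002. Swapping in a different risk map or thresholds only touches RISK_MAP and rating(), which is where an organization's own scale would go.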
Key Performance Indicators
Key Performance Indicators (KPIs) can be used to track security issues as a whole, but more specifically KPIs are defined metrics used to track measurable outcomes such as uptime SLAs, security awareness training, MFA, and endpoint management. KPIs are typically located within a data scorecard, which is an evaluation tool that provides a snapshot of your organization’s security posture at any given time.
In the long run, KPIs are used to track the metrics which can help mitigate security issues or help to eliminate them altogether. Some KPIs that can be used to prioritize issues include:
- Intrusion Attempts
- Security Incidents
- Patch Management
- Access Controls
- Average Incident Response Time
- Security Awareness Training
Incident Response Policies
Having a documented policy such as an incident response policy outlining your organization’s process related to handling security issues is also key. Incident response policies are highly individualistic based on your organization’s specific posture and needs. However, this is where a vCISO can step in, providing direction to stakeholders and creating and implementing a customized incident response plan.
Interested in learning more about handling your security issues through BARR’s CISO Advisory program? Contact us today.
About the author:
Teddy VanGalen, Senior Consultant, Cyber Risk Advisory
As a Senior Consultant at BARR Advisory, Teddy supports the company’s growing CISO Advisory service offerings, specifically for small-to-medium sized companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.
He is an experienced consulting professional with a history of working in IT governance, risk, and compliance for financial institutions and small-to-medium sized companies. He maintains the CISA and HITRUST CCSFP certifications to fortify his reputation as an IT professional in audit and risk. Teddy graduated from Utica University with a Bachelor of Science in Cybersecurity, and prior to BARR, he worked at Wolf & Company, P.C.