24 March 2019

Operational Threat Matrix: The Mission Ready Many...

"Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014."

Measuring an incident first requires defining a taxonomy of what an "incident" is and what an "incident" is not. In other words, how can you measure something that has not been sufficiently defined in your organization? How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits.

Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system:
  • Identify a method of risk assessment that is suited to the organization's business assets to be protected, regulatory requirements and corporate governance guidelines.
  • Identify the assets and the owners of these assets. Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
  • Assess the risks.
  • Identify and evaluate options for the treatment of risks.
  • Select control objectives and controls for treatment of risks.
  • Implement and operate the system.
  • Monitor and review the system.
  • Maintain and improve the system.
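The identify, assess, treat and review steps listed above, carried through as a small risk register. This is an added example, not code from the original post or from NIST; it assumes a 1 to 5 scale for likelihood and for each of the confidentiality, integrity and availability impacts, a score of likelihood multiplied by the worst-case impact, and treatment thresholds (accept, mitigate, avoid or transfer) that are assumptions. Every asset, owner, threat, vulnerability and rating is constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # the accountable owner identified for the asset


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str  # the weakness the threat could exploit
    likelihood: int     # 1 (rare) .. 5 (almost certain); assumed scale
    impact_c: int       # loss of confidentiality, 1 .. 5
    impact_i: int       # loss of integrity, 1 .. 5
    impact_a: int       # loss of availability, 1 .. 5

    def impact(self) -> int:
        # The worst-case loss across C, I and A drives the rating.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        return self.likelihood * self.impact()


def treatment(score: int, appetite: int = 6) -> str:
    """Map a score to a treatment option; the thresholds are assumptions."""
    if score <= appetite:
        return "accept"
    if score <= 15:
        return "mitigate"
    return "avoid-or-transfer"


def assess(register: List[Risk], appetite: int = 6) -> List[Dict[str, object]]:
    """Rank the register by score and attach a treatment to each entry."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [
        {
            "asset": r.asset.name,
            "owner": r.asset.owner,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "score": r.score(),
            "treatment": treatment(r.score(), appetite),
        }
        for r in ranked
    ]


def residual(risk: Risk, new_likelihood: int) -> Risk:
    """Re-rate a risk after a control lowers its likelihood (the review step)."""
    if not 1 <= new_likelihood <= risk.likelihood:
        raise ValueError("a control cannot raise likelihood or leave the scale")
    return replace(risk, likelihood=new_likelihood)


# Constructed sample register: every asset, owner, threat and rating is hypothetical.
SAMPLE_REGISTER = [
    Risk(Asset("customer database", "head of data"), "external attacker",
         "unpatched injection flaw in web portal", 4, 5, 4, 3),
    Risk(Asset("payroll system", "finance director"), "insider misuse",
         "shared administrator credentials", 3, 4, 4, 2),
    Risk(Asset("public website", "marketing lead"), "denial of service",
         "no upstream rate limiting", 2, 1, 1, 3),
    Risk(Asset("office printer", "facilities"), "vandalism",
         "no physical access control", 1, 1, 1, 2),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']:>2}  {row['treatment']:<17} {row['asset']} "
              f"({row['owner']}): {row['threat']} via {row['vulnerability']}")
    # After the portal is patched, the top risk is reassessed against the same appetite.
    print(treatment(residual(SAMPLE_REGISTER[0], 1).score()))
```

Running the block prints the register ranked from highest to lowest score with its treatment, then shows the top entry dropping to "accept" once a control reduces its likelihood; the owner column is what makes the "identify the owners" step auditable, because every line has someone accountable for the treatment decision.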

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization.

Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization were able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents cost the enterprise.

Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly.

If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.
