Security Risk Management: 10 Habits to Adopt
October 4, 2021
During Accenture’s 2021 Operation: Next summit, I spoke with good friends Andy Bochman of Idaho National Laboratory and Agustin Valencia of Iberdrola about the need for organizations to strike a proper balance between IT and OT to minimize risk. One of many practical pieces of advice from the session was that if everyone does the basics, the attack surface shrinks and risk is reduced with it.
So, what are the basics—what I like to think of as good habits—a cybersecurity leader should embrace for a healthier risk management approach?
How does your process work? What are your critical assets and crown jewels? What are your business and operations KPIs? You cannot manage risk effectively without understanding your business and industrial processes.
Remove subjectivity from risk calculations wherever possible. Likelihood, for example, is usually the most subjective parameter: its rationale can be challenged for lack of historical data, incomplete data sets, black-swan events and so on. Think about how to be as objective as possible when managing risk.
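As an added example (not code from the original post), the Python routine below replaces a subjective likelihood rating with an annual incident rate estimated from an incident log, and, more importantly, reports the uncertainty around that rate. The incident dates, observation window and loss-per-event figure are constructed; the model (incidents as a Poisson process, flat prior, posterior Gamma(n+1, T)) is a standard choice, not something the post prescribes.

```python
"""Estimate an annual incident rate, with uncertainty, from an incident log.

Added example, not code from the original post. The incident dates, the
observation window and the loss-per-event figure below are constructed.
Model: incidents arrive as a Poisson process; with a flat prior on the
rate, n events in T years give the posterior Gamma(shape=n+1, rate=T).
"""
import math
from datetime import date


def regularized_lower_gamma(s: float, x: float) -> float:
    """P(s, x) = gamma(s, x) / Gamma(s), i.e. the CDF of Gamma(s, 1) at x.

    Uses the series x^s e^-x / Gamma(s) * sum_k x^k / (s (s+1) ... (s+k)),
    which converges for every x >= 0 and is accurate for the small shapes here.
    """
    if x <= 0.0:
        return 0.0
    term = 1.0 / s
    total = term
    k = 1
    while k < 10000:
        term *= x / (s + k)
        total += term
        if term < total * 1e-16:
            break
        k += 1
    return math.exp(-x + s * math.log(x) - math.lgamma(s)) * total


def gamma_quantile(shape: float, rate: float, p: float) -> float:
    """Inverse CDF of Gamma(shape, rate), found by bisection on the CDF."""
    lo, hi = 0.0, max(1.0, shape / rate)
    while regularized_lower_gamma(shape, rate * hi) < p:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if regularized_lower_gamma(shape, rate * mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def event_rate_interval(n_events: int, years: float, credibility: float = 0.95):
    """(posterior mean, low, high) annual event rate for n events over `years`.

    Equal-tailed credible interval. With sparse data it is wide, which is the
    honest answer rather than a single 'medium' likelihood rating.
    """
    shape, rate = n_events + 1.0, float(years)
    tail = (1.0 - credibility) / 2.0
    return (shape / rate,
            gamma_quantile(shape, rate, tail),
            gamma_quantile(shape, rate, 1.0 - tail))


def upper_rate_bound(n_events: int, years: float, confidence: float = 0.95) -> float:
    """One-sided upper bound on the annual rate. For zero observed events this
    is the 'rule of three': about 3/T per year at 95% confidence, so an empty
    incident log is not evidence of zero likelihood."""
    return gamma_quantile(n_events + 1.0, float(years), confidence)


def observed_years(start: date, end: date) -> float:
    return (end - start).days / 365.25


def annual_loss_interval(n_events: int, years: float, loss_per_event: float):
    """Scale the rate interval by a loss-per-event figure: (mean, low, high) per year."""
    return tuple(r * loss_per_event for r in event_rate_interval(n_events, years))


# Constructed incident log: three outages of one asset class in the window.
WINDOW_START, WINDOW_END = date(2017, 1, 1), date(2021, 9, 30)
INCIDENTS = [date(2018, 3, 2), date(2019, 11, 17), date(2021, 1, 9)]
LOSS_PER_EVENT = 250_000  # assumed average cost of one outage, constructed

if __name__ == "__main__":
    years = observed_years(WINDOW_START, WINDOW_END)
    mean, low, high = event_rate_interval(len(INCIDENTS), years)
    print(f"{len(INCIDENTS)} events in {years:.2f} years")
    print(f"annual rate: mean {mean:.2f}, 95% interval [{low:.2f}, {high:.2f}]")
    lmean, llow, lhigh = annual_loss_interval(len(INCIDENTS), years, LOSS_PER_EVENT)
    print(f"annual loss: mean {lmean:,.0f}, 95% interval [{llow:,.0f}, {lhigh:,.0f}]")
    print(f"zero events in {years:.2f} years still allows up to "
          f"{upper_rate_bound(0, years):.2f}/year at 95% confidence")
```

The interval only captures sampling uncertainty under a stationary Poisson assumption; a shifting threat landscape or a black-swan event sits outside the model. That is why the interval, and the data that produced it, should be reported next to the risk score rather than collapsed into one rating.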
Move away from using compliance requirements or security maturity levels alone to prioritize your security efforts. Compliance should be the baseline of your journey, not the end-state. Maturity will not tell you everything you should know about risk. For example, a process or location can be at maturity Level 1 (less mature) and be low risk. In a different area, you can be at Level 3 (more mature) and still have a highly vulnerable process or location, depending on its criticality and specific requirements.
Take time to build relationships with your stakeholders (board, C-suite, business unit leads, etc.) to understand their needs and how best to communicate with them about risk, e.g., what to include in your risk report, frequency of updates, level of detail, KPIs, etc. By collaborating closely with business lines and the overall enterprise you can reach consensus on how risk is defined, measured, controlled, and mitigated. Collaboration also helps reduce duplication of effort.
Your team’s time is valuable. Save time by following risk management standards, best practices, and methodologies widely adopted by your sector, country, or environment. Leverage the work that critical infrastructures, national security agencies, and standards bodies are doing for you.
As the number of attacks increases, focus on security outcomes that support operational uptime and resilience, so that you perform better under pressure. Ransomware in particular is a growing threat for most industries. Accenture Security recently took a deep dive into the current state of the ransomware threat. In our research, we identified how cybersecurity leaders can help their organizations gain ransomware resilience. Another area to strengthen is your incident response approach. Adopting proactive practices has been shown to improve response times when attacks do happen.
Your risk management efforts should go beyond cyber protection measures alone. You have to consider physical security, employee safety, IT, OT, etc. In any system, humans are always the weakest link. Therefore, to properly manage risk, start by instilling the notion that security is the responsibility of everyone in your organization.
Don’t assume something is trustworthy just because others are using it or you are told to trust it. This includes systems, people, or processes where you assume trust simply as a matter of convenience. Always question what you are doing: is it the right thing to do, and are we doing enough of it?
As IT platforms take a greater share of the OT environment, IT and OT must work closely together and align on how to minimize risk. Working in silos creates weaknesses in your organization, and adversaries will exploit them. Collaboration also helps reduce duplication of effort and redundant investments. Accenture research found that redundant investments in digital projects increased costs by 5.8%.
Encourage your operational and security teams to adopt IT technology in the OT environment, and hold them accountable for the security systems they use and manage.
These habits provide a solid foundation for managing risk. However, if you are a critical infrastructure or large or multinational industrial company, I have a few more habits necessary to meet the high demands of your environment.
Once you start exercising all these habits, sooner or later you will begin asking yourself: Am I doing enough? Am I doing too much? Should I do things differently? To answer those questions, you can look at the health of your organization, business, or process as an indicator of your progress. As you exercise these habits (with peaks here and there depending on other factors), you should begin to see a better-informed view of your risks, engaged and aligned stakeholders, and decreasing (or stabilizing) risk. And to be honest, luck also helps… but don’t rely on it!
1 The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. Consequence-driven Cyber-Informed Engineering (CCE), Cyber PHA, IEC 62443-3-2 and similar tools and methodologies are not Accenture tools or methodologies. Accenture makes no representation that it has vetted or otherwise endorses these tools, and Accenture disclaims any liability for their use or effectiveness, or for any disruption or loss arising from their use.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.
Copyright © 2021 Accenture. All rights reserved