Re-Inventing the Cyber Security Risk Register
The cyber security risk register is a common concept in most organizations that adhere to a best practice security framework. Essentially, the risk register is a centralized inventory, often tangibly reflected as a spreadsheet, of risks that an organization finds in its environment while performing risk management activities.
The problem with existing risk registers, however, is that they are often not defined by best practice frameworks in a way that enables them to be effective. The approach to date has been that you have something, not that you have what is needed to adequately manage risk within an environment.
So, what is a risk register and why can it have such a negative impact on your security efforts?
Where Did the Risk Register Come From?
The origin of the security risk register can be traced back to the ISO 27001 best practice framework, which was one of the first systematic frameworks for cyber security. While the framework has done a lot of good for cyber security, many of the benefits it provides lie in the past.
One of the items suggested in the framework is the creation of an Information Security Management System (ISMS) that can effectively establish how your organization identifies, communicates, treats, and manages risk within your environment.
The most common tangible artifact of the ISMS is the risk register, which the framework even provides a template for. The risk register acts as evidence that your organization is utilizing an ISMS and is also one of the biggest things that auditors reviewing your organization for certification will look for.
ISO 27001 isn’t the only culprit in perpetuating the risk register as it exists in its current form — it was simply the first framework that required it.
Since many of the best practice security frameworks have taken on a risk-based approach, all of them now require some type of risk register. In each iteration, these risk registers tend to have the same flaws.
The Problems with Risk Registers
Although most best practice security frameworks or certification approaches use risk management as their core, there has been no correlative research that suggests receiving a certification makes an organization more resistant to a breach, or adverse security event.
In other words, having your organization certified doesn’t necessarily mean that you’re operating in a more secure, less risky environment.
The reason that most organizations seek best practice security certifications is for the sake of their customers and clients. Most people want to know that the organization they’re working with is secure, after all.
While receiving a certification isn’t at all a detriment, it isn’t enough if you want to do more with your security program than appease customers. There are other, less expensive things, that your organization can do to appeal to your customers.
The core issues with the risk register approach can be found in their focus on compliance, scope, and overall lack of efficiency in an application:
The origin of the risk register is based primarily in compliance. While compliance is important, it shouldn’t be the focus of your security program in today’s security landscape.
When your organization’s risk register is focused on compliance, your organization ends up focusing on the findings without the accompanying recommendations on how to fix them. If you want your security program to prioritize and reduce risk rather than simply identify it, just finding the problems won’t be enough.
To further complicate the issue, most auditors that review organizations for compliance and certification are simply auditors — they don’t necessarily know how to identify something that’s built properly.
Relying on an auditor’s findings to help you strengthen and improve your security program is like relying on an inspector to make suggestions on the structure of your house based on blueprints alone.
With ISO 27001, your organization is responsible to define the scope of which parts of your business are included, as well as the levels and types of risks that will be included in your register.
If an organization is motivated to receive certification solely for their clients, then limiting the scope to the bare minimum and only including hyper-specific risks would be the easiest thing to do.
This is precisely what most organizations do. They identify a single business unit within the scope and set a ridiculously high dollar amount — $5,000,000 — for the threshold of included risks.
The problem here is obvious — limiting the scope and only accounting for specific risks won’t give your organization a complete understanding of the risks to your environment. This results in an incomplete risk register with poor recommendations on how to address and improve them.
Organizations that use ISO 27001 or other best practice security frameworks are often operationally inefficient, both in the way that risks are collected and how they are fixed.
Building a compliant cyber security process isn’t the same as building an efficient process.
Best practice security frameworks don’t often account for building efficient processes, and if your organization doesn’t include any efficiency requirements, then your team will be stuck adhering to something that won’t match your organization’s needs.
Some of the most important efficiency requirements your organization should incorporate include service-level agreements for security processes, effective scoping and defining of your processes, and connecting identified risks to the appropriate recommendations.
Risk registers in their current state are highly problematic, but this doesn’t mean that they should be thrown out entirely.
Instead, our team has come up with a new concept that builds on the foundations of the risk register by filling in the need for an appropriate scope and moving away from an inefficient, compliance-focused model.