ProCircular Information Security Experts Corner

Let your Risk Register be your Guide

Posted by Brandon Blankenship on Jan 30, 2019 12:46:00 PM

“What are the top 7 things you can do to protect your business from hackers?”  Have you ever read a list like that on the internet? In the cybersecurity realm, they’re everywhere. I’ve even assembled and presented one of those lists to a group of business owners myself. They tend to point out things like user awareness training, patching and passwords.  All noble things to get your arms around, of course, but are they useful to a client?  Sometimes I feel as though those lists, as true as they are, are about as useful as telling a football team to “score touchdowns”, or “guard the quarterback.” Yeah, I know that scoring touchdowns is good… but how? 

The other side of that equation is a detailed list of things to check that may look like this: 

  1. Stop using telnet 
  2. No external facing RDP 
  3. Remediate SMBv1* 
  4. Use LAPS 

That list is only useful to you if you already know what those things mean, you understand your overall business risks, and you know what specific actions to take. The major issue I have with specific lists published openly is that these pithy bullet points can give a false sense of security: they are not addressed in a holistic way, they usually only deliver quick wins, and they may not address your greatest risks at all.

Don’t get me wrong, SMBv1 remediation is a good idea regardless of industry. However, it is a single entry on your Risk Register, and a small part of your overall risk program.

So, what’s the answer? A good security program is built around protecting the data and business processes that are most important to your leadership. That usually means creating and using a Risk Register to identify, prioritize, and track your risks over time. Key word: Prioritize.  If you’ve identified 75-100 risks to your business, and you can prioritize them according to likelihood and impact, you’re halfway there. 

The highest risks will bubble up to the top, and which ones to tackle first will be perfectly clear. Let the Risk Register drive your security program, so your resources are spent on the right things; otherwise you’ll just be playing whack-a-mole. Every dollar and day you spend on something is a dollar and day you don’t get to spend on something else.
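To make the prioritization concrete, here is a small risk register in Python. It is an added example for this post, not ProCircular’s tooling or a standard format: the 1-5 likelihood and impact scales, the assumption that controls reduce likelihood proportionally (leaving impact unchanged), and every register entry are constructed for illustration. The four checklist items from above appear alongside two business-process risks that no generic list would mention, which is the point: the register, not the checklist, decides what gets worked on first.

```python
"""Minimal risk register with likelihood x impact prioritization.

Added example for this post; not ProCircular's tooling. The scales, the
residual-risk model and the sample entries are all constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed qualitative 1-5 ordinal scales (the kind many NIST SP 800-30 style
# assessments use). Any consistent ordinal scale would work the same way.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    id: str
    description: str
    asset: str                      # the data or business process at stake
    likelihood: str                 # key into LIKELIHOOD
    impact: str                     # key into IMPACT
    controls: list = field(default_factory=list)   # planned or implemented remediation
    control_effectiveness: float = 0.0             # 0.0 = no control .. 1.0 = fully mitigated
    owner: str = ""
    status: str = "open"            # tracked over time: open / in progress / closed

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Assumed model: controls reduce likelihood proportionally, impact is unchanged."""
        return round(self.inherent_score() * (1 - self.control_effectiveness), 1)


def prioritize(register):
    """Highest residual risk first; ties broken by inherent score, then by id."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.id))


def top_risks(register, n=5):
    """IDs of the n risks that should be getting the budget right now."""
    return [r.id for r in prioritize(register)[:n]]


def is_priority_work(register, risk_id, n=5):
    """Whack-a-mole check: does a proposed work item map to one of the top-n risks?"""
    return risk_id in top_risks(register, n)


# Constructed sample register: the post's four checklist items plus two
# business-process risks that a generic 'top things to do' list never mentions.
REGISTER = [
    Risk("R-01", "Telnet enabled on network switches", "network management",
         "possible", "moderate", ["disable telnet, enforce SSH"], 0.9, "netops", "in progress"),
    Risk("R-02", "RDP exposed directly to the internet", "file server",
         "almost certain", "major", [], 0.0, "sysadmin"),
    Risk("R-03", "SMBv1 enabled on file servers", "file server",
         "likely", "severe", ["disable SMBv1"], 0.0, "sysadmin"),
    Risk("R-04", "One shared local admin password on all workstations", "workstations",
         "likely", "major", ["deploy LAPS"], 0.5, "sysadmin", "in progress"),
    Risk("R-05", "Invoice payment approved on a single unverified email", "accounts payable",
         "likely", "severe", [], 0.0, "finance"),
    Risk("R-06", "No tested restore of the ERP database backups", "ERP",
         "possible", "severe", [], 0.0, "it"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.id} inherent={r.inherent_score():>2} residual={r.residual_score():>4} "
              f"[{r.status}] {r.description}")
    print("top 3:", top_risks(REGISTER, 3))
```

Run as a script it prints the register in priority order. The telnet item (R-01) drops to the bottom because its control is nearly complete, while the exposed RDP, the SMBv1 servers and the unverified-invoice process share the top score; `is_priority_work(REGISTER, "R-01", 3)` returns False, which is exactly the question to ask before spending another day on it.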

We want to be sure we’re whacking the right moles. 

Topics: Cybersecurity, HIPAA, DDOS, it risk assessment, cybersecurity plan, NIST