Build and maintain an accurate risk profile that keeps business FIRST!
Introduction
We've discussed risk profiles in some of our other write-ups, but we wanted to take the time today to deep dive into the topic for the edification of our readers and as a basis for future communications.
Understanding a company, what makes it tick, and what could make it conk out is key to providing solutions that allow the business to achieve its objectives. We will define the risk management lifecycle during this walkthrough and discuss some methods for developing a company's cyber risk profile. Hopefully, we can conclude why it's essential and give you some ideas about where to begin!
The Risk Management Lifecycle
Various organizations in the past have documented the risk management lifecycle. The flavors may be different, but they all communicate the same series of steps. These steps are as follows:
- Resource Profiling: Describe the resource and rate risk sensitivity to the business (Business Owner)
- Risk Assessment: Identify and rate threats, vulnerabilities, and risks (Information Security)
- Risk Evaluation: Decide to accept, avoid, transfer, or mitigate risk (Information Security and Business Owner)
- Document: Document risk decisions, including exceptions and mitigation plans (Information Security and Business Owner)
- Risk Mitigation: Implement a mitigation plan with specified controls (resource custodian or system owner)
- Validation: Test the controls to ensure the actual risk exposure matches the desired risk levels (Information Security)
- Monitoring and Audit: Continually track changes to the system that may affect the risk profile and perform regular audits (Information Security and Business Owner)
Wheeler, E., 2010. Security Risk Management, 11th Edition, ISBN 9781597496162. Direct Textbook [online]. Available at: <https://www.directtextbook.com/isbn/9781597496162> [Accessed 7 April 2022].
This write-up is focused solely on the company's risk profile, so we will only discuss step 1, Resource Profiling. We will address the subsequent steps in future blogs, as each plays a significant role in effectively identifying and managing cybersecurity risk.
Resource Profiling
I'm a techie, but I am also aware that technology enables business and is not core business in most cases. This is why it's essential to understand the company and its business delivery model before performing any risk profiling.
For instance, what is Meta's product and/or service? It's not Facebook; it's your data, which is extracted and sold to product and service providers for marketing purposes. Meta just so happens to let you keep in touch with old friends on the same platform where it gathers that data.
Ingenious, I tell you!
When it comes to profiling resources, we must first be certain that we have adequately categorized the IT systems and data used to deliver the company's products and services. For instance, here are some categories that may come to mind:
- Cloud-based systems [private / public]
- Virtualized systems [no matter where they live]
- Endpoints
- Servers
- Network devices [routers, switches, and other components]
Depending on the industry, this list may expand or contract, but the critical thing to remember is that you must first and foremost have a complete inventory to profile your resources.
Next, we must analyze the types of data that these information systems transmit, store, and/or process. Without that information, we run the risk of over-categorizing the risk of an asset simply because it happens to be within our resource pool.
Meta has a series of resources that are key to delivering Facebook and Instagram. It also has resources intended to house the data of the individuals and businesses that leverage its platforms. Which of these resources is of greater importance to the company?
Let the Business Decide
Earlier, when we defined the stages of the risk management lifecycle, we provided the role responsible for delivering each of the results of the steps to the business. In the case of Resource Profiling, the Business Owner has been identified as the responsible party.
Rightly so!
This does not mean that the business is discouraged from consulting cybersecurity when developing a risk profile for its assets. On the contrary, it most certainly is encouraged to! However, we should always remind the business owner that the risk we are analyzing is not the cyber posture risk; it is the risk to business operations if the resource in question were compromised or destroyed.
At a minimum, the risk profile should contain the following details:
- General description of the resource
- Function and features
- Information classification [transmitting, storing, or processing]
- Criticality to the organization
- Applicable regulations
You will often find this information within the details of a Business Impact Analysis (BIA); however, it has been my experience that most organizations have not performed one, and if so, they have not done so continuously.
The Risk Profile Is a Moving Target!
The risk that a resource poses to an organization is always in a state of change. Why? Because the information system and the information it interacts with are themselves constantly undergoing some form of change.
For instance, let's assume that our organization has built an in-house Customer Relationship Management (CRM) solution leveraging packages that have become obsolete since our last risk profiling exercise. The CRM's risk will likely be elevated mainly because of its infrastructure status change.
Keep in mind that this is a reasonably rudimentary example; however, many things can impact the risk profile of an asset, including but not limited to:
- Changes to infrastructure
- Newly formed interfaces with high-risk systems
- Changes in regulation
- Repurposing of assets [expansion or reduction of use]
Keep in mind that an asset's risk profile can increase or decrease based on these variables. This is why it is so important to have a mature change management program in place, so that profiles can be adjusted as your operating environment changes.
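To make the two preceding sections concrete, here is an added illustration (not code from the original post) of a business-owned risk profile that carries the minimum fields listed above and is re-evaluated when one of the change types just listed occurs. The scoring formula, the rating bands, the change-type names, and the sample CRM record are all assumptions made for this example; the point is that the rating moves up or down as the environment changes, and that an inventory check can reveal assets nobody has profiled yet.

```python
"""Toy model of a resource risk profile that is re-evaluated as the
environment changes. Added illustration: the scoring formula, rating
bands and change-type names are assumptions, not a published standard."""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Sensitivity of the data the resource transmits, stores or processes."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


class Criticality(IntEnum):
    """Importance of the resource to business operations."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class RiskProfile:
    """The minimum fields a profile should carry; the business owner fills these in."""
    resource: str
    description: str
    functions: list[str]
    classification: Classification
    criticality: Criticality
    regulations: list[str] = field(default_factory=list)
    exposure: int = 0                        # modifier accumulated from environment changes
    change_log: list[str] = field(default_factory=list)

    def score(self) -> int:
        """Business-impact score (assumed formula): data sensitivity weighted by
        criticality, plus regulatory load (capped) and accumulated exposure."""
        return (self.classification * self.criticality
                + min(len(self.regulations), 4)
                + self.exposure)

    def rating(self) -> str:
        """Map the score onto assumed rating bands."""
        s = self.score()
        if s <= 4:
            return "Low"
        if s <= 8:
            return "Moderate"
        if s <= 12:
            return "High"
        return "Critical"

    def apply_change(self, kind: str, detail: str = "") -> str:
        """Re-profile after one of the change types the post lists and
        return the new rating so the caller can see whether it moved."""
        before = self.rating()
        if kind == "infrastructure_obsolete":        # e.g. packages gone end-of-life
            self.exposure += 2
        elif kind == "new_high_risk_interface":      # new link to a high-risk system
            self.exposure += 2
        elif kind == "regulation_added":             # new regulation now applies
            if detail and detail not in self.regulations:
                self.regulations.append(detail)
        elif kind == "repurpose_expand":             # wider use, more sensitive data
            self.classification = Classification(min(self.classification + 1, 4))
        elif kind == "repurpose_reduce":             # narrower use, less sensitive data
            self.classification = Classification(max(self.classification - 1, 1))
        else:
            raise ValueError(f"unknown change type: {kind}")
        self.change_log.append(f"{kind}:{detail} {before}->{self.rating()}")
        return self.rating()


def unprofiled_assets(inventory: set[str], profiles: dict[str, RiskProfile]) -> set[str]:
    """Assets present in the inventory but lacking a business-owned profile:
    you cannot profile what you have not inventoried, and vice versa."""
    return inventory - set(profiles)


if __name__ == "__main__":
    # Constructed sample: the in-house CRM from the post's example.
    crm = RiskProfile("crm", "In-house customer relationship management system",
                      ["customer records", "sales pipeline"],
                      Classification.CONFIDENTIAL, Criticality.HIGH, ["GDPR"])
    print(crm.resource, crm.rating())                       # High
    print(crm.apply_change("infrastructure_obsolete"))      # still High
    print(crm.apply_change("new_high_risk_interface"))      # Critical
    print(crm.apply_change("repurpose_reduce"))             # back to High
    print(unprofiled_assets({"crm", "mail", "vpn"}, {"crm": crm}))
```

Run it as a script to see the CRM's rating climb when its packages go obsolete and a new interface to a high-risk system appears, then fall again when its use is narrowed; the change log records each transition, which is the kind of trail a change management program should be able to produce.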
Why is the Risk Profile so Important?
We are not in the business of providing security for security's sake! Our number one objective is to support business concerns and manage risk to an acceptable level. As cybersecurity leaders and business leaders, we all know that resources, people, technology, and funding are limited. Therefore, we must distribute those resources strategically across the assets posing the highest level of risk to the organization. Doing so allows us to tie every information security effort to business drivers, winning us friends in key places and ultimately producing effective and efficient security programs for our stakeholders!
Conclusion
The Resource Profile or Risk Profile is fundamental to any cybersecurity program because it directly ties information systems and critical data to the business needs. Without doing so, we as cybersecurity practitioners often find ourselves trying to secure everything instead of focusing limited resources on systems and information that matter most.
The business owns Resource Profiling and the Risk Profile; however, we should always be willing to consult with the business owner, reminding them to keep the business first when determining risk. When we do this, we build robust security solutions around what's critical and make exceptions for things that are not!
What are your thoughts on Risk Profiling? Has your organization performed this exercise before, and if so, do they do it consistently? If not, become the enabler instead of the function of no!
Until next time, remember to provide security solutions that keep business FIRST!