SGRC systems: Risks, part 3

Risk handling

The main purpose of a risk assessment is to form a strategy to avoid or mitigate the damage of potential cyber incidents.

But while an audit is about the present (there is a specific requirement, it is not being met now, the picture is clear), when it comes to future threats it can be extremely difficult for CS staff to explain to management why a budget should be allocated. A risk assessment helps translate the needs of the CS department into the language of the business and convey the importance of the information obtained.

At the same time, SGRC solutions strengthen communication with the business by abstracting higher-level risks from technical ones and by automatically generating clear graphs and visual dashboards that simplify this communication without extra time spent by employees.

Accumulating technical data about the state of CS is an important task, but not the final one. To make a breakthrough in the quality and effectiveness of the information security system, this data must be put into context and properly analyzed.

Ideally, of course, one would want to use the SGRC system after implementation not “in a vacuum” but to aggregate in it information useful to the processes it automates. From this point of view it is good when the SGRC system can, for example, integrate with the CS incident tracking system in order to use incident statistics in the common formula for calculating the probability of risk realization, take into account the damage actually incurred from incidents to correct the value of potential damage from a risk for the organization, or take into account specific results of control assessments in order to automatically select the relevant subjects or preconditions of threat realization.
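The three integrations described above (incident statistics feeding the probability formula, incurred damage correcting the damage estimate, and control assessment results selecting threat preconditions) can be sketched in a small risk register. This is an added illustration, not code from the article or from any SGRC product, and the blending formulas, the weight given to the expert estimate, the risk and control names and the incident records are all constructed assumptions.

```python
"""Constructed example of a risk register that is corrected by incident
statistics and control-assessment results.

Assumptions (not from the article): an expert's prior estimate is treated as
worth PRIOR_WEIGHT_YEARS years of observation, annual probabilities are
converted to Poisson rates before blending, and a threat precondition holds
when any of the controls that should block it failed or was not assessed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    prior_probability: float        # expert estimate: annual probability of realization, 0..1
    estimated_damage: float         # expert estimate: damage per realization (currency units)
    preconditions: tuple[str, ...]  # controls whose failure enables the threat


@dataclass(frozen=True)
class Incident:
    risk_id: str   # risk the incident is attributed to in the incident tracking system
    damage: float  # damage actually incurred


PRIOR_WEIGHT_YEARS = 3.0  # assumption: expert opinion counts as three years of observations


def annual_rate(probability: float) -> float:
    """Convert an annual probability of at least one event into a Poisson rate."""
    return -math.log(1.0 - min(probability, 0.999999))


def blended_probability(prior: float, incident_count: int, years_observed: float,
                        prior_weight: float = PRIOR_WEIGHT_YEARS) -> float:
    """Blend the expert prior with the observed incident frequency.

    The prior is worth `prior_weight` years; each observed year adds its
    incident count. The result is converted back to an annual probability.
    """
    rate = (annual_rate(prior) * prior_weight + incident_count) / (prior_weight + years_observed)
    return 1.0 - math.exp(-rate)


def corrected_damage(estimate: float, observed: list[float],
                     prior_weight: float = PRIOR_WEIGHT_YEARS) -> float:
    """Weighted mean: the expert estimate weighs `prior_weight`, each incident weighs 1."""
    return (estimate * prior_weight + sum(observed)) / (prior_weight + len(observed))


def preconditions_met(risk: Risk, control_results: dict[str, bool]) -> bool:
    """The threat is realizable if any enabling control failed or was never assessed."""
    return any(not control_results.get(control, False) for control in risk.preconditions)


def assess(risks: list[Risk], incidents: list[Incident],
           control_results: dict[str, bool], years_observed: float) -> dict[str, dict]:
    """Build the corrected register: probability, damage, applicability, expected annual loss."""
    report = {}
    for risk in risks:
        hits = [i.damage for i in incidents if i.risk_id == risk.risk_id]
        probability = blended_probability(risk.prior_probability, len(hits), years_observed)
        damage = corrected_damage(risk.estimated_damage, hits)
        active = preconditions_met(risk, control_results)
        report[risk.risk_id] = {
            "probability": round(probability, 3),
            "damage": round(damage, 2),
            "active": active,
            # a risk whose preconditions are closed by passing controls carries no expected loss
            "expected_loss": round(probability * damage, 2) if active else 0.0,
        }
    return report


# Constructed sample data: two risks, two incidents over two observed years, two controls.
RISKS = [
    Risk("R1", prior_probability=0.5, estimated_damage=100_000.0, preconditions=("MFA",)),
    Risk("R2", prior_probability=0.1, estimated_damage=20_000.0, preconditions=("Backups",)),
]
INCIDENTS = [Incident("R1", 40_000.0), Incident("R1", 70_000.0)]
CONTROL_RESULTS = {"MFA": False, "Backups": True}  # constructed control-assessment outcome
YEARS_OBSERVED = 2.0


def run_example() -> dict[str, dict]:
    return assess(RISKS, INCIDENTS, CONTROL_RESULTS, YEARS_OBSERVED)


if __name__ == "__main__":
    for risk_id, row in run_example().items():
        print(risk_id, row)
```

With the sample data, R1's two incidents raise its probability above the 0.5 prior and pull the damage estimate toward the observed figures, while R2 stays listed but is marked inactive because the control guarding its precondition passed, so it contributes no expected loss. With no observations the functions return the expert estimates unchanged, which is the behaviour a register should have before incident data starts to arrive.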

SGRC class systems provide a three-dimensional view of the CS:

  • State of the CS now.
  • State of CS in the future.
  • An overall view of the CS management process.

The last point is the final part in the acronym – Governance. In all cyber security processes, classic problems are:

  • Lack of resources, and expert workload.
  • Poorly defined policy management process (in most cases it is entirely manual).
  • Deviation from CS strategy due to the heavy focus on the implementation of operational tasks.
  • Lack of understanding of areas of responsibility.
  • Non-transparency of processes, inability to track their statuses and deadlines.

SGRC systems become a disciplining tool for executors, a window and a monitoring center for CS managers, and a translator in the business language for communication with organization management.

But it is vital not to miss another very important point. There are many really good products on the market, but the effects of implementation will come only if the party implementing the solution has the necessary skills and expertise in the processes being automated. Only then is it possible to reach the next level of CS process maturity and thereby raise the overall quality of processes in the organization.