- The exponential growth of digital landscapes multiplies vulnerable assets even as organizations struggle with a surge of cyberattacks.
- Manual risk management methods often do not identify and assess risks quickly enough to offer complete and real-time insights to support strategic decision-making.
- Empowering development teams to complete their own risk assessments is a common goal but often fails due to lack of security expertise.
Our Advice
Critical Insight
- Develop a scalable, integrated process to assess and manage security risks
- Leverage best-practice frameworks, drawing on emerging technologies to accelerate manual tasks
- Enlist organizational participants to ensure reliable security risk data is available when you need it.
Impact and Result
- Reduce security risk over time.
- Improve security incident metrics, as well as their impact on the organization and the average incident response time.
- Regular audits and assessments are more likely to show the security risk management program adheres to relevant security standards.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
8.9/10 Overall Impact
$35,184 Average $ Saved
23 Average Days Saved

Client | Experience | Impact | $ Saved | Days Saved | Comment |
---|---|---|---|---|---|
Hitachi Rail GTS Canada Inc. | Guided Implementation | 8/10 | N/A | 2 | |
Soboba Band of Luiseno Indians | Guided Implementation | 10/10 | $12,330 | 4 | |
EBSCO Industries Inc | Guided Implementation | 10/10 | $6,850 | 8 | Jon was an amazing partner to work with. His knowledge and expertise were essential to our success in establishing a more rigid Risk Management Pr... |
Seneca Gaming Corporation | Workshop | 8/10 | $13,700 | 10 | Primary benefits of the workshop to SGC: 1 - Opportunity to formally introduce concepts to senior management. It is often helpful when a third-p... |
AgHeritage Farm Credit Services d/b/a Insight Technology Unit (ITU) | Workshop | 8/10 | $32,195 | 10 | I attended a workshop recently that was truly excellent. The leader, Fritz, had a deep understanding of our specific needs and was able to guide us... |
UCLA | Workshop | 5/10 | N/A | N/A | The STRIDE model and tool were not explained at the beginning of the sessions. I was not clear on the methodology or intended outcomes. The initi... |
Diamond Trading Company Botswana (PTY) LTD. | Workshop | 10/10 | $12,999 | 10 | The best part was that the consultant was very knowledgeable in all aspects of information security and was very engaging and encouraging participat... |
UCLA | Workshop | 9/10 | N/A | 32 | The best part was our facilitator. She was great. There was no "worst part". The workshop exceeded my expectations. |
UCLA | Workshop | 10/10 | $64,999 | 20 | Coordinating discussion among different teams and helping us identify gaps |
Camosun College | Guided Implementation | 10/10 | $25,000 | 20 | No worst part, these tools take time to work through. The benefits of a structured threat and risk assessment using the STRIDE model is fantastic! ... |
California Department of Human Resources | Guided Implementation | 10/10 | $113K | 115 | The best part of the experience was the invaluable assistance and advice provided by the analyst, Ian, both in terms of research assistance, and in ... |
American Transmission Company | Guided Implementation | 8/10 | $2,393 | 5 | Tools and templates are great. |
STERIS Corporation | Guided Implementation | 10/10 | $12,599 | 29 | Ian is a joy to work with. He really takes the time to tailor the work around progressing programs with actionable items each meeting to improve th... |
State of Hawaii – ETS | Guided Implementation | 10/10 | $64,999 | 50 | Good: helped realign priorities; will revisit once we've established a more solid baseline on security program. |
London Health Sciences Centre and St. Joseph's Health Care, London | Guided Implementation | 9/10 | $10,000 | 5 | Overall understanding of problem and some suggestions for a brainstormed solution. |
Southwest Gas Corporation | Guided Implementation | 10/10 | $125K | 20 | Ian is very knowledgeable about your product as well as risk. He listens well and provides great feedback. We see Ian as a great resource and con... |
Atlantic Canada Opportunities Agencies | Guided Implementation | 8/10 | $47,500 | 10 | Very good feedback. Open discussions. Varied ideas. Strong focus on IT less pertinent to my role, but nonetheless useful. Services are very appr... |
Canadian National Railway | Guided Implementation | 10/10 | $2,000 | 5 | |
Blessing Hospital | Guided Implementation | 8/10 | N/A | N/A | Good discussion and follow-up call with additional analyst and different blueprint that may be more targeted towards Dr. Siddiqui's interest. |
Blessing Hospital | Guided Implementation | 10/10 | N/A | N/A | Can't estimate the savings at this point; however, the call exceeded expectations in research material being able to solve the business problem at hand. |
California Department of Corrections & Rehabilitation | Guided Implementation | 9/10 | N/A | N/A | |
Federal Home Loan Bank of Chicago | Guided Implementation | 10/10 | N/A | N/A | I loved talking with Ian about risk philosophy! He helped me put together a risk tolerance and risk register for my organization that was focused ... |
Nakisa Inc. | Workshop | 8/10 | N/A | 20 | All was good. |
The Ottawa Hospital | Guided Implementation | 10/10 | $11,500 | 10 | |
British Columbia Transit | Workshop | 8/10 | $50,000 | 20 | |
California Department of Corrections & Rehabilitation | Guided Implementation | 9/10 | N/A | N/A | Great insight on how to work through the program steps. Lots of knowledge and advice on what's important and whether a methodical or practical app... |
Apria Healthcare | Guided Implementation | 8/10 | N/A | N/A | |
Colonial Savings, F.A. | Guided Implementation | 10/10 | $764K | 10 | Ian did a great job of understanding what I was trying to accomplish and modifying the process for my needs. |
BWX TECHNOLOGIES, INC. | Guided Implementation | 9/10 | N/A | N/A | |
Workshop: Assess and Manage Security Risks
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Build Program Governance
The Purpose
- Design an effective governance structure for managing security risk.
Key Benefits Achieved
- Security risk management governance structure
Activities
- Assess security risk management (SRM) program maturity.
- Define SRM governance.
- Build a security risk assessment framework.
Outputs
- Program goals and scope
- Roles and responsibilities
- Risk assessment framework
- Risk tolerance
Module 2: Identify Information Security Risks
The Purpose
- Develop a process for identifying information security risks.
Key Benefits Achieved
- Defensible and realistic process to identify security risks.
Activities
- Build a repeatable security threat and risk assessment (TRA) process.
- Prepare the sample TRA.
- Evaluate relevant assets.
Outputs
- Repeatable TRA process
- Sample TRA to trial the process
Module 3: Analyze Information Security Risks
The Purpose
- Establish a repeatable methodology for analyzing information security risks.
Key Benefits Achieved
- Leverage artificial intelligence to enhance the analysis of information security risks.
Activities
- Assess likelihood and impact.
- Prioritize security risks.
- Identify risk treatment options.
Outputs
- Process to assess and prioritize security risks
- List of prioritized security risks
Module 4: Treat Information Security Risks
The Purpose
- Define the security risk treatment process.
Key Benefits Achieved
- Integrated security risks within IT and enterprise risk management.
Activities
- Identify quick wins to reduce exposure.
- Build risk management action plans.
- Build a risk monitoring and communication plan.
Outputs
- Risk register with a risk inventory of security risks
- Defined and prioritized risk management action plans
Assess and Manage Security Risks
Accelerate your security threat and risk assessments with AI.
Analyst perspective
Enable innovation.
A mature security risk management practice is a critical component of a comprehensive and risk-aware information security program. What is often missed is that a successful security risk management practice also enables innovation. It not only reduces the residual risk associated with technology use to a level acceptable to the organization but also empowers the organization to make informed decisions about taking the right risks.
A key challenge with traditional approaches to security risk management is that threat and risk assessments are often too unwieldy to offer complete and real-time insights for decision-making. The key function of security risk management is timely triage, distinguishing between risks that require immediate action and those that can be addressed later. If processes can't do that, then they will fail.
Streamline risk identification and assessment processes to focus on how the organization treats security risks and incorporate them in a comprehensive enterprise risk management program. Next, collaborate with participants to identify, assess, and monitor risks to ensure reliable risk data is available to support proactive decision-making when needed. You don't need to go it alone.
Michel Hébert
Principal Research Director, Security and Privacy
Info-Tech Research Group
Executive summary
Your Challenge | Common Obstacles | Info-Tech's Approach |
---|---|---|
A mature security risk management practice is a critical component of a comprehensive and risk-aware information security program. Yet security leaders struggle to: | | Implement a dynamic approach to assess and manage security risks effectively: |
Info-Tech Insight
Develop a scalable, integrated process to assess and manage security risks, one that leverages best-practice frameworks, draws on emerging technologies to accelerate manual tasks, and enlists organizational participants to ensure reliable security risk data is available when you need it.
Your challenge
Security leaders struggle to develop a reliable process to manage security risks.
Security experts often find it challenging to fit standard frameworks for assessing security risks into their company's specific practices.
There are three specific gaps:
- Lack of structure. There isn't a clear agreement on the basic terms used to talk about security risk and how to evaluate it. Many in the field tend to rely on their gut feelings and what they've learned through past experiences instead of following standardized approaches.
- Lack of timely data. Different groups in the same organization often use different, potentially conflicting information to describe the same aspect of a security risk. To compound the problem of conflicting reporting, underlying data is often too dated to be of use in managing quickly evolving cyberthreats.
- Lack of clarity. Security leaders often lack the expertise to translate security information into the business language of risk management and communicate their needs to upper management.
Common obstacles
The exponential growth of digital landscapes multiplies vulnerable assets
- The rapid expansion of digital technology globally is creating new areas for conflict and enabling various groups, including governments and other organizations, to launch cyberattacks across national borders.
- Technology has become a cornerstone for managing public services and business operations. Governments, communities, and businesses alike rely on technology to complete daily tasks. As we integrate various platforms, tools, and interfaces and the internet moves toward a more decentralized model, this complexity introduces a wider array of security vulnerabilities and increases the potential for critical failures.
- Security experts must contend with this growing attack surface and devise more efficient ways to identify, assess, and manage the security risks that threaten them. Manual risk management methods often do not identify and assess risks quickly enough to offer complete and real-time insights to support strategic decision-making.
Common obstacles
Meanwhile, organizations are facing a record high volume of cyberattacks
- US $4.45M: Average cost of a data breach in 2023, a 15% increase over three years and the highest average on record (IBM, 2023)
- US $1.54M: Average ransomware payout in 2023, up 89% from 2022 (Sophos, 2024)
- 8.2B records: Number of records exposed in data breaches in 2023 (IT Governance, 2024)
Yet recent research revealed that fewer than one in ten (8%) organizations complete cyber risk assessments monthly, and fewer than half (40%) conduct them even annually (ISACA, 2024).
Info-Tech's approach
Integrate risk management for a more strategic approach to information security
Integrate risk management
A recent study indicates that approximately 30% of organizations aren't just talking about risk but are assessing it, even without a formal risk management framework, while nearly half take an even more serious approach and supplement it with a formal framework. The trend highlights the growing awareness among organizations of the importance of assessing and managing security risks.
The evolving role of the CISO
Meanwhile, KPMG's Cybersecurity Considerations for 2024 underscores the evolving role of the chief information security officer (CISO). They are now seen more as proactive partners in managing ongoing business needs rather than being solely responsible for rescuing the organization during times of crisis. This shift implies a more integrated approach to cybersecurity across various organizational functions (KPMG, 2024).
Info-Tech's approach to security risk management (SRM)
1. Define the Scope
Identify assets that need protection and the environment in which they operate.
2. Assess Valuation
Determine the value, operational importance, and sensitivity of each asset and its role in compliance with regulations.
3. Identify Threats
Identify potential threats to each asset (e.g. cyber, physical, or internal threats).
4. Assess Vulnerabilities
Analyze the vulnerabilities that could be exploited by the identified threats.
5. Analyze and Evaluate Risks
Assess the likelihood and potential impact of each threat exploiting a vulnerability.
6. Prioritize Security Risks
Prioritize security risks. Allocate resources to the most significant risks first.
7. Treat Risks
Implement preventive, detective, or responsive security controls.
8. Monitor and Review
Monitor control effectiveness, track newly emerging threats and vulnerabilities, and adjust the threat and risk assessment (TRA) accordingly.
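As an added illustration of the eight steps above (example code written for this page, not Info-Tech's Threat and Risk Assessment Tool), the following Python register scores constructed sample risks by likelihood and impact, prioritizes them against a tolerance threshold, and recomputes residual exposure after a control is applied; the 1-5 scales, the tolerance value of 12, and the asset and threat names are all assumptions.

```python
from dataclasses import dataclass

# Ordinal 1-5 scales for likelihood and impact (assumed labels for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CONTROL_TYPES = {"preventive", "detective", "responsive"}  # step 7 treatment options


@dataclass
class Asset:                      # steps 1 and 2: an in-scope asset and its valuation
    name: str
    valuation: int                # 1 (low) .. 5 (critical) to the organization


@dataclass
class Risk:                       # steps 3 and 4: a threat paired with a vulnerability
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    control: str = ""             # step 7: chosen treatment, empty until treated
    control_type: str = ""

    def exposure(self) -> int:
        """Step 5: exposure = likelihood x impact, on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 6: highest exposure first; asset valuation breaks ties."""
    return sorted(register, key=lambda r: (r.exposure(), r.asset.valuation), reverse=True)


def needs_treatment(risk: Risk, tolerance: int) -> bool:
    """Risks at or above the organization's tolerance get an action plan;
    the rest are accepted and kept under review (step 8)."""
    return risk.exposure() >= tolerance


def treat(risk: Risk, control: str, control_type: str, new_likelihood: str) -> int:
    """Step 7: record a control that lowers the likelihood and return the
    residual exposure (impact of a successful exploit is left unchanged)."""
    if control_type not in CONTROL_TYPES:
        raise ValueError(f"unknown control type: {control_type}")
    risk.control, risk.control_type = control, control_type
    risk.likelihood = new_likelihood
    return risk.exposure()


def build_action_plan(register: list[Risk], tolerance: int) -> list[str]:
    """Step 6 output: prioritized list of the risks that exceed tolerance."""
    return [f"{r.asset.name}: {r.threat} via {r.vulnerability} (exposure {r.exposure()})"
            for r in prioritize(register) if needs_treatment(r, tolerance)]


# Constructed sample register for a fictional organization (not real data).
ERP = Asset("ERP finance module", valuation=5)
WIKI = Asset("internal wiki", valuation=2)
REGISTER = [
    Risk(WIKI, "credential stuffing", "no MFA on SSO", "likely", "minor"),          # 4 x 2 = 8
    Risk(ERP, "ransomware", "unpatched application server", "possible", "severe"),  # 3 x 5 = 15
    Risk(ERP, "insider misuse", "shared admin account", "possible", "major"),       # 3 x 4 = 12
]
TOLERANCE = 12   # assumption: exposure of 12 or more exceeds the risk appetite

if __name__ == "__main__":
    for line in build_action_plan(REGISTER, TOLERANCE):
        print(line)
    residual = treat(REGISTER[1], "patch and segment the server", "preventive", "unlikely")
    print("residual exposure after treatment:", residual)
```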
Info-Tech Insight
Develop a scalable, integrated process to assess and manage security risks, one that leverages best practice frameworks, draws on emerging technologies to accelerate manual tasks, and enlists organizational participants to ensure reliable security risk data is available when you need it.
Before you proceed
Consider the scope of your risk management project
- This project blueprint will help you:
  - Build a basic governance structure for security risk management and align it to enterprise risk management.
  - Build a repeatable process to identify, assess, and treat security risks, including a threat and risk assessment process.
  - Practice the security risk management process you build on a few key systems or projects.
- If you need to build a broader IT risk management program or integrate security, IT, and enterprise risk management in a single program, try these resources instead:
Info-Tech's methodology to assess and manage security risks
| | 1. Build Program Governance | 2. Identify Information Security Risks | 3. Analyze Information Security Risks | 4. Treat Information Security Risks |
|---|---|---|---|---|
| Phase Steps | 1.1 Assess SRM program maturity. 1.2 Define program governance. 1.3 Build a risk assessment framework. | 2.1 Create a repeatable TRA process. 2.2 Prepare the sample TRA. 2.3 Evaluate relevant assets. | 3.1 Assess likelihood and impact. 3.2 Prioritize security risks. 3.3 Identify risk treatment options. | 4.1 Build risk management action plans. 4.2 Build risk monitoring plans. |
| Phase Outcomes | Establish the governance structure of the SRM program and align it with the enterprise risk management (ERM) program. | Build a flexible and adaptive approach to TRAs to identify information security risks. | Build a repeatable process for analyzing security risks based on likelihood and impact and prioritize security risks for remediation. | Identify risk response options, identify quick wins for risk mitigation, and build risk management action plans for more complex risks. |
Insight summary
Accelerate security risk identification and mitigation
Develop a scalable, integrated process to assess and manage security risks. This process should leverage best-practice frameworks, draw on emerging technologies to accelerate manual tasks, and enlist organizational participants to ensure reliable security risk data is available when needed.
Integrate the SRM practice
Move away from an approach to security risk management that encourages compartmentalized processes toward a more integrated approach.
Without a common governance framework, effective risk assessment and aggregation at the enterprise level is impossible.
Be proactive
Risk discovery can be methodical or spontaneous. Risk practitioners must identify risks actively rather than merely reacting to them after the fact.
Develop a flexible approach to threat modeling and risk assessments to keep pace with cyberattacks' speed, scale, and complexity.
Engage the business
IT security may be the front line of defense against security risks, but risk mitigation often involves costs that exceed the CISO's budget.
Build strong relationships with business owners and involve them in assessing and managing security risks. The business is ultimately responsible for budgeting and risk management decisions.
Share security responsibility
Security risks are business risks since every security issue can affect the business.
Develop a security risk management program that shares responsibility for risk treatment and monitoring with the business.
Encourage accountability
Integrated risk governance is complex. To ensure the success of your SRM practice, build two simple elements into your program: Assign clear responsibilities and accountabilities and establish guidelines for risk reporting and communication.
Build a repeatable process
Threat and risk assessments are critical components of a proactive security risk management program. Build a repeatable process for conducting objective assessments of existing risks and comparing them to the organization's risk tolerance.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
SRM Maturity Assessment Tool
A maturity assessment for the security risk management program.
TRA Process Template
A template for the security threat and risk assessment process.
Program Governance Tools
The Security Risk Management Program RACI Tool and Security Risk Tolerance Assessment Tool
Security Risk Management Tools
A Threat and Risk Assessment Tool and an Integrated Risk Register
Key Deliverables
The tools and templates that focus on threat and risk assessment are the most important deliverables in this project.
Use them to build a repeatable threat and risk assessment process and integrate it with IT and enterprise risk management.
Keep your organization safe
Measure the benefits of a robust security risk management program
- Baseline the performance of your organization against key metrics before proceeding with the security risk management improvement project.
- Organizations with a successful security risk management program:
  - Experience security risk reduction. The number and severity of identified risks decrease over time. This includes tracking resolved vulnerabilities and mitigated threats. Expect an initial increase in the number of risks identified.
  - Improve security incident metrics. The number of security incidents decreases over time, along with their impact on the organization and the average incident response time.
  - Are more likely to be compliant. Regular audits and assessments are more likely to show the security risk management program adheres to relevant security standards.
Measure the value of the SRM project
Info-Tech's approach will accelerate your success. Estimates reflect advisory and workshop experiences.
Without Blueprint | With Blueprint | ||
---|---|---|---|
Phase 1: Align the SRM program | 1 to 5 people | 1 day | 1-2 weeks |
Phase 2: Identify security risks | 1 to 5 people | 1 day | 4-6 weeks |
Phase 3: Analyze security risks | 1 to 5 people | 1 day | 4-6 weeks |
Phase 4: Treat security risks | 1 to 5 people | 1 day | 1-2 weeks |
Time Saved: 10-14 weeks
Benefits are iterative
The value of the project comes from the initial program design, but you will also experience benefits over time as you iterate the approach and evaluate additional risks more effectively.
Success story
Security Risk Management Workshop
Member: Anonymous
Industry: Higher Education
Source: Info-Tech Workshop, 2022
A large American university was planning the implementation of a security risk management program across its many campuses to augment an existing enterprise risk management program.
The challenge was to devise a standard security risk management methodology to inform the identification, assessment, and management of security risk campus-wide. The strategic goals of the project were to:
- Promote consistent risk tolerance and risk assessment across campuses.
- Support sound security risk assessment and treatment.
- Support the prioritization and resourcing of security initiatives.
Info-Tech used its security risk management methodology to devise repeatable processes to:
- Conduct threat and risk assessment.
- Conduct objective, proactive assessments of security risks.
- Build concise risk management action plans.
- Identify escalation paths with clear thresholds.
Results
The four-day engagement:
- Built a flexible and adaptive approach to threat and risk assessments to identify information security risks proactively.
- Built a process to analyze security risks, identify criteria for deeper assessments, and prioritize security risks for remediation.
- Built a process to identify risk response options and construct risk management action plans for more complex risks.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit | Guided Implementation | Workshop | Executive & Technical Counseling | Consulting |
---|---|---|---|---|
"Our team has already made this critical project a priority. We have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process. We need assistance to decide where we should focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team and processes are maturing; however, to expedite the journey we'll need a seasoned practitioner to coach and validate approaches, deliverables, and opportunities." | "Our team does not have the time or the knowledge to take on this project. We need implementation assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used across all five levels of support.
Guided Implementation
What does a typical GI on this topic look like?
Build program governance | Identify information security risks | Assess information security risks | Treat information security risks |
---|---|---|---|
Call #1: Scope requirements and assess SRM program maturity. Call #2: Review SRM governance. | Call #3: Discuss the scope, timings, and structure of TRAs. Call #4: Review draft of TRA process. | Call #5: Define criteria to assess risk exposure. | Call #6: Discuss risk treatment options and risk management action plan. Identify strategy risks. |
A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical Guided Implementation takes place in 4 to 6 calls over the course of 4 to 6 months.
Workshop Overview
| | Pre-work (CxO) | Day 1 | Day 2 | Day 3 | Day 4 | Post-work |
|---|---|---|---|---|---|---|
| | | Build Program Governance | Identify Information Security Risks | Analyze Information Security Risks | Treat Information Security Risks | Next Steps |
| Activities | | | | | | Finalize Deliverables (Info-Tech): Post-Workshop (CXO): |
| Outcomes | | | | | | |
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Recommended workshop participants
Participant | Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|
Senior Management (CIO, CRO, CISO) | ✔ | ✔ | | |
Key Business Units | ✔ | ✔ | ✔ | |
IT Security | ✔ | ✔ | ✔ | ✔ |
IT Infrastructure and Operations | ✔ | ✔ | ✔ | ✔ |
Risk Management (legal, risk, HR, audit) | ✔ | ✔ | ✔ | ✔ |
Data Analysts (legal, risk, HR, audit) | ✔ | | | |
Phase 1
Build Program Governance
Phase 1
1.1 Assess program maturity
1.2 Define program governance
1.3 Build a risk assessment framework
Phase 2
2.1 Create a repeatable TRA process
2.2 Prepare the sample TRA
2.3 Evaluate assets
Phase 3
3.1 Assess likelihood and impact
3.2 Prioritize security risks
3.3 Identify risk treatment options
Phase 4
4.1 Build management action plans
4.2 Build communication and monitoring plans
This phase will walk you through the following activities:
1.1 Assess program maturity
1.2 Define program governance
1.3 Build risk assessment framework
Outcome:
- Security risk management governance structure
This phase involves the following participants:
- Chief information officer
- Chief risk officer
- Chief security officer
- Representatives from key business units
- Security team
- Security risk management team
- Audit and Compliance (optional)
Integrate risk management
Siloed risks are risky business
Many organizations struggle to create a unified security, IT, and enterprise risk management approach. Security teams often operate independently, addressing risks primarily during compliance checks or project planning. This leaves organizational leaders out of the loop, with many unsure of their role in managing these threats.
Without a shared governance framework, it's impossible to assess and consolidate risks across the entire organization effectively. This phase aims to shift away from isolated, fragmented approaches to security risk management and move toward a unified, integrated strategy.
The following exercises will help you assess the maturity of your security risk management program, define its governance, and assess the organization's security risk tolerance. Every organization has a limit to the risk it's willing to take, even if that limit isn't formally defined.