Risk management frameworks like the CIS Critical Security Controls (CIS CSC) and the National Institute of Standards and Technology (NIST) frameworks have become indispensable tools for organizations aiming to protect their digital assets and ensure cybersecurity resilience. They provide structured, industry-recognized guidelines for identifying, managing, and mitigating risks.
However, valuable as they are, these frameworks cannot give an organization the full picture. They do not cover every risk an organization faces: frameworks are generalized by design, addressing the common threats and vulnerabilities most organizations share rather than the unique risk landscape of any one of them. They also tend to underemphasize the need to identify and understand an organization's own risk tolerance.
Organizations must understand the deficiencies of risk management frameworks in order to augment their value with a more tailored approach to risk assessment that considers organizations’ unique context.
The limitations of generalized risk coverage
The CIS Controls, the NIST frameworks, FFIEC guidance, CMMC, HIPAA, PCI DSS, and similar frameworks and compliance standards provide a comprehensive set of controls and best practices that organizations can implement to strengthen their cybersecurity posture. For instance, the CIS Controls focus on basic cyber hygiene: inventorying and controlling hardware and software assets, maintaining secure configurations, and continuous vulnerability management.
The NIST risk management framework helps organizations address security weaknesses.
Similarly, the NIST Cybersecurity Framework (CSF) organizes its guidance into five core functions (version 2.0 of the CSF adds a sixth, Govern, covering strategy, policy, and risk oversight):
- Identify: Establish an understanding of your organization's cybersecurity risks, assets, and resources so they can be managed effectively.
- Protect: Implement safeguards to limit or contain the impact of potential cybersecurity events.
- Detect: Develop and maintain the capability to identify cybersecurity incidents promptly.
- Respond: Take appropriate actions to contain and mitigate the effects of a detected cybersecurity event.
- Recover: Implement processes to restore systems and operations impacted by a cybersecurity incident.
However, one critical limitation of these frameworks is their generalized nature. Designed to apply across many industries and sectors, they take a "one-size-fits-all" approach to risk management. They are assembled by committees of security practitioners and experts, and the result often boils down to "least common denominator" coverage: the controls every organization needs, rather than the ones a particular organization needs most.
While this generalization ensures broad applicability, it also means that the frameworks may not address the unique risks specific to an organization. For example, a financial institution will face different risks than a healthcare provider. The former may prioritize risks related to financial fraud and insider trading, while the latter may be more concerned with patient data privacy and regulatory compliance.
Moreover, risks specific to an individual company usually fall outside the scope of these frameworks. For instance, if you sell 80% of your product to a single buyer, that concentration is a significant business risk, and it is not one the frameworks address.
These frameworks often lack the granularity needed to address sector-specific risks comprehensively. While they provide a solid foundation, organizations must go beyond these frameworks to identify and manage risks unique to their operations, industry, and threat environment. Without this tailored approach, organizations may find themselves exposed to risks that the frameworks do not explicitly cover.
The importance of contextualizing risk
Risk management should be contextualized to the specific environment in which an organization operates. The risks an organization faces are influenced by various factors, including its industry, size, geographic location, business model, and technological landscape. A risk management strategy that does not take these contextual factors into account is likely inadequate. The aforementioned frameworks are a great starting point, but they must be followed up with context that may increase or diminish the risk profile for the organization.
For instance, a multinational corporation with operations in multiple countries will face different risks than a small business operating in a single region. Multinational corporations must consider geopolitical risks, supply chain vulnerabilities, and compliance with different regulatory regimes. In contrast, small businesses might be more concerned with local market conditions and maintaining business continuity amid regional disruptions.
Organizational structure and culture can also determine the most significant types of risks. An organization with a decentralized structure may face challenges related to inconsistent implementation of security controls across different business units. Meanwhile, a highly centralized organization may be more vulnerable to single points of failure.
Organizational risk tolerance: A critical component
A critical aspect of effective risk management is understanding and defining the organization’s risk tolerance. Risk tolerance refers to the amount and type of risk an organization is willing to accept in pursuit of its objectives. This is a strategic decision that should be aligned with the organization’s overall business goals and guide the risk management process.
Unfortunately, many risk management frameworks, while comprehensive in their guidance on identifying and mitigating risks, do not adequately emphasize the need to establish and understand risk tolerance. This can lead to a misalignment between the risk management strategy and the organization’s actual risk appetite. For instance, an organization with a low risk tolerance may prioritize rigorous controls and conservative risk mitigation strategies, whereas an organization with a higher risk tolerance may be more willing to accept certain risks in exchange for potential business opportunities.
Failing to identify and align risk management practices with organizational risk tolerance can result in overprotecting or underprotecting the organization. Overprotection can lead to unnecessary costs and operational inefficiencies, while underprotection can expose the organization to significant threats that could jeopardize its objectives.
Risk tolerance also helps employees understand what matters from a risk perspective in their daily jobs. All employees perform risk assessments and mitigation in their daily functions. For example, a software developer must decide when a routine has enough error handling. Reaching that point might take an hour when management expected three weeks, or three weeks when management expected an hour. Either way, if the employee is not aligned with the company's risk tolerance (its risk appetite), their work will not be considered "good."
Beyond frameworks: Tailoring risk management to organizational needs
To address the deficiencies of generalized risk management frameworks, organizations should tailor their approach to their specific risk landscape and risk tolerance. This involves several key steps:
- Risk identification: Conduct a thorough risk assessment that goes beyond the baseline provided by frameworks like CIS CSC and NIST. This assessment should consider the organization's unique operating environment, business processes, and strategic objectives. Engaging stakeholders from different parts of the organization helps ensure that all relevant risks are identified.
- Risk prioritization: Once risks have been identified, prioritize them by their potential impact on the organization and the likelihood of their occurrence. This prioritization should be informed by the organization's risk tolerance, so that the most significant risks are addressed first. Likelihood is best expressed as an expected frequency rather than a vague rating: estimate how often a risk is expected to occur per week, month, or year, drawing on incident history where it exists, so that likelihood and impact can be combined into an expected loss and compared against tolerance.
- Customization of controls: While frameworks provide a solid foundation, customize the controls and mitigation strategies to address the organization's specific risks. This may mean adopting additional controls, modifying existing ones, or developing new controls better suited to the organization's needs.
- Continuous monitoring and review: Risk management is not a one-time activity but an ongoing process. Continuously monitor the risk landscape and adjust the risk management strategy as needed, including regularly reviewing and updating the risk tolerance to reflect changes in the organization's objectives and operating environment.
- Integration with business strategy: Finally, integrate risk management into the broader business strategy, so that risk management practices are aligned with the organization's goals and risks are managed in a way that supports the organization's success.
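The prioritization step above, worked through in code as an added example (this is not from the original article): a small risk register scores each risk by expected annual loss (frequency per year times impact per event), ranks the register, and then applies an explicit risk tolerance to decide whether each risk is accepted or must be mitigated. The register mixes framework-derived control gaps with the organization-specific concentration risk mentioned earlier. All risk names, frequencies, impact figures, and tolerance thresholds are constructed for illustration and are not data from the article or from any real organization.

```python
"""Added example, not from the original article: rank a risk register by
expected annual loss and apply an explicit risk tolerance.

Every risk, frequency, impact and tolerance figure below is constructed
for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    source: str                 # "framework" (baseline control gap) or "organization-specific"
    frequency_per_year: float   # likelihood expressed as expected events per year
    impact_per_event: float     # estimated loss per occurrence, in currency units

    @property
    def expected_annual_loss(self) -> float:
        """Annualized loss expectancy: frequency per year times impact per event."""
        return self.frequency_per_year * self.impact_per_event


@dataclass(frozen=True)
class RiskTolerance:
    """Risk appetite as two thresholds (both assumed for this example):
    the expected annual loss the organization will absorb for a single risk,
    and the largest single-event loss it will accept without a mitigation plan."""
    max_expected_annual_loss: float
    max_single_event_loss: float


def treatment(risk: Risk, tolerance: RiskTolerance) -> str:
    """Accept a risk only if BOTH its expected annual loss and its single-event
    impact fall within tolerance. A rare but catastrophic event fails the second
    test even when its annualized figure looks modest."""
    if risk.expected_annual_loss > tolerance.max_expected_annual_loss:
        return "mitigate"
    if risk.impact_per_event > tolerance.max_single_event_loss:
        return "mitigate"
    return "accept"


def prioritize(register: list[Risk], tolerance: RiskTolerance) -> list[tuple[Risk, str]]:
    """Rank highest expected annual loss first (ties broken by single-event impact)
    and attach the treatment decision to each risk."""
    ranked = sorted(
        register,
        key=lambda r: (r.expected_annual_loss, r.impact_per_event),
        reverse=True,
    )
    return [(r, treatment(r, tolerance)) for r in ranked]


# Constructed sample register: framework-derived gaps next to the
# organization-specific concentration risk (80% of sales to one buyer).
SAMPLE_REGISTER = [
    Risk("Phishing leading to credential compromise", "framework", 4.0, 25_000),
    Risk("Unpatched internet-facing service exploited", "framework", 0.5, 400_000),
    Risk("Ransomware on file servers", "framework", 0.1, 3_000_000),
    Risk("Loss of the customer that buys 80% of output", "organization-specific", 0.05, 20_000_000),
    Risk("Fire destroys the primary data center", "framework", 0.01, 8_000_000),
    Risk("Laptop theft, full-disk encryption in place", "framework", 2.0, 3_000),
]

# Constructed tolerance: absorb up to 150k expected loss per risk per year,
# but never accept a single event that could cost more than 1M unmitigated.
SAMPLE_TOLERANCE = RiskTolerance(max_expected_annual_loss=150_000, max_single_event_loss=1_000_000)


if __name__ == "__main__":
    for risk, decision in prioritize(SAMPLE_REGISTER, SAMPLE_TOLERANCE):
        print(f"{risk.expected_annual_loss:>12,.0f}  {decision:8}  {risk.name} [{risk.source}]")
```

With these figures the organization-specific customer concentration risk ranks first, well ahead of every framework-derived gap, and the data center fire is flagged for mitigation even though its expected annual loss (80,000) is under the annual threshold, because its single-event impact exceeds what the tolerance allows. Changing the two tolerance numbers changes the accept/mitigate split without touching the register, which is the point: the same risk list yields different treatment plans for organizations with different appetites.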
It is important to note that modifying a risk framework may cause concern for the auditors. Sometimes, auditors will review the company’s risk list and expect it to follow a specific framework to the letter. Collaborating with auditors helps ensure they understand that a generic framework only loosely identifies risks and likely requires modifications to align with the organization's specific needs.
Looking ahead: A holistic approach to risk management
While frameworks like CIS Critical Security Controls and NIST provide valuable guidance for managing risks, they are not without limitations. Their generalized approach means that they may not fully address the unique risks that different organizations face. To effectively manage risk, organizations must adopt a tailored approach that considers their specific context and risk tolerance. By doing so, they can ensure that their risk management strategies align with their business objectives and provide adequate protection against the threats they face.
In the ever-evolving world of cybersecurity and risk management, a one-size-fits-all approach is no longer sufficient. Organizations must be proactive in identifying and addressing their unique risks to safeguard their success.
At L2L, keeping our customers' data secure is our top priority. Visit our Security and Compliance page to learn more.