Speaking at RSA Conference 2019 on ‘Defining a cyber-risk appetite that works,’ Jack Jones, chairman of the FAIR Institute, discussed the need to create a risk appetite, and how to identify what you need a risk appetite for.
He said that having a risk appetite “depends on your situation” and this is not a static thing, and can change and can still be a useful tool in risk management.
Highlighting comments on why you need to bother with a risk appetite, Jones said that it can:
- Provide clarity in expectations
- Improve focus in risk management efforts
- Improve communication with stakeholders
- Reduce the likelihood of unacceptable loss
Jones said that companies need to determine what an unacceptable loss is and this can be one that can be based upon choosing a scenario on what your organization does.
He said: “What is the loss or event scenario you care about: maybe it’s disclosure, outage, non-compliance or financial mis-statement – it could be all of them, and by defining distinctly you could define it and manage risk appetites.”
Jones encouraged “drawing a line in the sand” and used the example of losing no more than one million customer records, and to “start there and get a handle” and lower the bar to increase the protection of your crown jewels. “This is a starting point.”
Once you have a risk appetite after determining your crown jewels, consider the probability of something happening and the landscape the assets are in.
“Assets with one million records, find them in privileged systems that are internet-facing, and those with no more than one exploitable condition (such as SQL or weak passwords) and review every three years,” he said. For assets which are not internet-facing, allow no more than two exploitable instances.
Jones also recommended defining risk appetites for scenarios like outages and financial reporting, and loss of intellectual property. “Criteria needs to be realistic and actionable.”
So once the appetite is defined, Jones recommended staying aligned by updating crown jewel information, and ensuring that any proposed crown jewel and policy exception goes through approval, and personnel with privileged access pass an exam that demonstrates an understanding of their risk management responsibilities.
“Simply being explicit on lines can have a huge effect on objectives,” he said. “An ability to focus on what can burn organizations, improve communications and reduce probability of an event of this magnitude is part of a risk appetite.”