What is Risk?
IT risk has many facets and is often not a well understood topic; in some cases the very definition can be elusive. When it comes to the cybersecurity and information technology fields, the National Institute of Standards and Technology (NIST) is one of the authoritative sources from which to seek answers.
According to NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments, risk is defined as:
"a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence."
The One-Page Risk Management Plan is based on the A3 technique, which was originally created by Toyota as a problem solving method. The name A3 comes from the fact that when the process is complete, all of the relevant information can fit on a standard A3 size piece of paper.
While the A3 technique was originally designed for problem solving during manufacturing, it can also be a valuable tool for risk management. You can use the technique to guide the risk management process and ensure that all critical information is captured in a concise manner.
So, you have identified a risk in your organization or project... now what? When a risk is identified, there are four strategies you can use to address it. The strategies can be remembered using the acronym ACAT:
Cyber security is a two-sided coin: on one side are all of the technical controls needed to maintain security, and on the other are the operational processes required to manage them. Just like a coin, both sides need to be intact for it to be whole.
Unfortunately, many organizations dedicate a disproportionate amount of resources to technical controls at the expense of properly managing their operational processes. It is not uncommon for such organizations to spend large sums of money on the latest technical security gadget, only to find themselves getting hacked anyway.