Cybersecurity: The Era of Risk Management
May 28, 2021
iCrowdMarketing powered by iCrowdNewswire

Computers, cyberspace, cybersecurity, hacking, and viruses. These techno-terms are a familiar staple in popular culture. They have been mystified and romanticized for decades through books and the film industry (think Aldous Huxley, Dan Brown, or the movies Swordfish and The Matrix, to name a few). We can even reach back to the 1940s to the root of the term in the word ‘cybernetics’, which described a man-machine concept. Now, following the internet boom of the 90s and 2000s, the word cyber is most often used in compounds with other words such as security and crime. Today, cybercrime is no longer fictional; it is a very real and tangible destructive force felt throughout the entire world economy. To counter cybercrime, something called cybersecurity has appeared. Cybersecurity is not only light-years ahead of where it was at the beginning of the millennium, but the need for it has spawned a multi-billion dollar industry too. Cybersecurity strategy today, as opposed to a decade ago, is at the very forefront of business functions. Businesses are having to adapt to new threats from cybercriminals as well as tightening internal security controls to stop human error. To briefly mention a few examples, hiring an MSSP (managed security service provider) is as much a part of a cybersecurity strategy as training employees is, but we will go more in-depth in the next section, where we talk about cybersecurity risk management overall.
What is Cybersecurity?
Cybersecurity refers to the software and hardware tools, knowledge, and policies that serve to defend connected devices or systems from internal and external threats. More concretely, being cyber-secure entails measures such as using a Virtual Private Network as well as knowing not to open fraudulent emails. Cybersecurity is also a mindset. It is a must-have angle for businesses: without properly managed security solutions or risk management, a business will be hacked, attacked, and have its sensitive data compromised in no time. Cybersecurity can also be broken down with the CIA abbreviation (Confidentiality, Integrity, Availability), where confidentiality refers to access control, integrity to authorization, and availability to resources being reliably accessible when needed.
What is Risk Management?
Risk management is an integral part of any business or enterprise’s project management strategy. In the cybersecurity sector, it is especially important. In cybersecurity circles, risk management is often referred to as a ‘framework’ or ‘assessment’ that businesses employ to fend off cybercrime and consolidate internal security. Risk management frameworks have several stages; one example is the NIST Cybersecurity Framework from the United States’ National Institute of Standards and Technology, which aims to set standards that protect systems and critical infrastructure from cyber risk in sectors such as telecommunications, hospitals, and the medical sector.
Why is Risk Management So Important Today in Cybersecurity?
The concept of risk management in the cybersecurity of a business is not exactly new. The difference between the adoption of risk management now and in 2010, for example, is that it is being utilized much more widely to compensate for the rising sophistication and breadth of cyber-attacks. We know that between around 2009 and 2011, in that short period, cyber-attacks in the U.S. alone increased by a factor of 17. The Center for Strategic and International Studies (CSIS) tracked around 500 notable cyber incidents over the past decade and found that the number of incidents rose from 21 in 2009 to over 100 in 2019 (incidents that caused over $1 million in damages). The number of cybersecurity incident-related complaints saw a sharp spike in 2019 and onwards compared to all of the years before. Cyber threats are evolving every day, and organizations must take a stance, or a risk-based approach, with regular monitoring, reviewing, assessment, and training. Risk management is a key requirement for compliance with several cybersecurity regulations and frameworks such as the GDPR, CCPA, DoD RMF, FAIR, and the NIS Regulations. There are also the ISO 27001 and ISO 27005 information security standards, which state that organizations must have an information security assessment in place.
Cyber Risk Management
Creating a risk profile that is unique to the organization will be the most efficient strategy, because irrelevant threats and false positives are removed from the equation. Cybersecurity risk management can be broken down into the following stages:
- Identification
- Analysis
- Evaluation
- Prioritization
- Mitigation
- Monitoring
A cybersecurity risk management strategy first begins with a risk assessment, which will outline the potential threats to the organization as well as categorize them by severity. The United Kingdom’s National Cyber Security Centre states: “Risk management in the cybersecurity domain helps ensure that the technology, systems, and information in your organization are protected in the most appropriate way and that resources are focused on the things that matter most to your business. A good risk management approach will be embedded throughout your organization and complement the way you manage other business risks”.
The NCSC also outlines the following points for a risk-based approach (risk management) to the cybersecurity of systems and data:
- An organization should think about its priorities and objectives first, and the risks it is willing to take to achieve them. This thought process will help an organization clarify its cybersecurity risks.
- An organization needs to make its board aware of the policies and type of governance required for the efficient and effective implementation of a risk management strategy.
- An organization needs to know where cyber risk management will be applied, e.g. talking to the personnel who use the systems will offer insight into what needs to be protected and why.
- An organization must take into account the cybersecurity of external factors such as the supply chain, cloud services, and third-party services it employs.
- An organization must take the human factor into account, meaning how employees interact with and use systems, services, and technologies, and whether that interaction is proper and efficient. Information sharing from the board to the employees will guarantee good communication about cyber risks.
- An organization needs to choose its cyber risk management solution, meaning a solution that reveals risk information. An organization can also take multiple other approaches, such as mixing different methods, tools, frameworks, and security strategies for a tailored cybersecurity approach (MDR, MSSP, SIEM, etc.).
- An organization needs to think about how to manage each risk, meaning whether cyber insurance is required, whether a control will be added, or whether the risk must be accepted for efficiency.
- An organization should strive to continually improve its risk management strategy by auditing, reviewing, revisiting, and monitoring all of its elements.
According to AT&T Cybersecurity, cyber risk = consequence of attack × likelihood of attack. This equation takes into account that it is not a question of whether a cyber incident will take place, but when. With a proper risk management strategy, the organization will have the proper controls set up, aligned with the business model, to fend off cybercrime as much as possible while complying with international information security standards and allowing the board of an organization to make informed decisions.
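The stages listed above and the consequence × likelihood formula can be tied together in a minimal risk register. The following is an added illustration, not code from the article or from AT&T Cybersecurity or the NCSC; the 1-to-5 rating scale, the appetite and insurance thresholds, and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)  # assumed rating scale: 1 (lowest) .. 5 (highest) for both factors


@dataclass
class Risk:
    name: str
    consequence: int  # impact of a successful attack, 1..5
    likelihood: int   # how likely the attack is, 1..5
    treatment: str = "undecided"

    def score(self) -> int:
        # Analysis stage: cyber risk = consequence of attack x likelihood of attack
        if self.consequence not in SCALE or self.likelihood not in SCALE:
            raise ValueError("ratings must be between 1 and 5")
        return self.consequence * self.likelihood


def prioritize(risks: List[Risk]) -> List[Risk]:
    # Evaluation/prioritization stage: highest score first, ties broken by consequence
    return sorted(risks, key=lambda r: (r.score(), r.consequence), reverse=True)


def decide_treatment(risk: Risk, appetite: int = 6, transfer_at: int = 16) -> str:
    # Mitigation stage: accept risks within appetite, add a control to mid-range
    # risks, and add a control plus cyber insurance for the highest scores.
    # The thresholds are assumed values for illustration only.
    s = risk.score()
    if s <= appetite:
        return "accept"
    if s >= transfer_at:
        return "add control + transfer (cyber insurance)"
    return "add control"


def apply_control(risk: Risk, likelihood_reduction: int) -> Risk:
    # Monitoring stage: once a control is in place, re-rate likelihood and re-score.
    new_likelihood = max(1, risk.likelihood - likelihood_reduction)
    return Risk(risk.name, risk.consequence, new_likelihood, risk.treatment)


def build_register(risks: List[Risk]) -> List[Risk]:
    ordered = prioritize(risks)
    for r in ordered:
        r.treatment = decide_treatment(r)
    return ordered


# Constructed sample risks from the identification stage (illustrative only)
SAMPLE = [
    Risk("phishing leads to credential theft", consequence=4, likelihood=5),
    Risk("unpatched third-party service", consequence=5, likelihood=3),
    Risk("lost unencrypted laptop", consequence=3, likelihood=2),
    Risk("misconfigured cloud storage bucket", consequence=5, likelihood=4),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f"{r.score():>2}  {r.name:<38} -> {r.treatment}")
```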