The Future of Cyber Security – Continual Risk Management
Article by Rob Guegan, Principal Consultant and Logiq co-founder. Written for and first published in Network Security (March 2024, Issue 3)

Increased digitisation and connectivity have led to a surge in the frequency and sophistication of cyber threats, and it has become a major concern for all organisations. This includes complex global businesses, supply chain management systems, Government departments and national security protection across the globe.

In their 2023 Annual Review, the UK’s National Cyber Security Centre (NCSC) aimed to raise awareness of the increasingly unpredictable landscape, where critical sectors are facing “enduring and significant” threats. This highlights the need for organisations of all levels to fortify their defences against cyber threats amid rising state-aligned groups, aggressive cyber activity and geopolitical challenges.

It is no longer effective for businesses to take a reactive approach to cyber risks or case-by-case management. Additionally, the attainment of compliance against a standard or achieving a certificate may not be enough to effectively manage security within an organisation. Instead, continual risk management should be central to any security strategy, as well as using this to help organisations focus on how to improve the design, implementation, and maintenance of security in critical systems.

In this article, we explore what continual risk management means for organisations and how it is already improving cyber security practices.

What is continual risk management?

Continual risk management refers to the practice of understanding and consistently reviewing cyber risk throughout the entire life cycle of a system, programme, or project. It helps to arm organisations with better-protected systems that are well-equipped to ward off potential security threats.

This ongoing monitoring and assessment enables organisations to identify, analyse, and respond to changes in the threat and business landscape, allowing them to take measures to minimise the chance of them falling victim to a successful cyber-attack. The inclusive nature is a key strength of continual risk management, meaning that security analysis is integrated into all business processes and security risk status is reported with other major business metrics, reducing the risk of oversight during critical decisions.

Continual risk management also acknowledges the intricate nature of security, recognising that it can be heavily influenced by various factors like commercial strategy, sub-contracts, and technology. All too often a procurement strategy is undertaken with little consideration of security, resulting in a fait accompli acceptance of risk or forcing security teams to play catch-up to try and understand and manage a new supply chain security challenge. A continual risk management approach for security supports a holistic understanding of an organisation’s exposure to security risk and empowers teams to adopt an agile and nuanced approach to managing and minimising their unique risks.

In their guide about risk management, NCSC confirms that it should be a continuous process and that organisations should review cyber security risk exposure, assessments, and controls at regular intervals and whenever there are significant changes. This includes ensuring that controls are appropriate and proportionate to the management of risks.

The NCSC also states that it should be “designed to be in place for the lifetime of the business that a system or service is supporting, not simply for the lifetime of the project/programme delivering the system or service.” In essence, continual risk management is about having a process that provides an evolving and ever-changing view of risk that helps businesses to be secure enough at all times.

How does it differ from compliance?

Risk management is not new to security. In fact, it is a central tenet of almost every security standard ever written. However, traditional compliance can often be very static and only done as a one-time adherence to standards, processes or practices. Businesses were often more concerned about showing they had a risk assessment to meet regulations rather than using it as a tool to support decision making.

In the past, organisations conducted risk management exercises for compliance reasons, which included external pressures, customer demands, and legal constraints. However, this raises several issues. Firstly, it leaves security risks to be considered as an afterthought. If an organisation is only thinking about cyber threats in terms of compliance, there’s a chance that it does not completely understand its cyber risk, leaving it more vulnerable to attack. Secondly, it means the focus of the security work is simply to try and reduce risk, or to show how it has been reduced, rather than using risk as a tool to support the development of a solution that is secure enough to meet the business needs and help it achieve its objectives.

Moving it to continual risk management means that it is no longer a one-time, static, tick-box exercise. Having risk integrated throughout an organisation’s business and development processes enables security risk to include perspectives from across the business, allowing better decisions to be made, and reducing the likelihood of a company being affected by a cyber incident.

What are the benefits?

There are several ways in which implementing continual risk management stands out as providing more benefits for a business. Firstly, the proactive approach focuses on anticipating and addressing security risks during the system design phase, unlike compliance-only methods that often start once a design is fairly mature.

This is better for a company’s agility and innovation: it requires organisations to consider from the outset the security objectives the system needs to achieve to successfully support the business’s needs, and it allows risk analysis to begin early to identify the ways those objectives may be compromised. In turn, this is also an effective future-proofing tactic, as systems that are ‘secure by design’, i.e. secure, resilient, and adaptable, won’t be locked into static requirements.

Secondly, while many organisations may consider compliance-centric risk management to be a quicker and easier method to apply, integrating security and continual risk management from the outset allows the early identification of regulatory requirements, maximising opportunities for efficiency by aligning multiple regulatory needs and reducing the risk of non-compliance. This encourages ongoing monitoring and improvement of security practices, while keeping cyber security as a top priority that is adaptable to evolving requirements.

Businesses can achieve compliance and certification proactively by using existing processes for evidence and working practices. It also helps them to avoid the creation of new policies solely for compliance purposes.

Finally, aligning security with business objectives leads to a stronger focus on achieving an organisation’s mission and goals. Involving all employees, including senior management, end users, project managers, engineers, and commercial teams, educates and empowers them to take ownership and responsibility for designing and managing security and engaging in conversation about security risk. This approach, if correctly documented and recorded, naturally generates the information and evidence that supports gaining and maintaining security assurance.

As a result, shifting the focus away from compliance and accreditation to an outcomes and objectives-based approach means that these businesses will be better equipped to deal with the complexity of the security challenges faced by many organisations today.

How is the UK’s Ministry of Defence implementing continual risk management?

Secure by Design, the Ministry of Defence’s (MOD) approach to cyber security, changes the traditional compliance paradigm. It is a fundamental shift in cyber risk management across the MOD and its supply chain, and it is now mandated across all Government departments. Its core objective is to make delivery capability secure, trustworthy, and resilient to cyber-attack by integrating cyber security and resilience into systems from their inception, as well as making sure that security is designed and developed in line with the rest of the capability, and ensuring the security objectives are focussed on supporting organisational goals.

Unlike accreditation-centric models, it highlights that responsibility for security rests with capability owners and Senior Responsible Owners (SROs), offering greater autonomy and ownership over system risks. This decentralised approach encourages teams to innovate and manage security effectively, recognising that those designing and building systems are best suited to handle inherent risks.

It also empowers teams to adapt to new methodologies and allows different departments to customise it to fit the needs of their organisation and their specific circumstances. By doing this, it reflects a commitment to change and provides the acknowledgment that security is a collective responsibility requiring a holistic and proactive response at all levels of an organisation.

Aligning security activities with management and engineering processes ensures security risk is built into the development and business processes and that it uses existing risk management procedures rather than being siloed separately. As a result, security becomes a focus throughout and is balanced against various other system considerations like cost controls, system integration, user experience, safety, and logistics.

A modern approach to cyber risk management

Ultimately, continual risk management is focussed on delivering a security solution that supports business objectives and, in doing so, it is also helping to shape the future of cyber security. In a world where the threats continue to increase and evolve, it’s never been more important to understand how security risks can have a devastating effect on your organisation achieving its business objectives, as well as the necessary steps to proactively manage these threats.

Get in touch if we can help your organisation kickstart your own unique cyber security and risk management journey.