Expert Interview: Security & IT Risk Management Best Practices

February 28, 2018 by Dimitar Kostadinov

There is a certain correlation between a risk and an issue. To put it in simple terms, an issue is the result of a risk being realized. Therefore, risk management plays a vital role in proactively addressing potential cybersecurity problems before they occur. As the graphic below shows, however, many companies do not have a formal IT risk management program in place.

Despite its obvious usefulness, businesses are often unsure whether or how to implement risk management in their normal activities. Questions they struggle to answer may include:

  • What risk management program would be appropriate for my business?
  • How will it affect my business dealings?
  • Who should I turn to for advice on risk management matters?

To help answer these questions, I asked Emilian Papadopoulos, president of the Washington D.C.-based company Good Harbor Security Risk Management, to share insight into risk management best practices.

1. What does your risk management program include and how is it aligned with the business goals of your clients?

Papadopoulos: The companies with the best cybersecurity programs start with risk management and governance. Management teams first need to discover and prioritize the biggest cyber risks based on their unique business operations, customers, regulators and other stakeholders. The most important risks vary by company, even within the same sector.

Second, management teams need good governance, including an officer who is accountable for cyber security, good reporting to the CEO and/or board, and a whole-of-enterprise effort to get all parts of the business contributing to cybersecurity. Once those fundamentals are in place, the management team can drive cyber security measures like policies and technologies to mitigate the biggest risks.

2. What are your risk management recommendations for businesses of different sizes?

Papadopoulos: Every enterprise is different. For large enterprises, one of the challenges is keeping pace with the evolving threat while "turning the Titanic" in terms of company-wide budgeting, staffing, technologies and processes. Good governance helps.

Change management is also critical, since too many rapid changes can frustrate employees if they do not understand why cybersecurity is important and challenging; good training and awareness activities can help employees develop a culture of cybersecurity that enables rapid change by cybersecurity teams and management.

For small organizations, three of the most useful best practices are:

  1. Minimizing digital footprint ("do I really need to store that data in the first place?")
  2. Getting support from big enterprise customers (if you are a B2B company) who want your cyber security to be successful
  3. Using outsourcing effectively, for example by contracting with a managed security services provider (MSSP) to monitor networks and respond to incidents

Concluding Thoughts

These very informative answers prompted me to draw some inferences. Identifying risks related to a given company is important, but of equal importance is having an excellent team versed in cybersecurity to substantiate security policies in place, among other things. The graphic below supports my observation:

There are specific risks that tend to go hand in hand with businesses of different sizes. While too much occupational labor mobility and non-existent/ineffective cybersecurity training and awareness are large enterprises' Achilles' heel, small businesses should consider seeking the help of trusted experts to mitigate security risks.

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008-2012, Dimitar held a data entry and research job with the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to Law and Politics of International Security at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.