Cyber Security - Risk vs Controls vs Compliance

January 7, 2023

Cyber Security - Risk vs Controls vs Compliance

In today's business world, cybersecurity risk is a top concern for CEOs and other business leaders. With the increasing frequency and sophistication of cyber attacks, it's more important than ever to have strong cybersecurity controls in place. However, compliance with various security standards can be confusing and time-consuming. In this blog post, we'll help you understand the relationships between cybersecurity risk, controls, and compliance so you can make informed decisions about protecting your business.

Defining cyber security risk, controls, and compliance

Cyber security risk, controls, and compliance can be overwhelming concepts to understand, since security standards and the related controls span multiple domains. The most widely accepted security standard for tracking cyber security risk and compliance is ISO/IEC 27001. For US Federal agencies, the National Institute of Standards and Technology (NIST) 800:53 is also an important security standard that should be followed. To achieve effective security management and accurate security posture tracking, it's important to understand the difference between risk, cybersecurity controls and compliance.

Risk

Cybersecurity risk is the probability of exposure or loss resulting from a cyber attack or data breach on your organisation. Another definition is that risk is the chance of something happening (the effect of uncertainty on objectives) with potentially positive or negative consequences.

The standard formula for assessing a cyber security risk is: Likelihood (Threat x Vulnerability) x Impact = Risk, where:

  1. Likelihood - means the chance of something happening.
  2. Threat – a malicious or negative event that takes advantage of a vulnerability.
  3. Vulnerability – a weakness, flaw or other shortcoming in a system (infrastructure, database or software), process, or set of controls that could be exploited by a threat.
  4. Impact– the potential impact to a business or person such as loss of money, physical harm or other impacts.

Controls

Cybersecurity controls refer to a suite of process, technical, people and contractual measures that aim to prevent and detect, potential security events that could lead to a significant incident.

Controls help to mitigate the threat associated with a risk occurring by removing or mitigating the vulnerability of a process, person or system. In relation to Risk controls help to reduce the likelihood or a risk occurring.

Compliance

Compliance is the action or fact of complying with a particular command or requirement. Internal and external audits are typically conducted to assess a businesses compliance against a standard or regulation or internal set of rules such as possibilities and procedures.

In the world of cyber security compliance is often assessed by conducting cyber security assessments against a checklist of controls against standards and laws.

What comes first - Risk or Controls?

Navigating where to start when it comes to identifying risks and selecting the right controls to adhere to can be a daunting task. With so many standards featuring an array of controls, it can be difficult to assess where exactly to begin. Not all controls are equal as some may not apply or be necessary in relation to specific assets, making decisions around which should be selected even more tricky. To successfully identify the relevant applicable controls and ensure they are tailored and appropriate, one should conduct a risk assessment where they analyse where potential risks lie and implement measures that help mitigate those risks appropriately. Simply having large amounts of Controls isn’t enough, rather the aim should be for them reduce the actual risk posed - otherwise where is the return on investment?

Identifying risks

Risk Scenarios are good place to start. A risk scenario is a short description of a vulnerability, threat, and potential impact.  For example "Inadequate management of the lifecycle of identities and credentials leads to unauthorised access to sensitive information resulting in a significant data breach" where:

  • Vulnerability = Inadequate management of the lifecycle of identities and credentials.
  • Threat = Unauthorised access.
  • Impact = A significant data breach

Are Risk Scenarios unique to every business?

As risks are at a higher level than controls many businesses face the same risk.  Our research shows that when assessing over 100 different types of businesses they all faced similar risks which can be summarised as "Weak controls resulting in unauthorised access or system / process failure".

The difference between each business and what makes each businesses risk profile different is:

  1. Which specific risk scenarios apply (typically associated with the type of information and assets they use)
  2. The potential impact of a risk (direct association with the business revenue or societal impact of data being misused)
  3. The types of controls used to mitigate the risk (associated with the assets they use, people they employ, locations they operate in and processes they use to support controls).

With over 100 years of combined experience the team at InfoSecAssure ensures that risks are taken care of for your business. Contact us today for a free consultation.

The importance of Risk and Control Assessments

Assessments help to identify how well controls are securing you and your suppliers business and in turn how likely it is that a risk may eventuate. Assessment outcomes are key in helping businesses understand how well they are mitigating risks, or meeting regulations and other standard requirements – not only necessary for preventing legal penalties, but also critical in preserving employee and customer trust.  Assessing what has already been accomplished also helps identify where to focus next; businesses can use this data to determine where resources should be invested for best return on investment. In summation, assessments provide an excellent resource for businesses when it comes to managing security, safety, and legal compliance.

Issues with assessment approaches

Many approaches to assessing security exist, from engaging a consultant to using a questionnaire or automated tool.

Engaging a consultant - Consultants have a core set of skills that can help business start their security journey and provide advice on how to uplift security to best meet their needs.  Consultants often come with their own tools sets and can be engaged to conduct risk and control assessments, set up policies and procures and develop strategic plans.  Consultants also cost between $1,200 to 3,000 per day depending on their experience.

Security questionnaires - Security questionnaires are a way of asking suppliers or parts of your business the same questions so that controls gaps can be identified.  Unfortunately questionnaires are often not well written and can sometimes miss the point of the control, resulting in answers that do not reflect the true state of the business. Additionally, the controls referred to in questions may not be properly aligned with your specific assets that require protection. Assessment answers that mean nothing - In the example below we asked if this business had security cameras, it was answered positively. However, upon further inspection, the placement of the cameras are less than ideal and creates an ineffective control system - as shown in the image below. Unfortunately, this causes the cameras to be far less efficient than desired due to the bad location choice. Furthermore, the utility in regards to safety and surveillance is greatly reduced. As it stands right now, even though security cameras may be present on site, they are unable to achieve their intended goal due to a poor installation procedure.

Automated tools - Automating reporting about key controls gives technology and business leaders information about how well a specific control is operating.    This is great for seeing what % of systems have a patch applied or what % of people have undergone training or enrolled in your latest control upgrade.  Not all cyber security processes are of a technical nature so these are typically harder to provide automated reporting for.  Also there are some cases where reporting may not reflect the actual current state or miss data that may indicate a weakness in control.    For example say your report shows you what % of patches have been applied?  But what if the tool isn't scanning all the systems?  Your also need another report to scan all systems to provide a % coverage report.  The list goes on. And what happens when the business implements a new system or changes how one works?  The number of systems and processes you would have to set up to measure every control in your organisation through automate reporting is resource intensive.   Most automated tools that repot security data give you some information not all and are are useful for providing evidence during risk and control assessments.

Assessments should have multiple outcomes

Cyber security assessments can serve many useful purposes, from identifying weak points to developing the ability for teams to effectively manage audit activities. Having multiple outcomes from an assessment allows a better understanding of the current state of security and will help your team articulate their security posture to clients and other stakeholders more clearly. Assessments should provide information about any weaknesses so that steps can be taken to mitigate them, as well as providing feedback on where further improvements should be made. By assessing risk in this way, Cyber security teams are greatly improving their ability to guard against potential threats.

Holistic approach to assessing cyber security risk and controls

At InfoSecAssure we spent years studying the issues we describe above and developed a solution which offers businesses and their advisors with a balanced approach between assessing controls, identifying risks and ensuring multiple practical outcomes can be achieved, every time.  Our simple approach to assessing the controls within your business allows you to quickly identify your risks, your control maturity and your compliance across key security standards.  No system integration is required, just get the right people to answer the carefully crafted questions within one of our assessments and you will instantly get a complete in-depth view of risks, control maturity and compliance outcomes.  

Who should measure your controls and what skills should they have

Measuring your controls is a critical activity that requires skills across a variety of areas. The key skills required to be a good assessor include understanding both the technical and non-technical controls, having knowledge of threats and how different controls can work together to mitigate them, as well as being able to collect evidence when needed. Additionally, an effective assessor should possess people skills in order to interpret people’s roles, activities and practices accurately and not just accept the sales pitch or standard yes or no responses. Furthermore, depending on the type of risk being assessed, having both risk skills and an understanding of IT security is also be essential for success. Moreover, assessors should have a strong business focus so they can deliver effective results that can have meaningful business value.

By signing up for InfoSecAssure you don't have to be a cyber security professional as we help you by giving clear instructions and explanations, with guidance for each question and related control that are easy to understand.

Risk Should Be The Main Focus

Cybersecurity risk has the ability to severely affect any organisation. It is the probability of an attack or breach that compromises data, technical infrastructure and an organisation's overall credibility. It is the result of unpredictable events with increasingly devastating ramifications. Understanding the depth of exposure these risks can cause is essential to guarding your business against severe losses. That's why cyber risk must be addressed holistically.

Ultimately in order to implement comprehensive security measures across assets it's important for organisations to take an holistic approach of addressing cyber security risk, controls, and compliance.

InfoSecAssure hope that this article helped to clear up some confusion around the difference between cyber security risk, controls, and compliance, what goes into a cyber security assessment, why they’re important, and how to get the most out of them.

We offer a tool to help you get the best outcome from your assessment and turn any non-cyber person into a cyber security expert. Contact us today for a free demo.

Book a free demonstration or talk to one of our team today to uncover how we can help ensure you align to standards while also understanding your risks and knowing what action to take to keep your business secure.

Contact Us
Secure your business.
Today is the day to build the business of your dreams. Let us help you secure your assets without blowing your budget — and focus on the things that count!